Social Media Marketing Agency which drives relevant clients to you

Are you familiar with the term “Social Media Marketing”? If not, you must at least have heard it once in your life so far. Leveraging the strength of social media marketing through product promotion and content can really help to grab the attention of the widest possible audience in a fairly dramatic way.

Social Media Marketing, from a business point of view, is going viral nowadays without pulling in a lot of resources. It is a vital term with major fundamentals to be established, and focusing on them can literally help an agency to succeed. Social media sites such as Twitter, Facebook, YouTube, MySpace and the like are used in the process of social media marketing in order to increase the attention and traffic of customers. Compared to traditional marketing, taking advantage of the social aspect of the web is an opportune way to connect with people at an effective level.

A Social Media Marketing Agency is popular for its versatile and cheap marketing, as it provides a platform for marketers to speak their word out and develop a relationship between themselves and their customers, and vice versa. Being the easiest pathway for communication, and for judging the response of customers to any commodity through direct means, is letting marketers rely on a Social Media Marketing Agency for their stability. Currently, it is the most influential and powerful means of advertisement for brands to increase the number of their customers and their fame.

Focusing specifically on the enormous reach of social media marketing, Commtel Digital offers its expertise to clients in the field of social media marketing. They focus on research, online advertising, digital strategy, social media and application development services for the sound establishment of brands. Precisely, their motive is to put in a lot of effort for the well-being of their customers.

Social Media Marketing involves putting true effort into the development of content related to your services and products that catches the attention of customers and makes readers share it on numerous other related networks. Like others, Commtel Digital Agency promises you more brand recognition, brand loyalty, a higher level of conversion, more brand authority, a higher rate of inbound traffic, better rankings in search engines, low marketing costs and high customer insight. Currently, social media marketing is successfully ruling 76% of the business world while maintaining its reputation.

Obviously, you cannot deny the power of social media marketing in today’s world, as your competitors are already making use of it and gaining a reputation in their respective fields. Rationally, it’s never too late to move, so don’t miss your chance to proceed: the sooner you begin, the sooner you will accomplish your goals! All the best!

Social Media Marketing: new career ideas and easy tips to follow


Social media marketing has risen to the point where delivering advertisements has become possible with the click of a mouse. It helps companies, both large and small, produce web traffic, assists in product branding and, importantly, amplifies sales. The expansion of social media marketing has become a portal to new careers. These are some of the interesting new careers open to you because of social media marketing.

First is a social media marketing manager, who is tasked with overseeing social media marketing websites for clients. Search online and try enhancing your knowledge, because there are a number of social media websites that are helpful and informative and will greatly improve your marketing skills.

You can also try to become a copywriter for social media, where you write articles or posts for clients or companies. The importance of your job relies on your ability to post interesting ideas and updates that will add to the traffic to your website.

A reputation manager may also be needed in social media marketing. Remember that you will be dealing with marketing on the internet and you won’t be able to control the statements made by the competition; a reputation manager makes sure that such negative information is removed and improves the rating of the company.

The most important element in online social media marketing is back links. A back link builder makes sure that links are created that lead back to your website. Your site’s popularity in search engines is tracked by keeping tabs on the number of clicks on your site every time it appears in the results. It is important that your back link builder is brilliant and puts to use all the elements of social media in creating high quality back links to increase your visibility in search engines, thus adding to the traffic that your site will get.

Social media marketing is a low cost marketing tool, and promoting your business through it can promote your business not only in a local area but globally. There are simple steps to optimizing the visibility of your business. Join a suitable social media network for your business. Choose something that a lot of people are using and that at the same time can connect to your company. Get creative and run promotions by making use of videos, images, contests and a lot more. Social media marketing has no limit, and your consumers are interested in products that constantly have interesting and fun stuff going on. Never forget to add the company’s information on your page, have a bio, and add interesting facts about the company that your customers can read about. With social media marketing, you also need to be an active member of the online society. Always put up updates and be warm and welcoming when dealing with your customers. Add interesting websites, videos and pictures to your website. Traffic to your website adds up when you put additional material in your account. Lastly, never forget to promote your products and services. Let your customers put up comments and suggestions and do not forget to reply to them. Customers love it when they are being accommodated and heard out. Social media marketing is the most innovative of all kinds of marketing because here your advertisement is two-way: you give out information and at the same time your buyers or customers can react and respond to you.

Source: Free Articles from


FindMaster is a Vancouver based search engine marketing company that has intimate knowledge of managing pay per click and internet marketing campaigns of all sizes. For more information on Vancouver search engine marketing company and pay per click advertising 101 check us out at!

Content Marketing Makes Good Business Sense


Content marketing is a fundamentally sound online marketing strategy that offers many benefits. Not only does using content as a promotional tool increase your exposure and credibility, but it also makes people feel good about their buying decisions. In fact, consistently using this strategy online helps to increase your chances for business success by minimizing buyers’ resistance. Most online marketers put all the risk on customers by ‘pressuring’ them into a buying decision with the use of outlandish claims. Sales tactics such as ‘for a limited time only’ or the ‘one time offer’ that you will never see again are commonly used to hurry purchasing decisions. Using content to ‘educate’ consumers decreases their ‘perceived’ risk through the way in which this strategy approaches people online. Here are 3 ways how.

Free and Useful Content

The offer of free content is made by merely publishing and distributing it online. It is now out there for all to see. People are able to choose whether they want to view the information or not. Their level of acceptance of the content presented to them is based upon the quality of the information contained within. When content is used to create awareness or to educate the reader, people deem it to be more of an asset to them as opposed to a pushy sales tactic. With this attitude they are therefore more receptive to viewing the material, but the key is that it must be useful.

People Can Freely Choose and Use

People are able to judge and decide on their own whether the information they view is worthwhile and helpful. Once again, the information is produced to create a greater awareness or to educate the reader. It is entirely up to the individual reader whether they will even view the content, and whether they find it interesting or helpful.

Quality and Consistency Gain Trust

The more useful the information is, the more effective it becomes in helping the creator build an authoritative reputation on the subject matter. When quality information is made available on a frequent basis, it tends to further strengthen the trust readers have in the author of the material. At this point people have freely made the choice to view published material, judged it to be useful or not, and made the decision as to whether they trust the author. These are all ‘voluntary’ acts that help make people feel more in ‘control’ of their choices and decisions. They have gained information, become more educated on a certain subject matter and feel better about making any decisions concerning this subject. This is the difference between freely making a well thought out decision without external pressure and feeling they have been ‘conned’ into making a buying decision. At this point online marketers are in a better position to make an offer, since they have gained the trust of people by educating them and without applying pressure. This increases the likelihood of a person making a decision to buy. The perceived risk to the customer is now reduced and they can make their decision in a more relaxed fashion as opposed to being hurried by a virtual stranger.

Content marketing is one of the best strategies to use online to increase your chances for business success. This particular online marketing strategy not only boosts your exposure but also helps to minimize customer resistance if used correctly, as reviewed above. All too often it is the customers who take the risk when making a purchase, due to the pushy sales tactics of many online marketers. By allowing would-be buyers the chance to further educate themselves with useful content before making a purchase, you are building a stronger bond with them. After all, it is easier to resell to satisfied customers than to always depend on having to find new ones.


Source: Free Articles from


TJ Philpott is an author and Internet entrepreneur based out of North Carolina. To learn more about how to use content marketing to grow your business and to also receive a free instructional manual that teaches valuable niche research techniques simply visit:

4 Strategies For Effective Email Marketing

An email marketing campaign is a low cost and fast way to reach out to your customer base. But there is no guarantee that any subscriber will stay on your list forever. You have to continually prove your value so that they always feel that you are providing something that is of benefit to them.

1. How Frequently Should You Send An Email?

There is no right or wrong answer on how often you should send an email to your database for it to be a successful email campaign. The main issue for effective email marketing is to be consistent with your mailings: don’t email only once in a while most of the time and then blast your list with emails every day for 2 weeks just because there’s a promotion or sale. As long as you’re providing value to your subscribers, there is no reason why you cannot email every day.

2. Always Provide Value.

Reliable and honest product reviews are things that the people on your list will like to read and hear about. Don’t make it a blatant sales pitch for a new product, but rather give your views on how the product does, or does not, live up to your expectations. If someone emails you asking a question, always reply to that person individually. You can then create an email marketing campaign based on answering that question for your whole list, as others could be struggling with the same problem.

3. Be Available.

An effective email marketing campaign will answer the questions or problems that are challenging the people on your list. The only way you can find out what these problems are is to ask the people on your list. Naturally, the bigger your list grows, the more challenging this will become, so you have to adapt your business model and outsource some of your tasks. If you take the time to help others, your reputation will start to spread and you’ll have more people who will want to be on your list and who will buy your products.

4. Be Honest.

For your readers to feel a connection to you, you have to let yourself be seen as human. Your subscribers will love it if you’re honest and transparent with them. Effective email marketing is about building relationships with people, so don’t think that you can’t make mistakes and share them with the people on your list. Often it will endear you to your list even more, and you’ll become known as a genuine marketer within your niche.

Attractive Branding and List Building Skills: 5 Important Keys In List Building and Branding Online

Selling online can be almost impossible if you have to approach your niche target market one by one. What’s worse is trying to build a profitable list and brand yourself online without the necessary tools, which can be costly and time-consuming if carried out one person at a time. Wouldn’t it be easier if you could just send everyone a promotional email with a few clicks of your mouse? This is highly possible if you have a list of potential clients who are most likely to buy from you. Here are the 5 key ways to create more money with list building and branding:

1. Construct your own squeeze page. This is one of the best ways to get the contact information of your target market. Send them to a page where they don’t have much choice but to provide their email addresses, or they won’t be able to go on to any other page of your site. Freebies like pens or samples of your products in exchange for their contact information are a very good way to lighten the load and for your prospects to gain more trust in you.

2. Make your squeeze page simple and short. Online users don’t have much time to fill out one-page forms. So, ask them only for the information that matters the most: their names and their email addresses.

3. Manage your email list through the use of an autoresponder. Autoresponders can do your job even if you are not online, making your job easier and automatic at the same time. The best thing about this tool is that it allows your list members to opt out at any given time when they choose not to receive any more messages from you. This will protect you from future spam complaints.

4. Put up a guest book on your website. Run a promotion like a raffle for those who visit your site, where all they have to do is leave their names and email addresses to get the chance to win. Don’t forget to inform them that you will be sending promotional emails to the email address that they have provided, so you won’t be accused of spamming.

5. Keep their contact information secure. Never share your list with a third party without the permission of your list members. Doing so will tarnish your credibility and you will eventually lose clients because of it.

Using these key points will help you tremendously while building your list and branding yourself. You want your prospects to ultimately trust you, and when they feel comfortable with you they will usually buy your products or join you in your business venture, which becomes a win-win situation for both parties.

Facebook critics launch rival oversight board – Reuters


SAN FRANCISCO (Reuters) – Critics of Facebook Inc FB.O, including the organizers of an advertising boycott against the company, on Friday launched their own oversight board to review the company’s content moderation practices.

FILE PHOTO: Facebook CEO Mark Zuckerberg speaks about privacy during his keynote at Facebook Inc’s annual F8 developers conference in San Jose, California, U.S., April 30, 2019. REUTERS/Stephen Lam

The launch comes a day after Facebook’s officially-mandated Oversight Board said it would start work in mid-late October, nearly a year behind schedule.

The new group, which bills itself as the “Real Facebook Oversight Board,” counts among its initial members the heads of three U.S. civil rights groups, the former president of Estonia and the former head of election integrity at Facebook.

The delay of the launch of the official Facebook-funded board means it is unlikely to review cases related to the Nov. 3 U.S. election, which has generated some of the most contentious issues faced by the world’s biggest social network.

The rival board plans to move faster, it said in a statement. It will hold its first general meeting next week, and focus squarely on election topics, including voter suppression, election security and misinformation, it said.

Facebook “responds to criticism with bad faith statements and cosmetic changes,” said board member Roger McNamee, an early investor in Facebook who turned critical of its leaders over their handling of misuse of the platform in the 2016 election.

“The Real Oversight Board will act as a watchdog, helping policymakers and consumers defend against a renegade platform.”

Members of the rival board plan to broadcast their meetings in weekly shows on Facebook Live, according to the statement.

A Facebook company spokesman hit back in a statement on Friday.

“We ran a year-long global consultation to set up the Oversight Board as a long-lasting institution that will provide binding, independent oversight over some of our hardest content decisions,” he said. “This new effort is mostly longtime critics creating a new channel for existing criticisms.”

The new group said it was being funded by Luminate, a philanthropy backed by The Omidyar Group, but did not disclose a funding amount.

Facebook has committed $130 million to its Oversight Board project, which it said would cover operational costs for at least six years.

Reporting by Katie Paul; Additional reporting by Elizabeth Culliford; Editing by Tom Brown and Sonya Hepinstall


Facebook will reject political ads claiming an early victory in November


Facebook will reject ads from Donald Trump and Joe Biden claiming victory before the winner of the US election is declared.

The change is an update to a policy CEO Mark Zuckerberg announced on September 3rd, which banned political ads the week before the election, as reported by Fast Company. That policy would not have stopped Trump or Biden from running ads directly after the election. Either presidential candidate could have started claiming victory at 12:01AM PT on November 4th.

While the results of the presidential race are typically announced the night of the election, this year, the process is expected to take longer due to mail-in voting. Experts say that because more Democrats are expected to vote by mail than Republicans, Trump could hold a lead the night of the election but slip behind Biden as more votes are counted. This scenario makes it critical that misinformation about the results of the election doesn’t go viral before a winner is officially announced. While the new policy is not directed at Trump, fears about the current president refusing to concede could be behind the clarification.

“We will be rejecting political ads that claim victory before the results of the 2020 election have been declared,” the tech giant said in a statement to Fast Company.

In early September, Zuckerberg announced that the company would stop accepting new political ads the week before the election. “It’s important that campaigns can run get out the vote campaigns, and I generally believe the best antidote to bad speech is more speech, but in the final days of an election there may not be enough time to contest new claims,” he wrote in a Facebook post.

As part of the expanded policy, Facebook said it will also label posts that seek to spread doubt about the legitimacy of the election as well as content from political campaigns claiming a premature victory. The new rules are part of the company’s ongoing efforts to stop election interference across its platforms.

Trump Facebook Ads With ‘Real People’ Actually Feature GOP Political Operatives


Kim Sherk, president of the Georgia Federation of Republican Women, identified only as a “small business owner” in a new Trump ad (left) and Sherk at the White House in an undated photo.
Screenshot: Facebook/Cobb County Republican Party

President Donald Trump’s re-election campaign is currently running Facebook ads with “real people” who support the president. And while it’s accurate to say these people are “real” in the sense that they’re human beings and not robots from the TV show Westworld, they’re not just average people off the street. Many are political operatives.

Take this ad that’s currently running on Facebook. It shows Kim Sherk, who’s not identified by name in the ad, and yet is the president of the Georgia Federation of Republican Women. A Georgia newspaper, the Marietta Daily Journal, recognized Sherk, which might be why these ads are running in states like California, Illinois, and Mississippi, according to the Facebook ad library, rather than in her home state of Georgia.

“As a small business owner, President Trump has been the greatest president we have seen,” Sherk says in the video, which is also available on Trump’s official YouTube page. “He has increased jobs. I know there are more women who have been employed and minorities than ever before.”

Sherk ends the video by thanking President Trump for the “greatest economic environment” she’s ever seen in her lifetime. But the ad never identifies Sherk as a political operative, let alone one who’s visited the White House, as we can see from a photo posted to the Cobb County Republican Party website.

As the Cobb County Republican Party website explains:

Kim Sherk has served in numerous positions in the Republican Party and the Republican Women. She is currently the President of the Georgia Federation of Republican Women and immediate past President of the Cobb County Republican Women’s Club.

Before being elected 1st Vice-Chairman, she served as Political Director and Secretary for the Cobb County Republican Party.


Sherk’s group, the Georgia Federation of Republican Women, is currently recruiting volunteers to “monitor” polls on Election Day to make sure the election is “free from fraud.” President Trump has repeatedly said that the election will be rigged, and that the only valid outcome is a victory for his campaign. In fact, Trump said at a press conference yesterday that he wouldn’t accept a peaceful transition of power if he loses to Joe Biden, adding that it would only be peaceful if they got rid of the “ballots.” Trump was presumably referring to mail-in ballots, which he incorrectly insists are inherently fraudulent.

Sherk appears to be one of many people who are showing up in Trump ads on YouTube and Facebook who aren’t acknowledged as being close to the Trump campaign. Instead, they’re called “real people,” which, again, is technically accurate. These are human beings, as far as Gizmodo can tell. But the average voter probably has a different idea of “real people” in political ads that doesn’t include a current operator in a given state’s political machinery. Sherk did not immediately respond to an email early Thursday morning.

Another ad currently being run by the Trump campaign on Facebook shows viewers a group of people sitting in a circle and talking about the dangers of a potential Biden presidency. While it might look like a typical focus group, featuring average people off the street, the video is anything but. Some of the people in the video are former and aspiring politicians, including one woman who’s currently running for the U.S. House in Minnesota and a man who was a delegate at the Republican National Convention in both 2016 and 2020.

The new ad, which is being pushed out hard in Iowa, according to data from Facebook’s political ad library, includes women like Fern Smith, who’s not identified by name in the ad, but says she would be “very scared if Joe Biden became president.”


Fern A. Smith, a Republican candidate for the Minnesota legislature in 2020, appearing unnamed in a new Trump ad.
Screenshot: Facebook

Incidentally, Smith is running as a Republican in Minnesota’s House District 51B. Smith has endorsements from the Minnesota Gun Owners PAC and the Minnesota Police and Peace Officers Association, according to her campaign website. Smith also has the endorsement of Minnesotans For Affordable Health Insurance, a group that opposes Medicare For All and supports private health insurance. The group also opposed Obamacare in 2014, according to its Facebook page, though it’s not clear who funds the PAC.

Curiously, there doesn’t appear to be any mention of Trump on Smith’s website, despite the fact that she’s appearing in ads for him. Fern did not immediately respond to a request for comment early Thursday.


Screenshot: Fern A. Smith campaign website

Another person seen in the focus group-style ad is Steve Wenzel who says in the Facebook ad that “President Trump is the right person for this nation’s economy.” Wenzel is also not named in the ad.

Wenzel was a Minnesota state legislator in the 1970s and ‘80s and served as a Democrat, something that local media seems to relish. But most importantly, Wenzel was a delegate at the Republican National Convention in both 2016 and 2020, according to the Brainerd Dispatch newspaper in Minnesota. Wenzel attended the convention in 2016; this year’s convention was virtual.

“I was greatly honored to be again elected a delegate from Minnesota to the Republican National Convention and to be able, again as in 2016, to vote to re-nominate President Trump for a second term as our president,” Wenzel said in a press release, according to the Dispatch.

“President Trump’s leadership led our nation to a great economic boom and will again restore our economy when the China virus/pandemic is gone,” Wenzel continued. “President Trump also restored America’s national defense and our military to one of strength following President Obama’s decimation of our national defense budget and military strength.”


Steve Wenzel, a delegate for the Republican National Convention in 2016 and 2020, in a Facebook video ad being billed as “real people” for President Trump.
Screenshot: Facebook

Wenzel told the Star Tribune newspaper last month that he used to be a Democrat back when they supported labor, but now the Democrats only support “regulations and environmentalism,” according to Wenzel. The Star Tribune story didn’t mention anything about Wenzel calling covid-19 the “China virus.”

There’s nothing wrong with a political delegate giving their testimony about why they support a candidate, but there’s something a little weird about explicitly calling them “real people” in your social media advertising.


Screenshots of the Trump video ads appearing on Facebook, with text that says these are “real people” giving testimonials.
Screenshot: Facebook Ad Library/Donald J. Trump Facebook

Every political campaign in history has stretched the truth a bit to put out a positive message. But Trump’s campaign, aside from being racist and fascist, has been particularly deceitful when it comes to using “real people” in their ads. Even Trump’s “opponents” like antifa aren’t represented accurately. There are real people on the street right now who identify as anti-fascist, but the Trump campaign has repeatedly used old photos and photos of political demonstrations in other countries.

Again, technically all of the people in these latest Facebook ads are “real” people. But it starts to make you wonder why they can’t just talk exclusively to small business owners that don’t also happen to be working for the Republican Party. There are a lot of people out there who support President Trump. Millions, in fact. But perhaps those aren’t the ones that Trum

Facebook Will Ban New Political Ads in Week Before Election Day


Credit…Anna Moneymaker for The New York Times

At a small campaign rally in Latrobe, Pa., President Trump on Thursday praised himself for wanting to “get along” with Russia and said that when he hears people talking about Russia in the news he “turns it off.”

“They always say, ‘Trump is radical, he is off the — he is too radical, he will get us in wars,’” Mr. Trump said. “I kept you out of wars. What happened in North Korea? I got along with Kim Jong-un. They said that’s terrible. It’s good that I get along. If I get along with Russia, is that a good thing or bad thing? I think it’s a good thing.”

He went on, mentioning Representative Adam Schiff, “These maniacs always talk about Russia. They never talk about China. It is always Russia. I heard it starting again. They said somebody spoke to Russia, Russia, Russia, Russia. The total maniacs, shifty Schiff is a total maniac. I can’t even listen.”

“Getting along with countries and a good — is a good thing,” he added. “It is a very good thing, not a bad thing. It is a very good thing.”

Mr. Trump’s comments came as pressure has increased on the president to sound alarms about the poisoning of Alexei Navalny, a Russian opposition leader. It also came a few weeks after a bipartisan Senate Intelligence Committee report detailed ties between the Trump campaign in 2016 and Kremlin officials, and as the Department of Homeland Security issued a fresh warning on Thursday that Russians were trying to foment disinformation by amplifying language about voter fraud.

At the rally, Mr. Trump also mocked his Democratic opponent, former Vice President Joseph R. Biden Jr., for wearing a mask, and suggested it was a sign he has a psychological need to feel safe.

“Did you ever see a man who likes to mask as much as him?” Mr. Trump asked the crowd, to laughter, after offering a caveat that people should wash their hands and wear masks in close quarters.

“A lot of times he has it hanging down because it gives him a feeling of security,” Mr. Trump said, bringing his hand to his ear to imitate how Mr. Biden’s mask drapes one side of his face when he takes it off.

“If I was a psychiatrist, I would say this guy has some big issues. I don’t know. Hanging down,” Mr. Trump said. Until Thursday night, Mr. Trump had been more subdued about mask-wearing to prevent the coronavirus. After months of playing down the coronavirus and making fun of people who wore protective masks, the president had to be persuaded to advocate mask-wearing, which top health experts have said is crucial to limiting the spread of Covid-19.

And he again suggested that people vote twice — once by mail and once in person — a suggestion that is illegal, and the kind of voter fraud that he has railed against.

‘Fear Doesn’t Solve Problems,’ Biden Says During Kenosha Visit

The Democratic nominee for president, Joseph R. Biden Jr., said he was optimistic about progress that can be made toward racial justice and discussed his visit with Jacob Blake’s family in Kenosha, Wis.

I just spent an hour or more with the family as I got off the airplane — had an opportunity to spend some time with Jacob on the phone. He talked about how nothing was going to defeat him. How whether he walked again or not, he was not going to give up. I think ultimately what’s been unleashed with a lot of people is they understand that fear doesn’t solve problems, only hope does. I am, I really am optimistic. I promise you, win or lose, I’m going to go down fighting, I’m going to go down fighting for racial equality, equity across the board. We hold these truths to be self-evident that all men and women are created equal, endowed by their creator. Well that may be what your birthright was, but it’s very different than actually being treated equally. Being treated the same. Everything from Black mortality rates and pregnancy straight to educational opportunities, and everything in between. But the country’s ready. And if they’re not, it doesn’t matter because there are certain things I ain’t going to change, certain things worth losing over. And this is something worth losing over — if we have to — but we’re not going to lose.


Two days after President Trump visited Kenosha, Wis., without meeting with the family members of Jacob Blake, a Black man shot by a white police officer, Joseph R. Biden Jr. sought to send a very different message with his own trip to the city, which is at the center of the national upheaval over policing and protests.

Mr. Biden met privately with several of Mr. Blake’s closest relatives for an hour as soon as his plane landed in Milwaukee, and he spoke by phone with Mr. Blake.

“The family was grateful for the meeting and was very impressed that the Bidens were so engaged and willing to really listen,” a lawyer for the family, Ben Crump, who participated by phone, said in a statement.

Mr. Crump said that they had discussed the treatment of minorities by the police, Mr. Biden’s selection of Senator Kamala Harris as his running mate and Mr. Biden’s plans to bring about change. Mr. Crump said that it “was very obvious that Vice President Biden cared” and that Mr. Biden had extended to Mr. Blake “a sense of humanity, treating him as a person worthy of consideration and prayer.”

Mr. Biden then convened a community meeting at Grace Lutheran Church in Kenosha, which is still reeling after the shooting of Mr. Blake and subsequent protests that saw sporadic outbreaks of violence and looting.

Mr. Biden listened as a series of speakers talked about issues ranging from racism in the legal system to the challenges facing business owners who are confronting unrest in the city.

“Hate only hides,” Mr. Biden said, as he described the ways, in his view, Mr. Trump has emboldened bigots. But he predicted that the country had reached an “inflection point.”

“I really am optimistic,” Mr. Biden said as he described the possibilities of a more just future. “I promise you, win or lose, I’m going to go down fighting. I’m going to go down fighting for racial equality, equity across the board.”

He added: “There are certain things worth losing over, and this is something worth losing over if we have to, but we’re not going to lose.”

Mr. Biden has largely remained close to his Delaware home since the coronavirus pandemic broke out in the United States, and the trip to Kenosha was a significant moment for him.

Republicans spent their convention last week painting a picture of a Democratic Party that condones street violence and is eager to slash funding from the police, distorting Mr. Biden’s stance on police funding in the process. Mr. Biden repudiated that characterization in a speech in Pittsburgh on Monday, declaring: “Rioting is not protesting. Looting is not protesting.”

Also on Thursday, Mr. Trump is headed to Latrobe, Pa., east of Pittsburgh, where he will rally supporters in a pivotal state and trumpet a federal grant for the city’s airport.

The dueling events illustrate the growing pressure each candidate is facing from his own party. Democrats are eager for Mr. Biden to start appearing in battleground states, particularly in Midwestern states like Wisconsin where Hillary Clinton assumed victory but fell short.


President Trump on Thursday expanded on his suggestion that people in North Carolina stress-test the security of their elections systems by trying to vote twice in the same election, a move state election officials have explicitly called out as a felony.

In a series of tweets Thursday morning, Mr. Trump sought to clarify his call for voters to both send in an absentee ballot and vote in person, arguing that by doing so, voters would provide a check against the mail voting system he has assailed and ensure that their vote was being tallied.

“In order for you to MAKE SURE YOUR VOTE COUNTS & IS COUNTED, SIGN & MAIL IN your Ballot as EARLY as possible,” he wrote on Twitter. “On Election Day, or Early Voting, go to your Polling Place to see whether or not your Mail In Vote has been Tabulated (Counted). If it has you will not be able to Vote & the Mail In System worked properly. If it has not been Counted, VOTE (which is a citizen’s right to do).”

Twitter added a warning label to his tweets, saying that they violated the company’s terms of service and its policies around election integrity but that the company would leave them up because it was “in the public interest” to do so.

Patrick Gannon, a spokesman for the North Carolina State Board of Elections, told The Times in an interview on Wednesday that officials would “strongly discourage voters from going to the polls on Election Day to find out whether their absentee ballot has been counted, especially since they can determine that at home.”

“There will be social distancing in place on Election Day,” he said. “We want to make sure the process flows smoothly.” He also noted that the state’s voting system would prevent a person from voting twice, because only the first vote recorded would be counted.

Karen Brinson, the executive director of the state board of elections, reiterated in a statement on Thursday that there were “numerous checks in place” to prevent “double voting” in North Carolina, and made plain: “It is illegal to vote twice in an election.”

Mr. Trump made his initial comment in a briefing with reporters on Wednesday.

“Let them send it in and let them go vote, and if their system’s as good as they say it is, then obviously they won’t be able to vote,” the president said. “If it isn’t tabulated, they’ll be able to vote.”

Reyna Walters-Morgan, the director of voter protection and civic engagement for the Democratic National Committee, said Thursday that Mr. Trump had “encouraged his supporters to commit voter fraud” and stressed that “voting by mail is a safe and secure way for Americans to participate in our democracy.”

As the number of people planning to mail in their ballots has increased, Mr. Trump has repeatedly made false claims about widespread fraud in mail voting. His latest suggestion, that voters commit that same sort of fraud he has denounced, is one he has discussed privately with aides in recent weeks amid concerns he is depressing turnout among his base by raising alarms about the security of the process.

The day after President Trump suggested that North Carolina voters attempt to vote twice to test if “their system’s as good as they say it is,” Facebook said it would remove posts of users who shared video supporting the president’s suggestion, or reposted it without proper context.

Voting twice is illegal across the country and is a felony in North Carolina.

Andy Stone, a Facebook spokesman, said that any shared video that showed only Mr. Trump’s comments “violates our policies prohibiting voter fraud, and we will remove it unless it is shared to correct the record.” Facebook said it would leave the initial video and news reports up and would allow shares of the video if they contained correct information.

The move came as the president seemed to attempt to clean up his comments on Twitter Thursday morning, telling supporters to mail in ballots as soon as possible, then go to the polls on Election Day to check if their vote had been recorded.

He later posted those same comments to Facebook, which slapped a warning label under the post: “Voting by mail has a long history of trustworthiness in the US and the same is predicted this year.” The label linked to Facebook’s voting hub, which includes fact checks on voting information and more details on voting, including by mail.

Facebook has been putting warnings under posts from Mr. Trump that have carried dubious claims and falsehoods about voting, but until Thursday the labels had largely been generic warnings to “get the facts” with links to the voting hub. The direct language on the label addressing the claim was a new step.

Also on Thursday, the social network said it would ban any new political ads in the week before Election Day and would strengthen measures against posts that try to dissuade people from voting. Postelection, Facebook said it would quash any candidates’ attempts at claiming false victories by redirecting users to accurate results.

Facebook has become a key battleground for both Mr. Trump’s campaign and that of Joseph R. Biden Jr. The Trump campaign ran Facebook ads falsely accusing Mr. Biden of corruption. Mr. Biden’s campaign has criticized Facebook for allowing lies, while spending millions on ads to appeal to voters.

Thursday’s changes, a tacit acknowledgment by Facebook of its power to sway public discourse, was not enough to satisfy critics who said temporarily blocking ads would do little to reduce misinformation.

Separately, Twitter added a warning label to the president’s tweets on voting, saying that they violated its terms of service and its election integrity policies, but said that the president’s post would remain up as a matter “in the public interest.”

“As a result of the application of the notice, engagements with these tweets will be limited and their visibility will be reduced,” a Twitter spokesperson said, adding that people could retweet them with comments — but not reply, like or simply retweet them.


Gerald Holmes, a forklift operator from Kenosha, Wis., was so passionate about the election four years ago that he drove people to the polls. But this year, Mr. Holmes says he is not even planning to vote himself.

The outcome in 2016, when Wisconsin helped seal President Trump’s victory despite his losing the popular vote and amid reports of Russian interference, left Mr. Holmes, 54, deeply discouraged.

“What good is it to go out there and do it?” he said. “It isn’t going to make any difference.”

As protests have unfolded across the country over the death of George Floyd and the police’s treatment of Black people, activists and Democratic leaders have pleaded with demonstrators to turn their energy toward elections in November.

A block party on Tuesday honoring Jacob Blake, the Black resident of Kenosha who was paralyzed after being shot by a white police officer, included voter registration booths near where the shooting occurred. Joseph R. Biden Jr. is scheduled to visit Kenosha on Thursday, two days after Mr. Trump appeared in the city in the wake of unrest over the shooting.

But people like Mr. Holmes reflect the challenges Democrats face as they try to channel anger over police violence into votes.

In interviews with more than a dozen Black residents of the Kenosha area, many said they were outraged over the shooting of Mr. Blake, but some said they had grown dispirited and cynical, and that the shooting showed that decades of promises from politicians had done little.

“Let’s say I did go out and vote and I voted for Biden,” said Michael Lindsey, a friend of Mr. Blake’s who protested after the shooting. “That’s not going to change police brutality. It’s not going to change the way the police treat African-Americans compared to Caucasians.”

During the block party near where Mr. Blake was shot, James Hall, the interim president of the Urban League of Racine and Kenosha, tried to get a young woman and man to register to vote.

“Does my vote really matter?” the woman asked, then answered herself, “I know my voice doesn’t count.”

“The people feel disengaged,” said Corey Prince, a community organizer. “They feel disenfranchised.”


For decades, President Trump has sought to undermine opposition by sowing distrust and relying on conspiracy theories, leaving people uncertain about what to believe.

In the last week alone, Mr. Trump has reposted messages asserting that the real death toll from the coronavirus was only around 9,000 and not 185,000, talked cryptically about a planeload of “thugs” in black uniforms flying to Washington to disrupt the Republican National Convention and asserted without a shred of evidence that his Democratic opponent, former Vice President Joseph R. Biden Jr., was “on some kind of an enhancement” drug.

People who have known the president for years say one of his most sustained assaults, on the integrity of the 2020 election, is straight from tactics he used as a businessman in New York.

The president has said with no evidence that “millions and millions of ballots” have been sent to dead people and dogs and cats. He has floated the possibility of postponing the election because of the coronavirus pandemic — an idea swiftly shot down by his own party. And at the opening of the Republican National Convention in Charlotte, N.C., he asserted that mail-in voting “is going to be one of the greatest scams,” pushing a false argument about fraud.

Mr. Trump’s critics point out that as president he has never had more power to shape public opinion and bend outcomes to his will. Early indications suggest he has created significant doubt about the 2020 election: According to a recent NBC-Wall Street Journal poll, about 45 percent of voters do not believe that the election results can be counted accurately — a jump from 36 percent ahead of the 2016 election.

Asked about Mr. Trump’s behavior over decades, Judd Deere, a White House spokesman, did not respond directly. “The American people know they never have to wonder what the president is thinking or how he feels about a particular topic, which is one of the many reasons why they chose to elect him over the same old recycled politicians who just use the poll-tested talking points,’’ Mr. Deere said.


The Department of Homeland Security warned federal and state law enforcement agencies on Thursday that individuals and groups allied with Russia have amplified allegations that mail-in voting could lead to “vast opportunities for voter fraud,” echoing a baseless claim that President Trump has made repeatedly.

The department said in the intelligence bulletin, “Russia Likely to Continue Seeking to Undermine Faith in U.S. Electoral Process,” that Russian state media and proxy websites have spread disinformation about mail-in ballots since March, claiming the system lacks transparency and procedural oversight, according to two law enforcement officials who reviewed the bulletin.

The people allied with Russia have also amplified claims that voters would not receive their ballots in time to cast their votes, according to the bulletin, which was first reported by ABC News.

“We assess that Russian state media, proxies and Russian-controlled social media trolls are likely to promote allegations of corruption, system failure and foreign malign interference to sow distrust in democratic institutions and election outcomes,” Homeland Security intelligence analysts said in the bulletin. The analysts wrote that they had “high confidence” in their assessment.

Mr. Trump has repeatedly made claims, without evidence, about widespread fraud in mail-in voting, even as his advisers have warned such comments scare his own supporters, among them older voters.

The distribution of the intelligence briefing on Tuesday follows an earlier revelation that the department had not yet published an intelligence briefing from July warning of attempts by entities supporting Russia to denigrate the mental health of Joseph R. Biden Jr., the Democratic presidential candidate. That bulletin also said agents of Iran and China had amplified criticisms of Mr. Trump’s mental health, although the document focused mostly on the attacks by Russian allies on Mr. Biden.


A batch of polls released on Thursday reflected a rigidly divided electorate in three key states, with Joseph R. Biden Jr. holding onto his advantage but failing to break away from President Trump in the wake of the party conventions.

A Quinnipiac University poll of Pennsylvania voters showed Mr. Biden with an eight-point lead. But even as he held the upper hand there, the survey reflected that he had not yet won the full confidence of Pennsylvania voters: More than half said they saw Mr. Trump as the better economic steward. (An earlier version of this item misstated which candidate most Pennsylvania voters said they would prefer to lead them in a crisis. A slim majority chose Mr. Biden, not Mr. Trump.) In a Monmouth poll of the state released Wednesday, Mr. Biden had a slimmer, four-point edge.

Quinnipiac also released a new poll of Florida, where it found an even closer race: Mr. Biden’s advantage there was just three points among likely voters, a difference within the poll’s margin of error.

Monmouth released another poll on Thursday from North Carolina, showing a tight race there. Mr. Biden had 48 percent support among likely voters, while 46 percent backed Mr. Trump.

All three of the polls out Thursday demonstrated that the main question on Election Day will be voter participation, not persuasion. In both Florida and Pennsylvania, well over 90 percent of voters who selected a candidate said that their minds were made up, according to Quinnipiac. In North Carolina, Monmouth found 88 percent of voters who selected a candidate were firmly set in their choice.

There are some exceptions to the trend, however, particularly in groups that tend to express dissatisfaction with both candidates. Among voters under 50 in North Carolina, who favored Mr. Biden by a razor-thin three-point margin, 13 percent said they were undecided or planned to vote for a third-party candidate, considerably higher than for other age groups, according to the Monmouth poll. Third-party preference tends to drop significantly as Election Day draws nearer, suggesting that young voters could make the difference if they break one way or the other.

Florida voters can cast early ballots in person or by mail, and just 42 percent of likely voters said they planned to go to the polls on Election Day. Nearly a quarter said they would vote early in person, and another third planned to mail in their ballots. In Pennsylvania, where in-person early voting is not an option, three in 10 voters said they would vote by mail.


Richard Trumka, the president of the A.F.L.-C.I.O., on Thursday morning accused President Trump of breaking his promises to bring more manufacturing and infrastructure jobs to working Americans.

They were some of Mr. Trumka’s strongest comments to date — and a recognition that even labor leaders who were willing to give Mr. Trump a chance four years ago are no longer open to finding common ground.

“The jobs he said were coming never came,” Mr. Trumka said during a virtual breakfast with reporters, hosted by The Christian Science Monitor. “Instead of rebuilding America, he’s torn it apart.”

Mr. Trumka’s denunciation of the administration’s policies affecting working Americans came a week after the president promised to turn America into the “manufacturing superpower of the world.” The Trump campaign still needs the support of white, working-class voters in states like Pennsylvania, Michigan and Wisconsin in order to win.

In his nomination acceptance speech last week at the Republican National Convention, Mr. Trump said that he would “cut taxes even further for hardworking moms and dads.” But on Thursday, Mr. Trumka blamed the president for a tax cut that benefited the rich and “accelerated the outsourcing of good-paying American jobs and worsened inequality.”

Mr. Trumka, a union leader who at the beginning of the Trump presidency was criticized by some for being open to an alliance with Mr. Trump, has since become an outspoken critic of the president. And in May, the A.F.L.-C.I.O. endorsed former Vice President Joseph R. Biden Jr.

Four years into the Trump presidency, Mr. Trumka said, “We’ve learned that working people cannot afford Donald Trump. We’ve learned that workers might not be able to survive another four years with Donald Trump.”

He added: “After months of pandemic politics and generations of systemic racism, Trump is pouring gasoline on the fire. It is a transparent, ugly, last-ditch effort to scare some people into voting for him and scare others away from voting at all.”


WAUWATOSA, Wis. — Outside Grace Lutheran Church in Kenosha Thursday, where Joseph R. Biden Jr. was inside addressing members of the community, Justin Blake said that his family would not rest until the officer who shot his nephew, Jacob Blake, and left him paralyzed, had been indicted and convicted.

“When all the cameras go away, I can’t stand my nephew back up,” he said, speaking through a megaphone. Mr. Blake said he believed Mr. Biden would be part of the “healing” of the country.

While he did not take part in the family’s meeting with Mr. Biden earlier in the day, Mr. Blake said he had talked to his brother, Jacob Blake’s father, who said he had found Mr. Biden to be “a hell of a guy.”

Neighbors living on a narrow side street next to the church took in the scene from porches or lawns, surveying the swarm of reporters, Secret Service agents and onlookers.

Calvin Cooks, 49, said he understood the anger over the police shooting of Jacob Blake on Aug. 23, but said he was also disturbed by the destructive nature of some of the protests that followed.

He said that he supported Mr. Biden and appreciated how the former vice president spoke on policing and issues of race.

Mr. Cooks said he himself was sprayed with Mace several weeks ago by a police officer as he tried to pull his family away from a shooting scene and a crowd that had grown angry with the police.

Still, he said, he thought that the officer who shot Mr. Blake might have been legitimately worried that he had been reaching for a weapon.

“I’d never say it was cool or good he shot him, but that man was thinking about his life,” Mr. Cooks said of the officer.

A few houses down, April Valdez was hanging a large Trump 2020 banner on her porch after taking it inside on a windy day.

Ms. Valdez said the demonstrations grew so destructive last month that she and her husband briefly sent their three young children out of the area, fearing they would be hurt. She was frustrated that the National Guard had not been sent in immediately.

“The fires, I think, could have been prevented,” she said. “Change-wise, I unfortunately think anything Democratic-handled at this point is going to put us further into destruction.”

Mr. Biden and his wife, Jill R. Biden, ended their trip Thursday afternoon with an unannounced stop. Sitting down with a small group of teachers and parents at a backyard picnic table in the Milwaukee suburb of Wauwatosa, they talked about education. The couple’s arrival surprised residents of the quiet, leafy neighborhood, and by the time they left about an hour later, hundreds of people flooded the sidewalks and lawns and broke into chants of “Let’s go, Joe!”

Chris and Karri Tait, donors to the Biden campaign, said they had only learned the night before that Mr. Biden might want to use their backyard for the meeting.

“We talked a lot about just funding mechanisms, what are the challenges the teachers are facing right now and how they’re going to overcome that,” Mr. Tait said. “It gives a lot of optimism of, if Joe is elected, that he’s going to make some changes.”


President Trump’s call for people to test the integrity of the elections system by trying to vote both by mail and in person has created new headaches for state election officials, who are already dealing with the formidable task of holding an election during a pandemic.

Douglas A. Kellner, co-chairman of the New York State Board of Elections, accused Mr. Trump on Thursday of fueling concern in the minds of voters and, in doing so, adding more work to county elections boards already “stretched to the limit” by a presidential election and coronavirus.

“It’s hard to imagine how we could add any more stress to the system,” said Mr. Kellner, a Democrat.

Maggie Sheehan, a spokeswoman for Frank LaRose, Ohio’s secretary of state, a Republican, said, “Ohio voters are encouraged to choose one way to vote, as any additional effort to cast a ballot will not be counted and unnecessarily burdens election officials.”

And Jena Griswold, Colorado’s secretary of state and a Democrat, said, “2020 has been unprecedented in so many ways, but I never imagined that as secretary of state I would have to inform both the president and the U.S. attorney general that it is illegal to vote twice.”

That was after Attorney General William P. Barr suggested during an interview with CNN that he was not sure whether voting twice was illegal in North Carolina.

A group of Democratic senators on Thursday urged Treasury Secretary Steven Mnuchin to impose economic sanctions on individuals and government entities tied to Russia who are seeking to interfere in the general election.

The published letter, co-signed by Senator Ron Wyden of Oregon and Minority Leader Chuck Schumer of New York along with nine other senators, cited an assessment by American intelligence officials last month that said Russia was using a range of techniques to denigrate Joseph R. Biden Jr. and interfere in the 2020 election to help President Trump. Russia tried to sway public opinion ahead of the 2018 midterm election, but it did not successfully tamper with the voting infrastructure.

A statement last month by William R. Evanina, the director of the National Counterintelligence and Security Center, described the activities of Andriy Derkach, a member of Ukraine’s Parliament who supports Russia and who has been involved in releasing claims to undermine Mr. Biden’s candidacy. Intelligence officials have said he has ties to Russian intelligence.

“Congress has mandated a broad range of sanctions tools, and it is long past time for the administration to send a direct message to President Putin: The U.S. will respond immediately and forcefully to continuing election interference by the government of the Russian Federation and its surrogates,” the letter said. “There is virtually no national security threat more serious than that posed by those who would undermine confidence in, and the effective operation of, our democratic elections.”

A spokesman for the Treasury Department said the department does not generally comment on correspondence with Congress.


House Democrats on Thursday called on the Office of Special Counsel, the independent agency charged with enforcing a law against partisan political activity by government employees, to investigate what they described as “multiple, repeated violations” of the statute, the Hatch Act, during last week’s Republican convention.

“Throughout the convention, administration officials repeatedly used their official positions and the White House itself to bolster President Trump’s re-election campaign,” Democrats on the House Committee on Oversight and Reform wrote in a letter to the office. “We are alarmed that President Trump and some senior administration officials are actively undermining compliance with — and respect for — the law.”

Among the examples: Video of a pardon and naturalization ceremony featuring Chad Wolf, the acting Secretary of Homeland Security; a speech by Secretary of State Mike Pompeo while he was on official travel in Jerusalem; a segment in which a federal housing official interviewed New York City tenants who later said they were not told their testimonials would be used at the convention; and multiple other segments filmed on federal property, including an elaborate ceremony on the White House grounds.

The president and vice president are exempt from the Hatch Act, a 1939 law limiting political activities by federal employees, but it applies to the rest of the administration. Still, despite multiple violations the O.S.C. has found under Mr. Trump and past presidents, the act has rarely been enforced. Penalties for violating it include removal from federal employment and fines of up to $1,000.

The Democrats also cited a New York Times article that reported that Mr. Trump had “enjoyed the frustration and anger” he elicited by holding political events on the White House grounds and that he had “relished the fact” that he could not be stopped, according to Mr. Trump’s aides.

A Republican candidate in Texas who is locked in a tight House race has come under scrutiny for campaign ads run this summer that show him shaking hands with and walking alongside a campaign volunteer dressed as a border patrol agent.

The candidate, Tony Gonzales, a former Navy cryptologist, narrowly won the Republican primary and will face Gina Ortiz Jones, a Democrat and a former Air Force intelligence officer, in November. They are vying for the seat of U.S. Representative Will Hurd, who announced last year that he would retire. The 23rd District stretches along the southwest border of the state, from San Antonio to El Paso.

The ads, which were first spotlighted by The San Antonio Express-News, were posted on Facebook in June and July during Mr. Gonzales’s primary race against Raul Reyes and at least one ran on TV. They sought mainly to attract conservative voters by highlighting Mr. Gonzales’s ties to President Trump and his desire to, as one ad put it, “finish the wall.”

In a news release Thursday that flagged the Express-News report, Sharon Yang, a spokeswoman for the Jones campaign, said Mr. Gonzales was on “the wrong side” of the border wall issue.

“South and West Texans overwhelmingly oppose President Trump’s wasteful border wall that is taking private land from families and raiding funding from military bases in this district,” she said.

Matt Mackowiak, a Gonzales campaign spokesman, confirmed that the person in the ads wearing what appeared to be the border patrol’s signature green uniform and patches was not an actual agent.

In a statement, the campaign’s lawyer stressed that government emblems and symbols can be used for the purpose of political debate and “the campaign remains confident that its advertisement complies with all legal and ethical standards.”

“Tony Gonzales has toured the southern border with courageous border patrol agents to see firsthand the security challenges that we face,” Mr. Mackowiak said in his own statement.

A spokesman for Customs and Border Protection said only that the agency was “looking into this issue.”

12 Key Characteristics for an eCommerce B2B Website

The standard model of the shopping cart does not work for the B2Bs. Here, in this article, you can easily find a list of the essential functions to avoid failure and create a successful e-commerce website from your B2B.

Very often, when we hear the words “online shop”, we picture e-commerce platforms that sell products such as shoes, jewelry, stationery, or groceries. While it is unquestionable that B2C companies make up an essential part of e-commerce, B2B portals are slowly emerging to dominate online sales.

Today, more and more B2B customers are making their purchases online. A study from Forrester indicates that more than 74% of B2B customers do some online research before buying something. Customers researching first shows the growing reach of B2B portals. The needs and requirements of customers are very different for B2C and B2B enterprises.

Therefore, B2B enterprises should change how they design and present their online shops to their customers. The essential functions listed below help you avoid failure and build a successful B2B e-commerce website.

Customized Pricing

Unlike B2C portals, which have uniform pricing for all customers, B2B enterprises offer different prices depending on the client or the quantity bought. Wholesale purchases carry higher discounts than smaller purchases.

Also, B2B enterprises offer group prices for specific products, quantity discounts, etc.

Your site should be designed to display the right price to each customer. Once a particular customer logs in, they must see the price that applies to them, depending on the quantity ordered and other discounts.

Advanced Payment Method

The ordering process for B2B is more complicated than for B2C, so the shopping cart model must be adapted accordingly. Your e-commerce website design company needs to design your site so that paying is easier and basket abandonment is reduced.

The payment process must not only be streamlined but must also account for some other factors:

  • Customers must be able to charge their shipping costs to their own delivery partner accounts (such as FedEx, UPS, etc.)
  • Customers must be able to retrieve their payment information from previous orders.
  • They must have the possibility to pay for orders through different payment methods such as a line of credit, a purchase order, commercial credit, etc.
  • It should be possible to repeat a previously placed order without searching for the individual products again.

Wholesale Purchases

Very often, B2B customers place large orders. In such cases, searching for all the products in your online catalog is tedious and time-consuming. To simplify the task, you can provide your consumers with a form for a bundled order.

When designing a group order form, ensure that customers can add products using only the part number or the SKU. They should also be able to specify the desired quantity for each item. Once the bundled order form is completed, it should take the customer directly to the payment page.

Minimum Amount of Order

Setting a minimum order amount is another feature that distinguishes B2B portals from B2C e-commerce websites. Very often, B2B companies sell products only in wholesale quantities. Customers must order a specific minimum amount before the order can be completed.

Degressive Discounts for the Wholesale Purchases

B2B customers often make bulk purchases. So, instead of listing products that are usually sold as individual items, you can also list them as packages, boxes, cartons, or even pallets. These unit designations make things easier for the customer and for you. If a customer is looking for nails, they can add a box to the basket instead of 100 individual nails.

In addition, B2B companies offer different levels of discount depending on the number of products ordered. For example, offering the same price to a customer who buys 10 air filters and to one who buys 1000 air filters makes no sense. Your online store must be able to apply different discounts depending on the quantity ordered.

Restricted Access

Some B2B companies only allow pre-registered customers or resellers to order products from their online stores. For example, if your business only sells through a network of resellers, your website should be designed so that only authorized resellers can access it.

When choosing an e-commerce platform, make sure it can password-protect your entire site and restrict access to registered customers.

You can also restrict non-registered customers to specific parts of the site. Restricting a site area means that the home page and product range are visible to everyone, but only authorized resellers can buy from your online store.

Improved Mobile Experience

The mobile shopping experience is growing. Today, more and more B2B customers look for professional products on their mobile devices. As mentioned above, almost 94% agree that they start looking for commercial services or products on their smartphones. Mobile-friendly sites are therefore no longer an additional feature. They are essential to provide your customers with the best user experience.

When designing a responsive mobile e-commerce store, you need to look for advanced features such as:

  • Auto-entry – this allows your clients to fill out forms using information already stored on their device. This way, they don’t have to retype standard information such as name, address, email address, phone number, etc.
  • A clear call to action button – with this button, customers can contact your customer support team with just one click.

Make sure your site has fast loading times and offers an optimized experience on all screens.

Intuitive and User-Friendly Searches

One of the best ways to increase the conversion rate on the website is to improve the search functionality of your B2B e-commerce portal. Customers should be able to locate the items they are looking for without going through your entire list of products.

Being user-friendly and accessible means that you need more than just a search bar on your website. Here are some improved search features to provide to your site:

  • Search filters – customers should be able to locate a product or refine default search results by attributes such as product size, color, availability, etc.
  • Long-tail searches – your e-commerce portal must be able to handle and interpret long-tail semantic searches. Studies show that the dropout rate decreases significantly (from 40% to 2%) with a semantic search approach.
  • Auto-entry – while this may seem like a simple feature, it has a considerable impact. Auto-entry not only saves consumers time but also leads them to buy other products that they hadn’t thought of buying before.

Flexible Payments

In the B2C world, getting paid immediately before processing an order is very important. B2B companies, on the other hand, do not operate that way. There is a stable relationship between the company and the customer, and very often, companies give their customers a line of credit. A line of credit leads to the need for flexible payment options.

Flexible payments add to the overall user experience. While different payment methods are very convenient for B2C online stores, they are critical for B2B stores. When offering several payment methods on your B2B e-commerce site, be sure to provide offline options as well as the usual ones such as credit cards, transfers, etc.

An example of an offline payment method is to complete the order and then allow the customer to pay for it using the order number within 30 days of the end of the transaction.

Available Customer Support

To make sure you increase conversion rates, you need to provide more than a “Contact Us” page on your e-commerce portal. You can add the “Ask for a free quote” form or add a live chat service to provide your customer with real-time customer support.

Real-Time Inventory Updates

This is an indispensable feature of all B2B e-commerce portals. Only with real-time inventory updates can you provide your customers with the most accurate information.

If a consumer completes an order, only to find that you don’t have the required products, they not only lose confidence in your brand, but you also end up losing potential repeat sales and even the customer.

Real-time inventory updates have far-reaching implications beyond your online store. You get a clear picture of your overall inventory, and this helps streamline your operations, especially if you run a just-in-time business model.

Advanced Personalization

Very often, B2B electronic stores fail because they are rigid and built on a standard template. If you want to get the most out of your e-commerce business, your B2B store should be tailored to the specific needs of your business, not the other way around.

This starts with choosing the right e-commerce platform that meets your specific needs.

Last Thoughts

The launch of a successful B2B e-commerce store is not possible overnight. You need to choose the right platform and provide your customers with advanced and additional features to make sure that it works the way you want it to work.

While this list of B2B e-commerce features is essential for your business to stand out from your competitors, some of them may not apply to your industry. Make sure you choose a reputable B2B platform solution that understands your business and offers you the best solution.

Image Credit: ketut subiyanto; pexels


Zoe Kahn

In charge of Marketing at Uppler, a digital firm selling the most complete all-in-one solution for creating B2B platforms. My background is fully digital, and my objective is to help people understand how this new trend can help develop their business.

Ecommerce: The Essential Components Your Site Needs to Turn Visitors Into Buying Customers

Making sure your brand’s website is living up to its fullest potential should be at the top of any ecommerce leader’s to-do list.

We’ve all been there. You head to a company’s website to check out a product or service offering and while the website may avoid the dreaded slow page-load, it’s not exactly a wealth of information. A website that is poorly designed or just plain lackluster isn’t doing your brand any favors and certainly won’t entice customers to conduct their business with you.

There’s no shortage of articles on the web of how to attract more website traffic, and while a strong SEO strategy truly is essential, it’s too easy to overlook what it is that keeps people coming back. After all, your business would prefer regular visitors to its website rather than someone who visits once and never again, right? (Of course, you would!)


Everyone knows that ecommerce has been on the rise for years, but nobody expected 2020 to turn out the way it has, and in relation to the topic at hand, its impact on ecommerce. According to TechCrunch, ecommerce sales in April jumped nearly 50 percent. While that jump didn’t continue to climb at such a rapid rate in the following months, this year is expected to see an overall jump in ecommerce sales of 18 percent. With those kinds of numbers, making sure your brand’s website is living up to its fullest potential should certainly be at the top of any leader’s to-do list.

Long story short, if customers don’t have a pleasant experience on your website and find it to be of value, they won’t give you their business. Which is why entrepreneurs and business owners should be asking themselves: “What’s my website offering to the customer?”

Customers want to learn something when they visit

The reason you’re on this article is the same reason visitors come to your brand’s website — to hopefully learn something. That could be as simple as your business’s contact information. However, your chances of turning a website visitor into an actual customer are going to substantially increase if you teach them something of real value. What products or services do you offer? What separates you from the competition? What new industry insights or developments should potential customers know about?


Don’t make the mistake of thinking of this simply as marketing; what your website should be providing is insight and context. Take furniture, for example. You could simply create website marketing that highlights the appeal of a leather couch, but a more effective strategy would be a buying guide that offers both the advantages and disadvantages of a leather couch compared to one with fabric upholstery. Customers who are more educated are going to make a wiser purchase decision, which in turn is going to increase the likelihood they’re happy with their choice and your business.

If customers don’t learn something visiting your website (or at least feel it was worth their time) they won’t be back. So teach them something.

Don’t let a lack of customer support result in a lack of customers

The rise of ecommerce is due in large part to the convenience it offers, and a big part of the equation to factor in is customer support. If your business makes it difficult for visitors to reach out and make contact, then it’s really shooting itself in the foot. Studies have shown that 89 percent of consumers would take their business elsewhere within a week if they received poor customer service. Avoiding that starts with offering complete contact information: email, social media channels, phone number, and yes, a physical address. Reliable contact information is one of the things consumers demand on a business website, so do your brand a favor and provide it.

Companies should also consider using live chat to provide 24/7 support to visitors. Most businesses probably don’t have the manpower to operate an in-house customer support team around the clock, but artificial intelligence has come a long way in recent years. Providing AI customer service can also help keep track of recurring issues visitors may be having and provide valuable feedback for customer support managers.

Wow them, but don’t overwhelm them

Imagine if you walked into a brick-and-mortar store (remember those?) and all the products were haphazardly tossed all over the place, no signage, no organization, just as much stuff as possible randomly scattered about. You’d probably do a 180 and move on to someplace else. That’s exactly the sort of thing that potential customers are going to do if your website tries to cram too much onto a single page — especially if it’s the ever-so-important homepage.


Take Apple for example. Its website is incredibly clean with large images that pop. It wows the visitor without overwhelming them. Even the copy is kept rather minimal and crisp, yet folks can still easily find what they’re looking for with the navigation bar at the top.

One of the best things you can offer visitors to your brand’s website is visual appeal. We’re visual creatures and our brains process images infinitely faster than text — around 60,000 times faster. Even if your business offers as many products as Amazon, you don’t want to make the mistake of bombarding visitors to your website with all of them at once. Let a few key images do the talking.

The right SEO strategy is key for driving traffic to your business’ website, but if visitors are disappointed once they get there, they’ll never return. In this day and age, a brand’s website is often its most powerful selling tool, so take the necessary steps to ensure that it offers real value to existing and new customers.

Hacking on Bug Bounties for Four Years

Contents: Intro & Motivations, Findings, Analysis, Collaboration, Methodology

I value transparency a lot, especially when it comes to the bug bounty space. Bug bounty hunters all around the world are submitting a range of reports where the issues found span across multiple domains, often leveraging numerous techniques and methodologies. However, if you’re not already an active bug bounty hunter who has a good understanding of what a bounty program expects, or will pay out for, you have a major disadvantage compared to someone who does have this knowledge. I hope through this blog post, I can demystify the sort of issues bug bounty programs pay for.

The last blog post I did in this series was around four years ago, 120 days, 120 bugs. In the last four years, a lot has happened. I moved to Europe for six months, I moved interstate in Australia twice, I won a live hacking event, I co-founded a company and helped build an attack surface management platform with a team of people I consider family.

Unlike my previous blog post, I did not set myself a goal to find a bug a day. Instead, I participated in bug bounties whenever time allowed. There were many months where I found nothing at all, which often terrified me when it came to evaluating my self-worth as a hacker. I also admitted to myself that I might be a good hacker, but there is always going to be a better hacker out there, and I’ve made my peace with that as a hyper-competitive person.

If you don’t have an excellent understanding of fundamental application security attacks and weaknesses before you approach bug bounties, in my opinion, you are wasting your time. Practice and learn more here.

If you’re looking for a paid, more extensive resource, check out and practice with PentesterLab.

Participating so heavily in bug bounties has given us the knowledge at Assetnote about what security teams actually care about. It’s the reason we can maintain high signal when we are continuously finding exposures.

My primary motivation for this blog post is to educate the masses on what bug bounty programs are paying out for.

For example, would you know that you could submit a dangling EC2 IP (subdomain pointing to an EC2 IP that is no longer owned by the company) as a bug report without reading the proof in the pudding below? I’ve been paid for this by programs, so clearly they value this sort of information.
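As an added example (not code from the post or from Assetnote), here is the defender-side audit for the dangling EC2 IP case just described: it flags DNS A records that point into EC2 address space at an IP the organisation no longer holds, so the record can be removed before AWS hands that address to someone else. The ip-ranges excerpt, owned-IP inventory and zone records below are constructed samples in the shape of the real data.

```python
"""Find DNS A records left pointing at EC2 IPs the organisation no longer owns.

Added example, not from the post. All inputs are constructed samples: in
practice the prefixes come from https://ip-ranges.amazonaws.com/ip-ranges.json,
the owned IPs from the account's EC2 instance and Elastic IP inventory, and
the records from a zone export.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed excerpt in the same shape as AWS's published ip-ranges.json
# (only the "prefixes" key is used here).
AWS_IP_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "CLOUDFRONT"},
    ]
})

# Constructed inventory: public IPs currently attached to instances or held
# as Elastic IPs across the organisation's AWS accounts.
OWNED_IPS: Set[str] = {"198.51.100.10", "203.0.113.7"}

# Constructed zone export: (record name, A record target).
DNS_A_RECORDS: List[Tuple[str, str]] = [
    ("www.example.test", "198.51.100.10"),      # owned EC2 IP: fine
    ("old-api.example.test", "198.51.100.99"),  # EC2 range, not owned: dangling
    ("cdn.example.test", "192.0.2.5"),          # CloudFront range: not EC2, skipped
    ("mail.example.test", "8.8.8.8"),           # not an AWS address at all
]


@dataclass(frozen=True)
class Finding:
    name: str
    ip: str
    region: str


def load_ec2_networks(ranges_json: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (network, region) pairs for every prefix tagged with the EC2 service."""
    data = json.loads(ranges_json)
    return [
        (ipaddress.ip_network(p["ip_prefix"]), p["region"])
        for p in data["prefixes"]
        if p["service"] == "EC2"
    ]


def ec2_region(ip: str, networks) -> Optional[str]:
    """Region of the EC2 prefix that contains ip, or None if ip is not EC2 space."""
    addr = ipaddress.ip_address(ip)
    for net, region in networks:
        if addr in net:
            return region
    return None


def find_dangling(records, owned_ips, networks) -> List[Finding]:
    """Records pointing into EC2 space at an address the organisation no longer owns.

    Any such record should be deleted or re-pointed: once the address is
    released, another AWS customer can be allocated it and receive the
    traffic meant for that subdomain.
    """
    findings = []
    for name, ip in records:
        region = ec2_region(ip, networks)
        if region is not None and ip not in owned_ips:
            findings.append(Finding(name, ip, region))
    return findings


if __name__ == "__main__":
    nets = load_ec2_networks(AWS_IP_RANGES_JSON)
    for f in find_dangling(DNS_A_RECORDS, OWNED_IPS, nets):
        print(f"DANGLING {f.name} -> {f.ip} (EC2 {f.region}): remove or re-point the record")
```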

Below are all of my findings for the last four years. I’ve redacted information where necessary, but by reading the titles, it should give you a good understanding of what I was reporting to programs.

Date (UTC) | Report title | Bounty
2020-09-02 14:04:11 UTC | [redacted] Hosted Zone Takeover | $1,000.00
2020-07-16 18:39:22 UTC | Spring debugging endpoints exposed leading to disclosure of all secrets via heapdump on [redacted] & Account takeover by Trace | $2,500.00
2020-06-30 22:54:07 UTC | Blind SSRF on [redacted] through invoicing API – access to internal hosts | $60.00
2020-06-10 13:53:43 UTC | Full Account takeover through subdomain takeover via [redacted] | $300.00
2020-06-10 13:24:10 UTC | Full Account takeover through subdomain takeover via [redacted] | $300.00
2020-06-10 13:21:57 UTC | Full Account takeover through subdomain takeover via [redacted] | $300.00
2020-06-08 14:28:05 UTC | Amazon S3 Subdomain Hijack – [redacted] | $256.00
2020-06-08 05:29:58 UTC | Route53 Hosted Zone Takeover of [redacted] | $500.00
2020-06-05 16:27:42 UTC | Admin panel for Cisco IP Conference Station CP-7937G exposed on the internet on [redacted] IP ranges | $400.00
2020-06-03 21:07:51 UTC | Pre-auth Blind MSSQL Injection affecting [redacted] | $1,024.00
2020-06-03 14:18:24 UTC | Pre-auth MSSQL Injection affecting [redacted] | $1,024.00
2020-06-02 15:28:50 UTC | Pre-auth SQL Injection affecting [redacted] | $1,024.00
2020-06-02 15:26:58 UTC | RCE via arbitrary file write and path traversal [redacted] | $1,024.00
2020-06-02 15:25:08 UTC | RCE via arbitrary file write and path traversal [redacted] | $1,024.00
2020-05-18 10:12:38 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00
2020-05-18 10:11:58 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00
2020-05-18 10:06:22 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00
2020-05-18 10:05:20 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00
2020-05-11 18:47:54 UTC | Route53 Hosted Zone Takeover of [redacted] | $100.00
2020-05-11 14:59:23 UTC | Account takeover through Subdomain Takeover of [redacted] (Cookie Disclosure -> Account Takeover) | $2,500.00
2020-05-11 14:31:18 UTC | Account takeover through Subdomain Takeover of [redacted] (Cookie Disclosure -> Account Takeover) | $2,500.00
2020-05-07 01:47:49 UTC | View all metadata for any [redacted] IDOR [redacted] | $1,000.00
2020-04-29 22:58:57 UTC | IDOR view all [redacted] | $4,000.00
2020-04-29 22:57:55 UTC | IDOR view the [redacted] | $2,500.00
2020-04-24 18:19:23 UTC | Subdomain takeover of [redacted] through Heroku | $300.00
2020-04-24 18:18:45 UTC | Subdomain takeover of [redacted] through Heroku | $300.00
2020-04-23 19:45:04 UTC | Ability to horizontal bruteforce [redacted] accounts by abusing [redacted] sign up flow | $500.00
2020-04-22 17:44:29 UTC | View all metadata for any [redacted] IDOR [redacted] | $500.00
2020-04-22 17:42:51 UTC | IDOR view the [redacted] for any [redacted] for today [redacted] | $500.00
2020-04-22 17:42:06 UTC | IDOR view all [redacted] for a [redacted] [redacted] | $500.00
2020-04-06 19:13:19 UTC | Facebook – Payout For [redacted] | $5,000.00
2020-03-07 15:12:24 UTC | Accessing Querybuilder on [redacted] to gain access to secrets | $3,000.00
2020-02-25 15:02:20 UTC | Subdomain takeover of [redacted] via Amazon S3 | $750.00
2020-02-20 23:01:58 UTC | HTML injection, DOS of email receipts and potentially template injection within [redacted] via “Expense Info” section | $500.00
2020-02-18 14:45:40 UTC | Admin account bruteforce via [redacted]/libs/granite/core/content/login.html | $500.00
2020-02-15 12:24:57 UTC | Blind XSS via registering on [redacted] | $500.00
2020-02-04 03:45:38 UTC | HTML Injection in email when contributing to a [redacted] | $700.00
2020-01-21 17:13:58 UTC | Ability to attach malicious attachments (of any name and of any content type) to [redacted] support staff via [redacted] | $2,000.00
2020-01-15 11:41:59 UTC | No authentication required to view and delete Terraform locks at [redacted] | $250.00
2019-12-12 16:25:11 UTC | [redacted] Webhook URL + object leaked in JavaScript on [redacted] | $3,000.00
2019-11-21 22:15:20 UTC | AWS & Screenhero JWT Credentials from [redacted] not rotated, still working | $1,000.00
2019-10-17 13:44:23 UTC | RCE on [redacted] via IBM Aspera exploit leading to compromise of secure file storage | $1,000.00
2019-10-15 14:29:25 UTC | SSO bypass on [redacted] leading to access of internal documents and portals | $250.00
2019-10-11 18:07:51 UTC | Admin access to [redacted] via guessing credentials | $1,500.00
2019-10-11 18:06:15 UTC | 3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by [redacted] | $250.00
2019-09-30 16:56:50 UTC | Multiple server-side issues affecting [redacted] (SSRF, admin panels) | $2,660.00
2019-09-25 22:10:00 UTC | Read any [redacted] details using UUID – IDOR in [redacted] | $1,000.00
2019-09-10 16:17:59 UTC | SSRF in [redacted] | $2,000.00
2019-09-03 15:28:36 UTC | SSRF in [redacted] | $17,900.00
2019-08-29 00:43:00 UTC | Bypassing email whitelists for organisation signup flows on [redacted] | $250.00
2019-08-09 05:15:44 UTC | [Pre-Submission] SSRF in [redacted] (Iframely) | $2,970.30
2019-07-29 16:32:59 UTC | [Bypass] SSRF via [redacted] leads to internal network access, ability to read internal JSON responses | $23,000.00
2019-07-24 02:52:42 UTC | PHPInfo exposed at [redacted] | $100.00
2019-07-24 02:46:02 UTC | SSRF on [redacted] leading to AWS breach via security credentials | $5,000.00
2019-07-08 14:44:23 UTC | Remote command execution on production [redacted] (via tsi parameter) – CVE-2017-12611 | $2,000.00
2019-06-12 17:42:53 UTC | Username/Password for Aspera and other secrets leaked in [redacted] | $1,500.00
2019-06-12 17:42:08 UTC | SSO/Authorization bypass for APIs hosted on [redacted] | $1,500.00
2019-06-12 14:45:09 UTC | Remote Code Execution (many endpoints) – [redacted] | $4,500.00
2019-06-10 17:29:35 UTC | Extract email, dob, full address, federal tax ID and other PII for all leads in [redacted] | $1,800.00
2019-06-10 16:53:22 UTC | Obtain email, mobile of customers of [redacted] by iterating through Lead IDs via the API | $12,600.00
2019-06-10 16:52:40 UTC | Ability to pull out all opportunities (IDOR) extract PII for customers of [redacted] | $12,600.00
2019-06-07 18:51:24 UTC | [redacted][IDOR] – Accessing all accounts via regression / new attack vector by abusing [redacted] (regression?) | $2,500.00
2019-06-07 18:17:31 UTC | Blind SSRF on [redacted] through RPC call to checkAvailableLivechatAgents | $62.50
2019-06-07 18:07:22 UTC | HTML injection in emails when adding a reviewer to [redacted] | $125.00
2019-06-07 17:42:09 UTC | [IDOR] Impersonating an [redacted] employee via /api/readHandler on [redacted] | $1,500.00
2019-06-07 15:33:31 UTC | Extract mobile number and [redacted] using only an email address, for any [redacted] | $750.00
2019-06-07 14:36:01 UTC | Zendesk Ticket IDOR / Ability to enumerate IDs via [redacted] | $125.00
2019-06-07 14:24:15 UTC | Extract mobile number and [redacted] using only an email address, for any [redacted] user | $750.00
2019-06-07 14:11:20 UTC | HTML Injection in [redacted] receipts if printed from [redacted] | $100.00
2019-06-07 13:56:46 UTC | Ability to access the airwatch admin panels and APIs in [redacted] | $1,000.00
2019-06-07 13:21:31 UTC | IDOR on [redacted] allows you to access [redacted] information for any [redacted] user | $250.00
2019-06-07 10:13:20 UTC | [redacted][IDOR] – Accessing all accounts via regression / new attack vector by abusing [redacted] (regression?) | $15,000.00
2019-05-22 19:33:27 UTC | SQLi and Authentication Bypass in [redacted] | $4,500.00
2019-04-29 14:14:42 UTC | Reflected XSS in [redacted] | $500.00
2019-04-29 14:14:29 UTC | SSRF in [redacted] | $1,500.00
2019-04-25 07:33:22 UTC | Local file disclosure through Rails CVE-2019-5418 in [redacted] | $100.00
2019-04-19 02:28:54 UTC | SSRF – [redacted] | $4,950.00
2019-04-19 02:28:35 UTC | SSRF at [redacted] via the ‘url’ parameter | $4,950.00
2019-03-29 11:23:14 UTC | AWS S3 secrets leaked in [redacted] meeting connector giving attackers write access to [redacted] | $364.50
2019-03-27 18:41:51 UTC | Subdomain takeover of [redacted] through Heroku | $750.00
2019-03-20 17:08:11 UTC | Reflected XSS in [redacted] | $500.00
2019-03-18 17:29:00 UTC | Reflected XSS in [redacted] | $500.00
2019-03-18 17:28:49 UTC | Reflected XSS in [redacted] | $500.00
2019-03-18 17:28:35 UTC | CVS Repos being leaked on [redacted], including username and password | $750.00
2019-03-18 15:35:10 UTC | Form on [redacted] leaks username and password for [redacted]/Wowza Streaming Server | $500.00
2019-03-15 15:08:35 UTC | Extract BCrypt pinCode, associated phone numbers and emails for any [redacted] | $5,000.00
2019-03-14 17:51:32 UTC | Multiple IDORs on [redacted] | $500.00
2019-03-14 17:51:18 UTC | Multiple persistent XSS vulnerabilities in [redacted] | $1,000.00
2019-03-14 17:51:02 UTC | Auth bypass on [redacted] & [redacted] allowing for full access to anonymous users (including private streams) | $1,000.00
2019-03-14 17:50:45 UTC | Slack Webhook Tokens leaked within JavaScript on [redacted] | $500.00
2019-03-11 23:06:12 UTC | Ability to send arbitrary Subject + HTML emails as verified [redacted] | $900.00
2019-03-04 21:58:43 UTC | WP-Engine Subdomain Takeover of [redacted] | $500.00
2019-03-04 19:04:59 UTC | Extract BCrypt pinCode, associated phone numbers and emails for any [redacted] | $500.00
2019-02-22 18:41:36 UTC | [redacted] | $8,000.00
2019-02-13 17:59:01 UTC | Ability to close down any [redacted] using an IDOR in [redacted] | $8,000.00
2019-02-07 00:05:37 UTC | HTML injection in the [redacted] signup flow on [redacted] | $500.00
2019-01-30 16:59:57 UTC | VHost header hopping on [redacted] allowing us to access MSSQL DB explorer | $1,900.00
2019-01-30 16:14:57 UTC | RCE on [redacted] via ObjectStateFormatter deserialization | $4,000.00
2019-01-30 16:13:00 UTC | ZIP file in webroot containing all source code and database of [redacted] | $3,000.00
2019-01-29 21:52:20 UTC | Multiple reflected XSS on [redacted] | $500.00
2019-01-29 17:54:05 UTC | Sensitive data exposure in debug file via [redacted] | $100.00
2019-01-23 16:09:32 UTC | Git repos disclosed on multiple [redacted] and [redacted] subdomains | $600.00
2019-01-22 23:02:09 UTC | Critical: Prod access to all [redacted] Admins and Employees – obtain all emails uuids and access to administrative actions | $4,500.00
2019-01-07 21:02:45 UTC | SSRF via [redacted] leads to internal network access, ability to read internal JSON responses | $23,000.00
2018-12-06 15:58:56 UTC | Reflected XSS in [redacted]/pay/alipay/wap.php | $400.00
2018-12-06 15:37:27 UTC | Reflected XSS in the JavaScript context on [redacted] via `http_referer` parameter | $400.00
2018-11-30 15:35:15 UTC | Django debug mode being enabled leads to Postgres password leaked on [redacted] | $500.00
2018-11-30 15:20:07 UTC | Ability to upload SWF files on [redacted] via CKFinder | $400.00
2018-11-30 15:08:41 UTC | [redacted] discloses sensitive information leading to customer data access via APIs | $800.00
2018-11-30 13:46:33 UTC | [redacted] Newsroom CMS (China) source code leaked on GitHub, with a WeChat secret – Leads to RCE on contractors machine | $200.00
2018-11-29 17:41:02 UTC | Bypassing email whitelists for organisation signup flows on [redacted] | $500.00
2018-11-29 15:29:00 UTC | Blind MSSQL Injection in [redacted] | $2,000.00
2018-11-28 15:02:39 UTC | Alipay Merchant RSA Private Key disclosed on [redacted] | $200.00
2018-11-21 16:58:25 UTC | Recursively obtain [redacted] UUIDs by exploiting [redacted] | $1,000.00
2018-11-20 22:19:04 UTC | API under [redacted] allows unauthenticated users to send messages to [redacted] Slack | $100.00
2018-11-15 10:13:13 UTC | Externally available MSSQL server for [redacted] reveals a large amount of data + local file read | $400.00
2018-11-02 20:18:53 UTC | Ability to adjust your own [redacted] order price [redacted] | $1,500.00
2018-10-24 14:40:13 UTC | Arbitrary File Upload Leading to Persistent XSS on [redacted] | $400.00
2018-10-24 10:36:13 UTC | Extract the details of every [redacted] User (name, openid, unionid, mobile, nickname, province, city, gender, bday) via [redacted] | $400.00
2018-10-22 14:26:23 UTC | Critical: Prod access to all [redacted] Admins and Employees – obtain all emails uuids and access to administrative actions | $500.00
2018-10-12 18:56:47 UTC | Unauthenticated XXE on [redacted]/OA_HTML/lcmServiceController.jsp | $166.67
2018-10-06 18:26:10 UTC | PhantomJS SSRF with ability to read full response via [redacted] AWS | $500.00
2018-09-30 00:29:08 UTC | Multiple issues with [redacted] (SSO bypass, Git repo with employee credentials, and broken application logic) | $2,000.00
2018-09-03 09:55:32 UTC | Multiple instances of error based MSSQL injection on `[redacted]` with access to 30 databases | $5,000.00
2018-09-03 09:15:04 UTC | RCE through arbitrary file upload via [redacted]/cms/Handler/kvimgupload.ashx | $3,000.00
2018-09-03 09:13:37 UTC | RCE through arbitrary file upload via [redacted]/staff/cms/Handler/toolsupload.ashx | $3,000.00
2018-09-03 09:03:06 UTC | MSSQL injection via [redacted]/incentive/report.aspx | $2,000.00
2018-08-30 17:52:47 UTC | Directory listing on [redacted] leads to Russian [redacted] PII and internal documentation/slide deck disclosure | $1,000.00
2018-08-28 07:07:34 UTC | Highly sensitive repos containing internal [redacted] application source and databases with over ~700 emails leaked | $800.00
2018-08-20 13:01:40 UTC | Server variables leaked on [redacted]/servvar.asp, also allowing for the ability to steal HTTPOnly cookies | $400.00
2018-08-14 17:08:24 UTC | 3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by Salesforce | $62.50
2018-08-13 18:25:52 UTC | DOM based XSS on [redacted] (works on all browsers) | $125.00
2018-08-12 07:04:32 UTC | [First 30] Blind SSRF at [redacted]/handle_pasted_images via fileURLs | $375.00
2018-08-10 06:36:30 UTC | [First 30] Accessible ca and secrets.enc file exposed on VPN – [redacted] | $1,250.00
2018-08-10 02:11:48 UTC | [first 30] Subdomain takeover [redacted] | $555.00
2018-08-09 08:08:16 UTC | Ability to obtain profile info and metadata (email, payments, account type, associations) for any [redacted] user if you know their UUID | $1,000.00
2018-08-09 07:39:29 UTC | Ability to bruteforce any [redacted] dashboard user without any rate limiting | $500.00
2018-08-09 05:56:38 UTC | Leaked promotion codes (including internal employee promotion codes) and employee UUIDs (containing payment profiles) on [redacted] | $1,000.00
2018-08-09 05:49:26 UTCAbility to obtain payment profiles and sensitive information of any [redacted] user if you know their UUID$1,000.00
2018-08-09 05:47:46 UTCAbility to obtain profile info and metadata (email, payments, account type, associations) for any [redacted] user if you know their UUID$2,000.00
2018-07-26 16:21:23 UTCReflected XSS on Jplayer.swf located on the [redacted] owned S3 bucket [redacted]$250.00
2018-07-19 18:46:43 UTCPOST based XSS via [redacted]/api/utils/signup$300.00
2018-07-11 22:48:23 UTC(Potential) IDOR in `/api/[redacted]` via [redacted]$500.00
2018-07-11 22:44:36 UTCAbility to enumerate [redacted] via `/api/[redacted]` on [redacted]$2,000.00
2018-07-06 06:53:19 UTCIncentives administration panel is accessible without auth, revealing a large number of users registered on [redacted]$800.00
2018-07-06 06:47:06 UTCRCE on [redacted] through arbitrary file upload$3,000.00
2018-07-06 06:40:07 UTCAuth bypass leading to administrative access to [redacted]/locationcms/ (can modify/delete/add anything)$800.00
2018-07-06 06:31:23 UTCMSSQL injection via [redacted]/locationcms/Template/StoreList.aspx$2,000.00
2018-07-02 12:08:16 UTCCritical issues on [redacted] (database credentials, entire application source code leaked and SQLi)$800.00
2018-06-28 20:17:38 UTCExtract payment method used (email or last 4 card no) through [redacted]$500.00
2018-06-22 15:48:11 UTCMultiple full-response SSRFs on [redacted] API `/api/utils/download-file` leading to internal access to [redacted] assets$3,250.00
2018-06-22 15:47:31 UTCMultiple full-response SSRFs on [redacted] API `/api/partner/[redacted]` leading to internal access to [redacted]$625.00
2018-06-16 19:14:30 UTCFacebook Submission [redacted]$500.00
2018-06-16 17:56:17 UTCFacebook Submission [redacted]$4,000.00
2018-06-16 17:55:00 UTCFacebook Submission [redacted]$5,000.00
2018-06-16 15:54:20 UTCFacebook Submission [redacted]$500.00
2018-06-16 15:10:50 UTCFacebook Submission [redacted]$500.00
2018-06-16 14:56:58 UTCFacebook Submission [redacted]$500.00
2018-06-16 14:38:05 UTCFacebook Submission [redacted]$3,000.00
2018-06-16 13:47:59 UTCFacebook Submission [redacted]$5,000.00
2018-06-16 13:27:27 UTCFacebook Submission [redacted]$500.00
2018-06-13 21:24:58 UTCStealing Zendesk admin credentials for [redacted] via [redacted]$2,250.00
2018-06-13 21:21:41 UTCAbility to receive a support call with the identity of another [redacted] store using an IDOR in [redacted]$1,500.00
2018-05-31 13:02:19 UTCIncorrect implementation of cloudflare on [redacted]$500.00
2018-05-26 17:51:18 UTCSSRF on [redacted] allows for access to internal hosts [redacted]$1,000.00
2018-05-26 16:52:38 UTC[first 30] – Stored XSS on [redacted] within the Roles dialog$1,206.00
2018-05-26 13:59:34 UTCSSRF on [redacted] allows for access to internal hosts [redacted]$1,728.00
2018-05-26 12:40:45 UTC[first 30] – EC2 IP of [redacted] is no longer controlled by [redacted]$216.00
2018-05-26 11:45:03 UTC[first 30] – Stored XSS on [redacted] within the Roles dialog$125.00
2018-05-26 09:10:39 UTCAbility to bruteforce the password of a current user without locking them out by using an active session$125.00
2018-05-25 13:34:24 UTC[redacted] owned Cisco 3750 on the external internet – bruteforcable via Telnet/SSH/HTTP [redacted]$250.00
2018-05-25 13:33:35 UTCTwo wordpress administration panels for [redacted] on WPEngine [redacted]$400.00
2018-05-23 21:59:17 UTCAWS secret key and other secrets (sessions) leaked on [redacted]$500.00
2018-05-02 12:35:46 UTCServer-side source code disclosed on [redacted]$250.00
2018-04-20 13:29:13 UTCExposed Rabbit-MQ administration panel located at [redacted]$250.00
2018-04-11 22:41:51 UTCMultiple vulnerabilities in [redacted] Russia Telegram bot API leading to significant [redacted] data being exposed$3,750.00
2018-04-05 21:07:29 UTCSensitive APIs discovered on [redacted] requiring no auth leading to AWS cloud data and user leakage (20k staff details leaked)$15,000.00
2018-04-05 21:06:52 UTCPostgres SQL Injection on [redacted] leading to potential AWS cloud account takeover$15,000.00
2018-03-23 22:29:19 UTCSecrets (CloudFront credentials, private keys, server settings) from config/secrets/secrets.json found on [redacted]$9,500.00
2018-03-22 15:33:20 UTCDjango admin panel exposed at [redacted]$250.00
2018-03-16 17:32:47 UTCMultiple vulnerabilities in [redacted] Russia Telegram bot API leading to significant [redacted] data being exposed$500.00
2018-03-09 17:01:55 UTCArbitrary origins trusted when making authenticated API calls to [redacted]$250.00
2018-03-09 16:58:16 UTCExposed Django Administration Panel @ [redacted]$750.00
2018-03-02 12:53:11 UTCExposed Django Administration Panel @ [redacted]$750.00
2018-03-02 12:48:41 UTCTaking over [redacted] owned domain [redacted] due to unclaimed Amazon S3 bucket$500.00
2018-02-28 22:48:14 UTCMultiple SQL injection vulnerabilities on [redacted]$2,500.00
2018-02-20 02:34:49 UTCSecrets (CloudFront credentials, private keys, server settings) from config/secrets/secrets.json found on [redacted]$500.00
2018-02-06 17:40:24 UTCP2P Referral Program Django Admin Panel @ [redacted]$250.00
2018-02-06 17:34:27 UTCSubdomain takeover of [redacted]$4,000.00
2018-01-31 23:17:37 UTCSubdomain takeover of [redacted] and [redacted] via Azure VMs$4,000.00
2018-01-31 14:59:44 UTCAWS credentials disclosure via SSRF in Atlassian Confluence [redacted]$2,500.00
2018-01-24 15:11:23 UTCPHP testing scripts and PHPMyAdmin exposed on the external internet on [redacted]:81$200.00
2018-01-05 07:00:59 UTCAWS key disclosure via SSRF on [redacted] leads to privileged AWS access$10,000.00
2018-01-04 13:05:48 UTCDomain/subdomain takeover of [redacted] via Azure$400.00
2018-01-04 13:04:15 UTC[redacted] pointing to an IP address no longer owned by [redacted]$200.00
2017-12-27 16:15:40 UTCAbility to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries$20,000.00
2017-12-11 17:46:11 UTCHTML Injection via Emails in company names on [redacted]$500.00
2017-12-11 17:41:39 UTCPersistent XSS on [redacted] via subdomain takeover$500.00
2017-11-28 15:57:33 UTCAbility to write to [redacted] due to misconfigured S3 ACLs$400.00
2017-11-24 11:32:26 UTCELMAH exposed on [redacted] exposing usernames, session details, sensitive information$800.00
2017-11-21 00:48:14 UTCAbility to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries$2,500.00
2017-11-14 18:30:11 UTCAbility to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries$500.00
2017-11-13 23:43:58 UTCPersistent XSS on [redacted] via subdomain takeover$500.00
2017-10-23 11:10:21 UTCOpenVPN administration panel exposed for [redacted]$250.00
2017-10-02 23:33:44 UTCNo rate limiting enforced on [redacted] allowing for the ability to bruteforce event promo codes$1,150.00
2017-08-29 16:33:52 UTC███████████$5,000.00
2017-08-29 16:33:19 UTC██████████████$5,000.00
2017-08-29 16:32:25 UTC████████$1,500.00
2017-08-29 16:32:04 UTC██████████$1,500.00
2017-08-29 16:31:24 UTC████████████$500.00
2017-08-29 16:31:04 UTC████████████$500.00
2017-08-29 16:30:45 UTC█████████$500.00
2017-08-29 16:30:25 UTC████████████$500.00
2017-08-29 16:30:05 UTC██████████$500.00
2017-08-29 16:29:44 UTC████████████$500.00
2017-08-29 16:29:22 UTC█████████████$500.00
2017-08-29 16:29:00 UTC█████████████$500.00
2017-08-29 16:28:34 UTC█████████████████$500.00
2017-08-29 16:28:04 UTC███████████$500.00
2017-08-29 16:27:16 UTC███████████$100.00
2017-08-29 16:26:58 UTC███████████$100.00
2017-08-02 22:55:34 UTCSource code disclosure (including current MySQL DB creds) for https://[redacted]$1,000.00
2017-08-02 22:55:18 UTCPotential second order RCE on https://[redacted]$9,000.00
2017-08-02 22:53:54 UTCSQL Injection in https://[redacted]/job.php$2,000.00
2017-08-02 22:53:40 UTCSQL Injection in https://[redacted]/detail.php$2,000.00
2017-08-02 22:53:16 UTCSQL Injection in https://[redacted]/controls/PE/loaddata.php$2,000.00
2017-07-28 12:58:25 UTCDeep dive into [redacted] crash dump reporting tool – Persistent XSS + Downloading all crash dumps – [redacted]$2,000.00
2017-07-20 01:19:28 UTCExposed [redacted] statistics/administration panel$500.00
2017-07-20 01:18:15 UTCAbility to enumerate and bruteforce user accounts on [redacted]$400.00
2017-07-18 00:28:37 UTCGit repository access on QA machines on [redacted] and [redacted] exposing source code and production secrets$10,000.00
2017-07-14 23:00:16 UTCStored cross-site scripting on exposed development server @ [redacted]$300.00
2017-06-09 10:13:30 UTCAbility to submit bugs on behalf of other users on the [redacted] environments for [redacted]$250.00
2017-06-05 09:42:55 UTCAdmin access to Grafana instance with Credential Disclosure$500.00
2017-06-02 09:32:33 UTCWordPress Database Credentials Leakage + Find and replace MySQL tool (searchreplacedb2.php) on [redacted] + MySQL root password$1,000.00
2017-05-12 11:20:10 UTCPrevent [redacted] users from using their own VK account on [redacted]$1,000.00
2017-05-12 11:19:28 UTCOpen admin panel / Multiple WordPress related issues on [redacted]$250.00
2017-05-12 11:18:36 UTCURL Redirection flaw affecting [redacted] official login flow [redacted]$600.00
2017-05-12 11:11:24 UTCTomcat Manager left enabled on [redacted] (authentication required – exposed admin interface)$250.00
2017-05-12 11:09:23 UTCAbility to upload arbitrary files to the [redacted] S3 bucket via signed Amazon requests [redacted]$1,500.00
2017-05-12 11:07:07 UTCOpen administrative interface at [redacted] for [redacted]$500.00
2017-05-04 00:25:09 UTCArbitrary file write and remote command exection on [redacted]$9,500.00
2017-05-04 00:24:11 UTCLocal file disclosure on [redacted]$2,000.00
2017-05-04 00:22:00 UTCMySQL Injection on [redacted] Drupal endpoint [redacted], potentially able to escalate$9,500.00
2017-04-21 04:00:55 UTCCritical 2nd instance of SQL injection (no authentication required) on [redacted]$1,000.00
2017-04-21 04:00:00 UTCPersistent XSS + CSRF via [redacted]$250.00
2017-04-21 03:59:44 UTCMultiple reflected XSS on [redacted]$200.00
2017-04-21 03:57:58 UTCReflected XSS via video-js.swf on [redacted]$500.00
2017-04-21 03:57:44 UTCReflected XSS via copy_csv_xls_pdf.swf on [redacted]$500.00
2017-04-21 03:57:26 UTCReflected XSS via flowplayer-3.2.16.swf on [redacted]$500.00
2017-04-21 03:47:11 UTCSource code disclosure through Git repo exposed on [redacted]/subs/.git/config$1,000.00
2017-04-18 12:51:50 UTCDjango debugging mode enabled on [redacted]$250.00
2017-04-18 12:47:29 UTCFully controllable SSRF on [redacted] allowing for GET/POST to internal resources$17,500.00
2017-04-17 23:09:26 UTCBuilding control system (Niagara) and 4g CradlePoint router externally exposed for [redacted] Pittsburgh office$500.00
2017-04-14 15:07:24 UTCNo rate limiting enforced on [redacted] allowing for the ability to bruteforce event promo codes$500.00
2017-04-14 03:13:46 UTCRCE on [redacted] after bruteforcing valid credentials$9,600.00
2017-04-14 03:11:38 UTCLocal file disclosure and SSRF in [redacted]$3,100.00
2017-04-14 03:08:36 UTCSQL injection on [redacted]$1,100.00
2017-04-11 17:36:38 UTCupdateUserInfo RPC endpoint IDOR on [redacted] (view/update any users details via UUID)$3,000.00
2017-03-30 00:53:31 UTC3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by [redacted]$150.00
2017-03-21 19:31:45 UTCPHPInfo debug scripts exposed on [redacted] and [redacted]$150.00
2017-03-03 11:03:03 UTCXSS on [redacted] through uploading SWFs as JPG$1,800.00
2017-03-03 11:01:13 UTCXSS on [redacted] due to WordPress vulnerability$2,000.00
2017-03-01 20:58:14 UTCAbility to bruteforce users on [redacted] confluence via bypassing route redirections$3,000.00
2017-02-24 10:43:41 UTCAccount bruteforce bug for [redacted] users$500.00
2017-02-24 10:43:09 UTC[redacted] vulnerable to IIS short name disclosure$250.00
2017-02-17 11:48:41 UTC[redacted] vulnerable to IIS short name disclosure$250.00
2017-02-17 11:46:10 UTCWordPress admin bruteforce and interface through XMLRPC.php on [redacted]$1,000.00
2017-01-24 00:05:33 UTCSubdomain takeover of [redacted] through$110.00
2017-01-20 10:26:53 UTCReflected XSS via flashmediaelement.swf on [redacted]$2,000.00
2017-01-19 23:07:35 UTCAbility to bruteforce [redacted] accounts using associated mobile number via [redacted]$3,300.00
2017-01-17 23:24:01 UTCAbility to bruteforce [redacted] active directory through [redacted]$300.00
2017-01-11 01:37:53 UTCAbility to bruteforce [redacted] active directory through [redacted]$3,000.00
2016-12-23 21:02:39 UTCExposed git repository on [redacted] reveals all application source code, including 1k user plain text passwords + db info$4,000.00
2016-12-20 06:56:47 UTCPublicly accessible sign up for Rocket Chat leading to potential breach of internal employees$50.00
2016-12-16 10:46:58 UTCExpired domain referenced in iframe elements on [redacted]$1,000.00
2016-12-09 11:22:13 UTCInformation disclosure – subdomain leaks internal host via DNS$250.00
2016-12-09 11:21:36 UTCAccount bruteforce bug on [redacted]$750.00
2016-12-09 11:20:18 UTCCritical – Perform administrative actions via an IDOR on [redacted] – Manipulation of the leaderboard and more$500.00
2016-12-09 11:16:50 UTC[redacted] Administration Panel [redacted]$750.00
2016-12-09 11:15:00 UTCSubdomains [redacted] pointing to EC2 instance owned by LucidPress (*$750.00
2016-12-09 11:13:10 UTCPage takeover of [redacted]/ru/page/cosplay_contest due to expired Wufoo form$750.00
2016-12-09 10:57:37 UTCPublicly accessible *admin* access to AWS auditing tool used by [redacted]$15,000.00
2016-11-29 10:49:02 UTCAbility to map arbitrary IDs with [redacted] players via [redacted]$750.00
2016-11-29 10:48:37 UTCInfo Disc. of Internal Docker Instance$250.00
2016-11-28 14:10:40 UTCInformation disclosure (internal IP addresses of all workers, memory usage, status) for [redacted]$250.00
2016-11-18 11:52:25 UTCSQL Injection on [redacted] leading to full administrative access$5,000.00
2016-11-18 11:49:29 UTCPersistent cross-site scripting/partial arbitrary file upload on [redacted]$3,000.00
2016-11-18 11:47:47 UTCPartial Git repo information found on [redacted]$250.00
2016-11-07 18:18:41 UTCPotential dangling subdomain record [redacted] for thismoment’s SaaS tool$2,000.00
2016-11-04 17:04:57 UTCWeird Reflected XSS on [redacted]$750.00
2016-11-04 16:50:25 UTCReflected cross-site scripting on [redacted]$1,200.00
2016-11-03 11:58:18 UTCSubdomain takeover of [redacted] via dangling CloudFront CNAME$250.00
2016-10-31 15:46:05 UTCPublic read/write to Amazon S3 bucket [redacted] allowing for ability to replace Android [redacted] APKs and subdomain takeover$200.00
2016-10-24 19:35:37 UTCX-Forwarded-For bypasses to access debugging pages across multiple [redacted] hosts$1,000.00
2016-10-13 17:25:36 UTCSubdomain takeover of [redacted] leading to Starbucks account takeovers via cookie stealing$1,000.00
2016-10-13 17:24:47 UTCSubdomain takeover of [redacted] due to expired Auzre traffic manager endpoint$1,000.00
2016-10-13 17:22:22 UTCDangling DNS CNAME record for the domain [redacted] pointing to [redacted]$2,000.00
2016-10-13 17:03:25 UTCSymfony app_dev.php found on [redacted] – Profiler is enabled and accessible by anyone$1,000.00
2016-10-10 23:49:06 UTCExposed administration interfaces for [redacted] infrastructure/third party applications$100.00
2016-09-19 19:35:18 UTCSensitive information leaked via X-Forwarded-For header spoofing on [redacted]$500.00
2016-09-13 20:44:44 UTCSubdomain takeover of [redacted] via Amazon S3 buckets$100.00
2016-09-07 18:03:11 UTCSubdomain takeover of [redacted] due to expired Auzre traffic manager endpoint$1,000.00
2016-09-04 00:38:19 UTCInsecure S3 bucket [redacted] leading to the takeover of critical assets [redacted]$1,000.00
2016-09-01 21:21:44 UTCSubdomain hijack of [redacted] through Unbounce Pages$100.00
2016-08-31 20:32:42 UTCSubdomain takeover of [redacted] leading to [redacted] account takeovers via cookie stealing$1,000.00
2016-08-31 12:56:29 UTC[Critical] Blind XSS in the [redacted] administration panel leading to full access of administration panel$250.00
2016-08-31 01:33:12 UTCMultiple critical risk vulnerabilities affecting Accellion Kiteworks on [redacted]$3,000.00
2016-08-30 18:00:10 UTCReflected Cross-site Scripting on [redacted] due to unpatched Confluence$50.00
2016-08-29 16:15:09 UTCSubdomain takeover possible on [redacted] through Uservoice Feedback SaaS$25.00
2016-08-23 17:06:26 UTCSubdomain takeover of [redacted] through Heroku$50.00
2016-08-23 15:43:27 UTCPersistent cross-site scripting on event pages created on [redacted]$75.00
2016-08-17 19:20:34 UTCSubdomain takeover of [redacted]$200.00
2016-07-30 13:56:21 UTCSubdomain hijack of [redacted] due to expired S3 bucket [redacted]$25.00
2016-07-26 20:35:16 UTCMultiple source code repositories, private internal documents and config from [redacted]$350.00
2016-07-25 21:01:07 UTCServer-side request forgery allowing for the ability to contact internal [redacted] AWS hosts such as ElasticSearch and Staging instances$3,000.00
2016-07-14 01:27:21 UTCSubdomain Takeover [redacted] via Heroku$100.00
2016-07-14 00:40:57 UTCSubdomain no longer controlled by [redacted]$100.00
2016-07-14 00:29:42 UTCSubdomain no longer controlled by [redacted]$100.00
2016-07-11 14:18:03 UTCSubdomain hijack of [redacted] (WP-Engine)$1,000.00
2016-07-04 02:15:08 UTCSubdomain hijack of [redacted] via Vagrant Share$100.00
2016-07-04 02:13:59 UTC3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by [redacted]$100.00
2016-07-01 09:29:53 UTCOpen administration panel with no authentication (full access) – [redacted]$500.00
2016-06-24 19:06:43 UTCSubdomain hijack of [redacted] (WPEngine #2)$1,000.00
2016-06-17 10:15:30 UTCOpen Remote bruteforcable MySQL login on [redacted]$750.00
2016-06-13 15:22:23 UTCPassword based bruteforcable SSH server on [redacted]$250.00
2016-06-03 10:22:34 UTCAdministration Panel Access (no auth required) to the [redacted]$3,000.00
2016-06-03 10:21:53 UTCMultiple issues on [redacted] with the Django Rest API [Info disc, Priv Esc, IDOR]$500.00
2016-05-20 12:43:21 UTCMinor information disclosure on [redacted] (project details and gitignore)$250.00
2016-05-20 12:41:34 UTCPartial page takeover again on [redacted]$1,000.00
2016-05-18 18:18:11 UTCLeaked FTP credentials for [redacted] => persistent XSS, uploading of files, SOP bypass$800.00
2016-05-13 10:10:21 UTCNine open administrator panels exposed on [redacted]$1,500.00
2016-05-13 10:09:19 UTCSubdomain takeover of [redacted] leading to the takeover of multiple pages on [redacted]$2,500.00
2016-05-13 10:08:42 UTCCSRF & Arbitrary file upload vulnerability to a [redacted] owned s3 bucket$500.00
2016-05-06 10:00:26 UTCOpen Joomla administration panel for the [redacted] application on [redacted]$500.00
2016-05-06 09:58:21 UTCThree instances of reflected XSS on https://[redacted]$2,000.00
2016-04-26 09:47:31 UTCReflected XSS on [redacted] via ZeroClipboard$1,750.00

I can tell you that the exact amount made, after calculating all of the payouts in the table above, is $635,387.47, made in 1590 days (4 years, 4 months). This is not the total amount I have made all-time in bounties. This figure only includes the HackerOne platform; no other platforms that I have submitted bugs to have been counted in this blog post. I report the vast majority of my bugs to programs on HackerOne.

I know hackers in the bug bounty community that are capable of making hundreds of thousands within weeks or months. Sadly, that’s not me, but I do find them inspiring. As I said earlier in this blog post, I came to terms with the fact that there are better hackers out there, and these days, I am proud to sit at rank 43rd on HackerOne at the time of writing this.

If you divide the amount of money by the number of days, you will quickly work out that it averages out to roughly $400 USD a day. I could have been earning this amount or more by working as a consultant with a high day rate, but the difference is, I made all of the ~635k on my own terms.

I worked when and where I wanted to and didn’t touch a bounty program for weeks if I wasn’t feeling up to it.

There were at least 62 bugs in the table above that were the direct result of automation. This accounts for 18% of the total number of bugs I reported in the last 4 years. This is a pretty interesting takeaway, and proves to me that automation is one of the facets that leads to success in finding security issues.

These companies paid me quite a lot of money in order to lock down their attack surfaces. While earning this money and learning new techniques along the way, we built as much of the workflows, techniques, tooling and methodologies as we could into Assetnote. We found that by translating bug bounty success into a more digestible enterprise product, we were able to establish ourselves as a key player in the attack surface management space.

Today, we have a strong customer base that uses our product not only to find exposures immediately as they happen, but also, more creatively, to reduce their bug bounty spend by not paying for issues that can be found through automation. Assetnote’s platform has been thoroughly tested against attack surfaces over the last four years of my bug bounty hunting, and is capable of continuously finding security vulnerabilities.

A majority of the bugs were only possible due to automated asset discovery, but still required some manual inspection and exploitation. Large scale asset identification is still a key pillar of my success.

In terms of criticality, there were 24 SQLi’s, 22 SSRFs, 20 IDORs, and at least 11 RCEs.

I focused my time mainly on Uber as I simply enjoyed it more and valued the team working there – first with Matthew Bryant, Collin Greene and then with Joel Margolis after Matt and Collin had left.

For the four years of hacking on Uber, I was able to come up with a methodology when approaching their assets by having a deep understanding of their architecture and development practices. This was absolutely key to my success, and I’m sure other successful bug bounty hunters have a specific way they approach a program. Every company is different when it comes to hacking them.

Throughout these four years, I collaborated with and learnt a lot from (in no particular order):

  • Andre – we owned [redacted] together through ObjectStateFormatter deserialization

I came across a host and, using all of my techniques for attacking .NET applications, I was able to find a few serious issues, but not command execution. At the time, research was released around how it is possible to achieve RCE through the VIEWSTATE parameter, via insecure deserialization, if you have the machineKey.

I enlisted Andre to help, and he was able to not only successfully leak the machineKey, but also was one of the first people to create a tool to exploit this vulnerability.

Andre’s heavy experience in CTFs was key to our success in this collaboration.

  • Joel – we owned Facebook together through an XXE in a vendor product

I asked Joel for help when I was reversing a vendor product that Facebook had put up on their attack surface, under one of their corporate domains.

I was able to get the source code of this product by spinning up an AMI from Amazon’s Marketplace and then getting a shell on the deployed instance. However, when trying to debug a tricky potential XXE through XSDs, I wasn’t able to go further by just reading the source code.

I didn’t know why my exploits weren’t working.

Joel’s experience when it came to Java was key to our success here. He decompiled the jar files, created an IntelliJ project and fixed all of the errors. Then we started debugging it step by step.

It was an absolute pleasure watching Joel work this out and I look forward to collaborating with him in the future.

  • Naffy – for helping me understand the best attack against Yahoo’s attack surface is persistence

I’ve known Naffy for almost a decade now, and the biggest thing I have taken away from him is that any attack surface can be broken into given enough time and effort. In the early days of bug bounties, Naffy was dominating the leaderboard for Yahoo’s bounty program – due to this he has a lot of experience with large attack surfaces.

Yahoo, now owned by Verizon, has an incredible amount of infrastructure and assets deployed on the internet. However, the noise on the attack surface is ridiculous to deal with.

What Naffy showed me was that with enough persistence and time, things break, and we have to be watching closely to capitalise on that.

  • Sean – I’ve lost count of the number of things we have owned together

Every time I have been in a tricky situation where I struggle with exploiting an issue due to technical complexities or lack of knowledge, Sean has been the one to push through and help develop proof-of-concept exploits.

Sean has been able to translate high-risk security issues into automation very successfully and it has led to a lot of vulnerabilities that we have disclosed together.

  • Oscar – I did a lot of collaboration on bounties with Oscar while I was at Bishop Fox

I used to talk with Oscar daily when I was at Bishop Fox. Oscar played a huge role when it came to showing me how to hyper-optimise the speed at which DNS bruteforcing is possible.

While I worked with him, I found him to be incredibly switched on and most of all, a kind person. He has contributed to many bounty successes while I was working at Bishop Fox.

  • Huey – we fine tuned my methodology on Uber together

JavaScript source maps are a brilliant way to better understand the internals of any client-side application. I look for source map files now every time I find JavaScript files, and that is thanks to Huey.

On Uber, we have used sourcemap files to better understand the GraphQL queries and API endpoints that are being used by Uber applications, to further exploit them. I have a better understanding of JavaScript thanks to Huey.

  • Anshuman – we audited source code together for a PayPal live hacking event

For a recent live hacking event, we took apart the CMS called PencilBlue as it was being used by a particular target. Together, we had a blast auditing the source code, beating each other to different flows in the application source code and bonding over the speed at which we approach attack surfaces.

  • Rhys – he helped me convert a stolen secret into an account takeover

At a live hacking event, I discovered credentials such as secret keys that were leaked through Google’s cached pages. A development asset which printed all of the environment variables and secrets in plain text was being proxied through ngrok, and Google had managed to not only index, but cache it, with all of the secrets in place.

After stealing these secrets from the cached copy, I asked Rhys to help me prove impact. He definitely delivered, by converting the tokens I stole into an interactionless account takeover. Rhys is also very switched on. He won that live hacking event by miles.

We gained access to Mozilla’s internal AWS network by exploiting WebPageTest.
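For the source map point above (Huey): an added example, not code from this post or from Assetnote, showing the check a team can run on its own production `.map` files to see which original file paths, API paths and GraphQL operation names they give away. The map, its paths and operations are constructed sample data.

```python
"""Audit what a JavaScript source map exposes before it ships.

Added example, not code from the original post or from Assetnote. A
revision-3 source map carries "sources" (original file paths) and often
"sourcesContent" (the original code). This walks both and pulls out the
things the post says source maps gave away: API paths and GraphQL operation
names. The map, paths and operations below are constructed sample data.
"""
import json
import re

# Constructed sample .map as a bundler would emit it (mappings shortened).
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "app.min.js",
    "sources": [
        "webpack:///src/api/client.js",
        "webpack:///src/graphql/queries.js",
        "webpack:///node_modules/lodash/lodash.js",
    ],
    "sourcesContent": [
        "export const BASE = '/api/v2';\n"
        "export const trips = (id) => fetch(`${BASE}/trips/${id}`);\n"
        "export const admin = () => fetch('/internal/admin/users');\n",
        "export const GET_RIDER = gql`query GetRider($id: ID!) "
        "{ rider(id: $id) { email phone } }`;\n"
        "export const PROMO = gql`mutation ApplyPromo($code: String!) "
        "{ applyPromo(code: $code) { ok } }`;\n",
        None,  # third-party code: content omitted by the bundler
    ],
    "mappings": "AAAA",
})

# Quoted literal paths under /api or /internal (paths built from template
# literals such as `${BASE}/trips` are not caught; resolve BASE by hand),
# and GraphQL operation headers.
API_PATH = re.compile(r"""['"`](/(?:api|internal)/[A-Za-z0-9_./${}-]*)['"`]""")
GQL_OP = re.compile(r"\b(query|mutation|subscription)\s+([A-Za-z_]\w*)")


def audit_source_map(map_text: str) -> dict:
    """Summarise the first-party material a source map reveals."""
    smap = json.loads(map_text)
    sources = smap.get("sources", [])
    contents = smap.get("sourcesContent") or [None] * len(sources)
    api_paths = set()
    gql_ops = set()
    first_party = []
    for src, body in zip(sources, contents):
        if "node_modules" in src:
            continue  # vendored code is public anyway
        first_party.append(src)
        if not body:
            continue
        api_paths.update(API_PATH.findall(body))
        gql_ops.update(f"{kind} {name}" for kind, name in GQL_OP.findall(body))
    return {
        "first_party_sources": first_party,
        # True when the map embeds original code, not just file names
        "ships_source": any(body for body in contents),
        "api_paths": sorted(api_paths),
        "graphql_operations": sorted(gql_ops),
    }


if __name__ == "__main__":
    print(json.dumps(audit_source_map(SAMPLE_MAP), indent=2))
```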

There are probably more people that I worked with over the years, but I cannot immediately recall. My point to you is that collaboration has been really important when it comes to growth and success in bug bounties.

Also, please don’t just ask someone to hack something for you. In all of the cases above, the reason why collaboration was so successful was because the initial triage was done by one party or the other. There was always an initial foothold or concept that was shared out of trust, which then led to actual collaboration on the issue. Don’t expect that people are going to exploit things for you without presenting at least half the exploit chain or idea.

As I’ve talked about previously in this presentation, my methodology still revolves around the identification of assets belonging to an organization on the internet.

The speed of asset identification and content discovery has increased tremendously. This is partially due to the fundamental shift in the security scene from writing tools in Python, to writing them in Golang or Rust, due to the speed benefits they entail.

We have also adopted this trend at Assetnote, and key components of our platform, such as our in-house DNS resolver, have been re-written and optimized in Rust by Huey to take advantage of the speed it brings.

The one thing I have noticed when it comes to analysing an attack surface is making sure that your tools output information in a way that highlights relationships. For example, the output of most fast DNS bruteforcing tools simply sucks. Here’s how I prefer DNS data to be laid out – something that tracertea shared with me: each result on its own line as a source -> destination chain.

When you are looking at thousands of assets at once, you have no idea how much of a difference this optimisation can make. I can immediately recognise the relationships between the source and destination when it comes to analysing this DNS data.
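As an added example (not code from this post or from Assetnote), here is one way to produce that source -> destination layout from a resolver's flat output. The hostnames and addresses are constructed, and the same chain walk also flags names whose chain never reaches an address, which is the shape behind the dangling-record findings in the table above.

```python
"""Lay out DNS brute-force output as source -> destination chains.

Added example, not code from the original post or from Assetnote. It takes
the flat "name type target" lines a fast resolver emits and prints one chain
per name, so CNAME hops and their terminal address sit on one line; a chain
that never reaches an address is flagged, since that is the shape of a
dangling record. Hostnames and addresses below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample resolver output (example.com / .test names, RFC 5737 IPs).
SAMPLE_RECORDS = """\
www.example.com CNAME edge.example.com
edge.example.com A 203.0.113.10
blog.example.com CNAME example-blog.wpengine.test
shop.example.com CNAME d111111abcdef8.cloudfront.test
d111111abcdef8.cloudfront.test A 198.51.100.7
api.example.com A 203.0.113.20
api.example.com A 203.0.113.21
old.example.com CNAME www.example.com
"""


@dataclass
class Zone:
    """Records collected from the resolver, keyed by lower-cased owner name."""
    cnames: dict[str, str] = field(default_factory=dict)
    addresses: dict[str, list[str]] = field(default_factory=dict)


def parse_records(text: str) -> Zone:
    """Parse 'name type target' lines; unknown record types are ignored."""
    zone = Zone()
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        name = parts[0].lower().rstrip(".")
        rtype = parts[1].upper()
        target = parts[2].lower().rstrip(".")
        if rtype == "CNAME":
            zone.cnames[name] = target
        elif rtype in ("A", "AAAA"):
            zone.addresses.setdefault(name, []).append(target)
    return zone


def chain_for(zone: Zone, name: str, max_hops: int = 8) -> tuple[list[str], str]:
    """Follow CNAMEs from `name`.

    Returns (hops, status): 'resolved' when the last hop has an address
    record, 'dangling' when the chain ends at a name with no record in the
    collected data, or 'loop' on a CNAME cycle / too many hops.
    """
    hops = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        if current in zone.addresses:
            return hops, "resolved"
        nxt = zone.cnames.get(current)
        if nxt is None:
            return hops, "dangling"
        hops.append(nxt)
        if nxt in seen:
            return hops, "loop"
        seen.add(nxt)
        current = nxt
    return hops, "loop"


def layout(zone: Zone) -> list[str]:
    """One 'src -> hop -> ... -> ip' line per name; unresolved chains flagged."""
    lines: list[str] = []
    for name in sorted(set(zone.cnames) | set(zone.addresses)):
        hops, status = chain_for(zone, name)
        if status == "resolved":
            for ip in zone.addresses[hops[-1]]:
                lines.append(" -> ".join(hops + [ip]))
        else:
            lines.append(" -> ".join(hops) + f"  [{status.upper()}]")
    return lines


def dangling_names(zone: Zone) -> list[str]:
    """Names whose CNAME chain never reaches an address: review these for
    takeover exposure (the target may be an unclaimed SaaS or cloud resource).
    'Dangling' here means absent from the collected data; a production check
    must also query the target externally before raising an alert."""
    return [n for n in sorted(zone.cnames) if chain_for(zone, n)[1] == "dangling"]


if __name__ == "__main__":
    z = parse_records(SAMPLE_RECORDS)
    print("\n".join(layout(z)))
    print("dangling:", dangling_names(z))
```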

It’s surprising that something so simple has had such a profound effect on me, but the same goes for color coding when displaying content discovery results. Most tools still lack in this area, and anyone who has had to spend the time combing through thousands of content discovery results will tell you that the task gets tiring quickly. Ultimately, I spend my time finding needles in haystacks, and colors make it so much easier.

When it comes to methodology, the program that has had the most profound effect on me is Uber, due to the ever changing attack surface.

In the four years, Uber has changed how they develop their software and deploy it. It has been extremely important to keep up with this and constantly reflect on the methodology being used to pierce through an attack surface. The continuous assessment of assets on the internet has been very effective against large attack surfaces in particular.

Attack surfaces are alive, evolving and complex at times.

When I first started hacking on Uber, I would see services such as Redis and HAProxy (admin panel) being exposed directly to the internet. I considered this to be an immature attack surface at the time as it was trivial to discover these security misconfigurations. But over the years, wow have they evolved.

These days, you simply will not find exposed services like Redis on Uber’s core attack surface, and this is a direct reflection of their processes and practices maturing internally when it comes to application security, and in a wider picture, their entire attack surface.

Instead, all of Uber’s internal and sensitive assets are routed to OneLogin at the DNS level. There have been cases where sensitive assets have slipped through the cracks and did not have OneLogin protecting them, but again, this is why monitoring attack surfaces continuously is so important.

Who knows? Someone could accidentally disable OneLogin protecting their assets for a short period of time, or spin up a sensitive asset that does not enforce OneLogin. Maybe because they are trying to test some changes, maybe because they don’t realise what they are doing.

I can confirm that the continuous monitoring of assets for security exposures is a core part of my methodology, and it is also the reason why we baked it into Assetnote from the start.
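As an added illustration of that continuous check (example code, not Assetnote’s platform), the following Python classifies each sensitive host by whether its front door still redirects to the SSO gate and diffs two monitoring runs, so that a dropped gate or a newly seen ungated host raises an alert. The `.onelogin.com` suffix, the hostnames and the responses are constructed assumptions; in real use the injected fetcher would make the request without following redirects, since the redirect itself is the evidence.

```python
"""Detect sensitive hosts that stopped redirecting to the SSO gate.

Added example, not Assetnote's code. The fetcher is injected so the check
runs offline against constructed responses; the SSO host suffix, hosts
and responses are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

SSO_HOST_SUFFIX = ".onelogin.com"   # assumed: every sensitive asset should bounce here


@dataclass
class Response:
    status: int
    headers: Dict[str, str]


Fetcher = Callable[[str], Optional[Response]]   # returns None on connection failure


def classify(host: str, fetch: Fetcher) -> str:
    """'sso' if the root URL redirects to the gate, 'unreachable' if the
    fetch failed, otherwise 'exposed' (served without the gate)."""
    resp = fetch(f"https://{host}/")
    if resp is None:
        return "unreachable"
    if 300 <= resp.status < 400:
        # Parse the hostname rather than substring-matching the whole URL,
        # so a redirect to "https://other.example/onelogin.com" does not pass.
        target = urlparse(resp.headers.get("Location", "")).hostname or ""
        if target.endswith(SSO_HOST_SUFFIX):
            return "sso"
    return "exposed"


def snapshot(hosts: List[str], fetch: Fetcher) -> Dict[str, str]:
    """State of every host in one monitoring run."""
    return {h: classify(h, fetch) for h in hosts}


def diff_states(previous: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(host, old_state, new_state) for every change; unseen hosts are 'new'."""
    return [(h, previous.get(h, "new"), s)
            for h, s in sorted(current.items()) if previous.get(h, "new") != s]


def alerts(changes: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Page only on hosts that are now serving without the gate."""
    return [c for c in changes if c[2] == "exposed"]


# Constructed responses for two monitoring runs.
GATE = Response(302, {"Location": "https://example.onelogin.com/login"})
RUN_1 = {"https://admin.internal.example.com/": GATE,
         "https://metrics.internal.example.com/": GATE}
RUN_2 = {"https://admin.internal.example.com/": GATE,
         "https://metrics.internal.example.com/": Response(200, {"Content-Type": "text/html"}),     # gate dropped
         "https://staging-db.internal.example.com/": Response(200, {"Content-Type": "text/html"})}  # spun up ungated
HOSTS_1 = ["admin.internal.example.com", "metrics.internal.example.com"]
HOSTS_2 = HOSTS_1 + ["staging-db.internal.example.com"]


def run_demo() -> List[Tuple[str, str, str]]:
    """Compare the two constructed runs and return what should be alerted on."""
    before = snapshot(HOSTS_1, RUN_1.get)
    after = snapshot(HOSTS_2, RUN_2.get)
    return alerts(diff_states(before, after))


if __name__ == "__main__":
    for host, old, new in run_demo():
        print(f"ALERT {host}: {old} -> {new}")
```

The diff is what turns a one-off scan into monitoring: the interesting signal is the transition from `sso` to `exposed`, not the absolute state, and the second run also catches the asset that was never in the previous inventory at all.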

Not included in this blog post is all of the work I put into the United Airlines bug bounty, and due to the terms and conditions of their bounty program, I cannot go into much detail, but I can say that their attack surface has helped me hone my skills in .NET application security testing.

When I initially looked at an IIS server four years ago, I wouldn’t know where to start. These days, I have a methodology that has proven to be extremely successful when it comes to IIS servers in general.

Due to this and so much more that I do when I am approaching attack surfaces, I plan on releasing more videos on our YouTube channel over the next year. Please subscribe if you haven’t already 🙂

Assetnote’s Continuous Security Platform puts the power of automated reconnaissance and large scale asset identification in the hands of security teams around the world, so that they can replicate our methodologies and successes. Knowing what assets and exposures an attack surface has is key to locking it down, and we do our best to help security teams from all over the world with this.

If you work at a business that could use help with identifying and monitoring your assets, please reach out to us.

13 Expert-Recommended Tricks For Accelerating Your Online Growth


For online businesses, a high-performing website that encourages engagement and conversions is the key to successful growth. It often takes time to build up a steady stream of website visitors and consistent buyers. However, there are some things you can do to help accelerate the process.

If you want to scale your site visits and engagement, try these 13 growth hacks recommended by the experts of Young Entrepreneur Council.

Young Entrepreneur Council members suggest using these tips to boost your online growth.

Photos courtesy of the individual members.

1. Focus On SEO

Search engine optimization is a great way to increase your online presence and drive people to your website organically. SEO is effective because you sprinkle in special keywords in the written content on your site. Those keywords will in turn drive people to your site because they use the same exact keywords when searching for something on Google. – Patrick Barnhill, Specialist ID, Inc.

2. Run A/B Tests

Lower your customer acquisition costs through multiple rounds of A/B testing. Once you’ve hit your targeted acquisition rate, deploy large amounts of marketing capital through that funnel. This has proven to be effective because, as you begin to understand your target audience, it becomes easier to predict their behaviors and tendencies. – Jordan Edelson, Appetizer Mobile LLC

3. Launch Retargeting Campaigns

Launching retargeting campaigns as part of your online growth strategy is one of the most effective approaches. In fact, it often achieves greater results and exceeds conversion rates of regular advertisements. Retargeting allows you to focus on shoppers with high intent to purchase, in addition to decreasing acquisition cost. – Blair Thomas, eMerchantBroker

4. Develop Comprehensive Customer Personas

I think the key to website success is developing comprehensive customer personas. You’re going to have a hard time growing your business if you’re not sure who to target. Review your website analytics and feedback forms so you can learn more about the people that frequent your website. Use this information to create compelling content and offers that are geared towards those users. – John Turner, SeedProd LLC

5. Experiment Often

In growth hacking or growth marketing, rapid growth can be achieved by carrying out experiments. You can do split tests to see what keywords, prices and offerings create the best results for your audience. When you find something that works, leverage the experiment by scaling it up and applying it to your marketing activities. In this way, an experimental mindset helps you grow your business fast. – Syed Balkhi, WPBeginner

6. Expand Your Pinterest Presence

Whether you own an e-commerce website, run a blog or lead a service-based business, develop an audience on Pinterest to send back to your website. Create content and visuals that represent your brand to attract website traffic, and use links back to blog posts with content upgrades. This will be one of the most effective ways to build an engaged audience. – Kristin Kimberly Marquet, Marquet Media, LLC

7. Tap Into Your Network

To accelerate your online growth, don’t underestimate what your networking connections can do for you. Knowing the right people can make all the difference in the direction your company goes in. A few positive endorsements from well-known entrepreneurs and leaders can put your foot in the door for more great opportunities. – Jared Atchison, WPForms

8. Be Customer-Centric

To accelerate your business growth, you need to create customer-centric strategies that focus on your buyers and their needs. If a company develops a plan based on the results instead of the data and people they serve, then it’s clear why they aren’t reaching the level of success they want. When your customers know that you want to provide for them, they’re sure to come back.  – Stephanie Wells, Formidable Forms

9. Build A Brand Community

Do whatever it takes to create a community around your website, brand or products. You can do that through social media, user-generated content, guest posts, email newsletters and more. By inviting people into your world, you’re helping them get invested in your business, making it easier for them to become loyal fans and customers. – Thomas Griffin, OptinMonster

10. Provide Value And Education Through Content

Creating great content isn’t a “quick fix” hack, but it is the best strategy for the long-term. By creating high-quality content that actually educates and engages your audience, you are giving them a reason to return to your site and making your company stay top-of-mind for them.  – Kelsey Raymond, Influence & Co.

11. Devote Resources To Content Promotion

Don’t just create good content—promote it. I see many organizations making this mistake. They invest time and money in creating great content and posting it online, but nothing happens. So they get frustrated, thinking that content marketing doesn’t help them grow. Promoting your content doesn’t make you intrusive. It only puts you in front of the right people—those who are interested anyway. – Solomon Thimothy, OneIMS

12. Build An Email List Before Your Site Launches

Many people often wait until the day of their website launch to start building an email list. A powerful way to build an audience and grow your business even before it’s launched is to create a “coming soon” page. Here, you can create a registration form and add a countdown timer. A “coming soon” page will help you build an email list and nurture your audience even before your business opens. – Blair Williams, MemberPress

13. Review Your Analytics

The key to boosting your growth is to look over your analytics. Data from your website, social media and email campaigns can help you make smart marketing decisions. For instance, if you notice that a majority of people across all platforms are clamoring for a specific feature, you can quickly add it. Using your data in this way can boost customer satisfaction, retention, sales and traffic. – John Brackett, Smash Balloon LLC

COVID Pandemic Taught Small Business These Important Cyber Security Lessons (INFOGRAPHIC)


With working from home the new norm, hackers are exploiting weaknesses in new working practices. The sharp increase in hacking and phishing activity has shone the light on the importance of cyber security.

Exploring the risks surfacing in the post-COVID economy, Data Connectors have compiled an infographic. Data Connectors are providers of the largest cyber security community in the US. The ‘Cybersecurity for the Post-Covid Economy’ infographic looks at the cyber security risks the pandemic has exposed. It looks at how businesses can make cyber security improvements to protect their tech and data.

COVID Cyber Security Lessons for Small Business

The Covid-19 pandemic has changed working practices, perhaps indefinitely. Remote work is now a common part of the workplace. Research shows 1 in 3 employees believe cyber security of their company is a moderate or major issue.

With hacking and other cyber crime on the rise, it is vital that small businesses take cyber security seriously. Protecting systems, networks and devices is important in the race against cyber crime targeting businesses.

As Itai Sel, CEO of Naval Dome, comments for Data Connectors’ infographic:

“Companies are stretched thin and this is benefitting the hacker. It is not sufficient to protect only networks from the attack. Each individual system must be protected. If networks are penetrated, then all connected systems will be infected.”

The Threat of Coronavirus-Related Cyber Attacks

In March and April 2020, more than 192,000 COVID-related cyber attacks were reported each week. This is a 30% increase in the number of reported cyber-attacks compared to pre-coronavirus.

Why Businesses Are at a Greater Risk

The infographic asks why businesses are at a greater risk of falling victim to cyber crime. It cites the large-scale growth of working from home, customer-facing networks, and online cloud services as being exploited by cyber criminals.

What COVID Teaches Us About Cyber Crime and Security

According to Data Connectors’ research, cyberattacks can spread at nine times the rate of Covid-19. They can also lie dormant for months while they spread.

The economic impact of a digital shutdown could be immense, the infographic warns. For example, a digital virus with the same virulence as Covid-19 could brick or wipe 20 million infected devices.

The Challenges of Recovering from Digital Destruction

The infographic warns that tech companies could struggle to meet the surge in demand of a digital shutdown. Failing to keep up with demand could grind the economy to a halt.

Threat of Cyber Pandemics

The research points to the threat of ‘cyberpandemics’ and that future pandemics could be cyber-related. Such pandemics could spread faster and further than a biological virus, with an equal or even greater economic impact. A global loss of internet would cost $50 billion per day, says the infographic.

Improvements Small Businesses Can Make to Protect Themselves

Since February 2020, there has been a 600% increase in phishing. 67% of businesses have experienced an IoT security incident. 55% of organizations plan to increase IT/OT alignment.

As businesses continue to work from home, security policies and procedures must be implemented to reflect the shift. Such policies and procedures should include disaster recovery plans. Having a business disaster plan in place is one of the best ways to prepare for disasters of all kinds.

The infographic advises businesses to adjust insurance coverage to incorporate cyber risk. New policies should also be put in place for mobile security and bring-your-own-device.

Businesses should also consider increasing bandwidth to move teleconferencing between sites. Secure VPN access should be established for employee workstations. Data should be monitored by adding a cloud access security broker. Network-level authentication should be made part of remote desktop protocols.

Company-issued devices need to be managed centrally with remote monitoring, as opposed to assigning administrative privileges to end users.

In the ‘new’ business climate, businesses need to be more vigilant than ever about the risks of cyber crime.


The Infosec Apocalypse


The rise of tooling for vulnerability detection combined with pressure driven by Vendor Due Diligence is causing a massive enterprise freezeout for non-mainstream technologies across the board. Of particular concern is the impact this will have on the adoption of functional programming in enterprise and small business B2B development.

I see now that the last 10 years were “easy mode” for the growth of new programming tools and infrastructure, with many new breakthrough technologies seeing rapid adoption. Languages like Node, Go and to some degree Scala saw breakaway success, not to mention all of the new cloud tech, NoSQL tech, containerization and data processing platforms along with their custom query DSLs. Other languages like Haskell saw success in small companies and skunkworks style teams solving very difficult problems.

The Rise of Vulnerability Scanning

Just this past year I’ve come to see we’re in the middle of a massive change across the industry. There are new forces at play which will calcify current software stacks and make it extremely hard for existing or new entrants to see similar success without a massive coordinated push backed by big enterprise companies. This force is the rise of InfoSec and vulnerability detection tooling.

Tools like Black Duck, WhiteSource, Checkmarx and Veracode are exploding in popularity; there are too many to list, and many are variations on the same theme. In the wake of so many data leaks and hacking events, enterprises no longer trust their developers and SREs to take care of security, so protocols are being implemented top down. This isn’t just on the code scanning side: there is a similar set of things going on with network scanning as well, which impacts programming languages less but will similarly calcify server stacks.

These tools are quickly making their way into SOC2 and SDLC policies across industry, and if your language or new infrastructure tool isn’t supported by them there’s little chance you will get the previously already tenuous approval to use them. This sets the already high bar for adoption much higher. As you might expect, vendors will only implement support for languages that meet some threshold for profitability of their tools. Not only do you need to build a modern set of tools for your language to compete, now you also need support from external vendors.

Vendor Due Diligence

Maybe we just cede this territory to enterprise tools with big backers like Microsoft and Oracle; we never made more than a few small inroads anyway. The use of these tools is arguably a good thing overall for software security. Unfortunately, the problem cannot be sidestepped so easily, and I’m afraid this is where things look very bleak. The biggest new trend is the enforcement of these tools through Vendor Due Diligence.

You may not be familiar with Vendor Due Diligence if you aren’t in a manager role. The basic idea is your customer will send you a long list of technical questions about your product which you must fill out to their satisfaction before they buy your product or service. In the B2B space where I work these lists are nothing new, but have been getting longer and longer over the last 10 years, now often numbering in the hundreds of questions.

Most recently I’ve seen more and more invasive questions being asked, some even going into how teams are organized, but important to this article is that across the board they now all ask about vulnerability scanning and now often request specific outputs for well-known vulnerability scanning tools. The implication being that if you’re not scanning with these tools they won’t buy your software, and the list of supported languages is small.

Any experienced technology manager sees the natural tradeoff here. When it comes down to making money versus using cool tech, cool tech will lose every time. You’re just burning money if you’re building cool things with cool tech if you know no one will buy it.

So What Now?

Potentially we will see a resurgence of “compile-to” functional programming with mainstream language targets to sidestep the issue. I suppose though that the extra build complexity and problems debugging will prevent this from ever being mainstream, not to mention that the vulnerability tools look for specific patterns and likely won’t behave well on generated code.

There is some hope in the form of projects like SonarQube, which let users come together and build custom plugins. Will functional programming communities come together to build and maintain such boring tech? I somewhat doubt it. This kind of work is not what most programmers would choose to do in their off time. Similarly, vulnerability detection is unlikely to be a good target to be advanced a little at a time with academic papers. It would take true functional programming fanatics to build companies or tools dedicated to the cause. If you are interested in helping out, pay attention to the OWASP Top 10, as this list drives focus for many infosec teams.

Where does this leave us? If our communities do nothing, then smaller B2B software operations, mom-and-pop shops and consumer-focused web applications likely won’t see any impact unless static analysis makes it into data protection law. Beyond these use cases, FP will be relegated to tiny boxes on the back end, where vulnerabilities are much less of a concern and the mathematical skills of functional programmers can bring extreme amounts of value.

I know there are many deeper facets I didn’t cover here, if you want to continue the discussion join the thread on twitter.

Millions of Users Love Zoom: Here’s Why That’s Bad News


Social distancing has pulled in thousands of new users, but security flaws have been a real issue.


With work-from-home and social distancing policies increasing reliance on video conferencing applications, Zoom Video Communications (NASDAQ:ZM) has posted record-breaking growth. Investors swooped in and pushed the company’s share price 40% higher in a single day of trading, although the entire market did pull back substantially shortly after. But somehow, somewhere, didn’t everyone forget the hacking scandals from earlier this year?


User count jumps sky-high

At face value, Zoom posts drool-worthy numbers. The company reported in August 2020 that total revenue had grown 355% year over year to $664 million in the second quarter. These results exceeded the guidance of $495 million to $500 million, as demand remained at heightened levels and more free users were converted to paying customers. Most impressively, current customers with more than 10 employees increased by 105,000 to approximately 370,000. So Zoom is clearly growing at an eye-popping rate.

The company claims to have more than 300 million daily active participants, although total unique user counts have not been disclosed to date. Zoom’s popularity may stem from its extremely user-friendly features — simultaneous screen sharing, group messaging, mobile collaboration, mobile app screen sharing, and the ability to host multiple users in a video call. So people are flocking to it in droves. But therein lies the problem. 

Hacking and stolen data

Zoom’s wild popularity led to very inventive hacking, which splashed across the news earlier this year. Interruptions were varied, ranging from “zoombombing,” in which a user or hacker broadcasts inappropriate video across a Zoom call room, to dangerous thefts of private data from user devices.

Large companies and organizations went so far as to ban Zoom from use, turning to competing applications like Microsoft Teams and Google Meet. Google banned company employees from using Zoom on employee laptops, while SpaceX and even NASA prohibited use, all citing security concerns.

The actions made sense at the time, since Zoom actually had such weak security measures back in March and April that they were essentially nonexistent. Of course, after the negative backlash, the company quickly acquired security company Keybase and worked to deploy encryption measures that could better protect its growing user base. 

Better but still not perfect

The problem with Zoom’s security measures lay in the ease with which hackers were able to enter a user’s device. Nowadays, stolen digital data is a huge issue. Our lives are literally there for the plucking. And with millions of people vulnerable through Zoom, that could create a major headache.


Zoom now offers 256-bit GCM transport encryption to all users, which means that the connection between the Zoom app and Zoom’s server is encrypted the same way the connection between your web browser and, say, this article is encrypted. In other words, when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it will not stay private from the company.

The company stated that it is working toward an end-to-end encryption add-on feature, but for a Zoom meeting to be end-to-end encrypted, the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the ability to decrypt it. That is, Zoom itself would not have the technical ability to listen in on Zoom meetings — which is very important, if the users happen to be large organizations exchanging sensitive information.
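Here is an added example (not Zoom’s code) that models that difference in Python: a relay server that terminates each participant’s transport encryption can read whatever passes through it, while a meeting key shared only by the participants leaves the relay forwarding ciphertext it cannot open. A small encrypt-then-MAC construction built from HMAC-SHA256 stands in for AES-GCM so the script needs only the standard library; the participant names, keys and message are constructed.

```python
"""Transport encryption vs end-to-end encryption through a relay server.

Added example, not Zoom's code. A PRF-based stream cipher plus HMAC tag
(encrypt-then-MAC over HMAC-SHA256) stands in for AES-GCM so the script
runs on the standard library alone; what matters here is who holds keys.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Relay:
    """The conferencing server. It terminates every client's transport
    connection, so it holds each transport key; it is never handed a
    meeting key."""

    def __init__(self):
        self.transport_keys = {}
        self.seen = []          # every payload the server had in the clear

    def register(self, client: str) -> bytes:
        self.transport_keys[client] = os.urandom(32)
        return self.transport_keys[client]

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        payload = open_(self.transport_keys[sender], blob)       # first hop ends here
        self.seen.append(payload)                                 # server-side visibility
        return seal(self.transport_keys[recipient], payload)     # second hop starts here


def send(relay: Relay, sender: str, recipient: str, message: bytes,
         meeting_key: bytes = None) -> bytes:
    """Client side. With a meeting key the message is first sealed for the
    participants (E2E); either way it is sealed again for the hop to the
    server. Returns what the recipient ends up reading."""
    keys = relay.transport_keys          # demo shortcut: each client really knows only its own key
    payload = seal(meeting_key, message) if meeting_key else message
    delivered = relay.forward(sender, recipient, seal(keys[sender], payload))
    payload_out = open_(keys[recipient], delivered)
    return open_(meeting_key, payload_out) if meeting_key else payload_out


def run(e2e: bool):
    """Returns (what the recipient read, whether the server saw the plaintext)."""
    relay = Relay()
    relay.register("alice")
    relay.register("bob")
    meeting_key = os.urandom(32) if e2e else None   # agreed out of band by participants only
    message = b"Q3 numbers: not for the relay operator"
    received = send(relay, "alice", "bob", message, meeting_key)
    return received, message in relay.seen


if __name__ == "__main__":
    print("transport only:", run(False))
    print("end-to-end    :", run(True))
```

In both modes the recipient reads the message and an eavesdropper on either hop sees only ciphertext; the only thing the meeting key changes is whether the operator of the relay is inside or outside the set of parties who can decrypt, which is precisely the distinction between transport encryption and end-to-end encryption.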

Fortunately, Zoom has finally realized the importance of protecting user data. This growing tech stock has access to millions of people, and that number will continue climbing as Zoom’s paying customer base rapidly expands. Imagine, millions of potential hacking targets.

However, Zoom has adroitly turned its hacking scandals into a source of future business inspiration, opening up a world of new clients if it does eventually offer true end-to-end encryption. And with this improved approach to security, Zoom may eventually shine as a new leader in the video conferencing industry.