security.txt (RFC 9116)
In 2017, I published an Internet Draft titled “A File Format to Aid in Security Vulnerability Disclosure (security.txt)” for a proposed Internet standard which allows websites to define security policies. The Internet Draft was subsequently adopted by the IETF and was published as RFC 9116 in April 2022.
Can I take over XYZ?
“Can I take over XYZ?” is a community-maintained GitHub repository for tracking services enabling subdomain takeovers by not requiring verification of domain ownership. This project aids both bug bounty hunters and bug bounty programme owners in determining whether a particular service is vulnerable to (sub)domain takeovers.
As Michael Skelton put it, the repository has mostly evolved into a discussion board where the issue tickets allow for more open discussion surrounding the nuances of performing (sub)domain takeovers against particular services.
Bug Bounty Guide
In 2018, I created Bug Bounty Guide, a launchpad for bug bounty programmes and bug bounty hunters. While some of my opinions and advice expressed in the chapters may have changed since its date of publication, I still actively encourage people to have a read through.
Publications
RFC 9116: A File Format to Aid in Security Vulnerability Disclosure (security.txt)
Edwin Foudil, Yakov Shafranovich
Internet Engineering Task Force (IETF), April 2022
A Guide To Subdomain Takeovers
EdOverflow
HackerOne, August 2018
On escalating your bug bounty findings
Edwin “EdOverflow” Foudil, T.-C. “Filedescriptor” Hong
Paged Out!, August 2019
