u/Federal-Dot-8411

▲ 63 r/nextjs

Why Next.js Keeps Getting CVEs (And Why That's Actually Fine)

Hey,

I'm a security researcher and web developer (React side of things). Writing this because after the latest Next.js security advisory I've seen a ton of hate piled on the framework. People saying it's more vulnerable than the alternatives, that they're sick of it, the whole thing.

Before you jump on that train, you need to understand how bug bounty actually works.

There are highly skilled security researchers out there, and now with AI in the mix we're even more effective. What drives most of us (not saying I am one of the highly skilled) is pretty simple:

  • Money from bug bounties
  • Recognition

So why do vulnerabilities keep popping up in Next.js and not in alternatives like TanStack Start? Simple. A few months ago Vercel launched a bug bounty program for their open source projects, and they pay solid money for vulns in stuff like Next.js.

Also, Next.js is the king of web frameworks. How many people outside the dev bubble have even heard of TanStack? Or Vinext?

That's exactly why security researchers are gunning for CVEs in Next.js. It's the most used framework, and you actually get paid for it. So you get both money and recognition.

So most security researchers will hunt on Next.js and not on its alternatives.

The result is that vulnerabilities surface frequently, and that's not a bad thing. Those of us who do bug bounty for a living see new vulnerabilities pop up every single day in Fortune 500 companies. The difference is most of them never get publicly disclosed, they just get patched and life moves on. It's part of the normal software lifecycle.

Using a framework with no security advisories isn't necessarily a good thing. It might just mean there aren't enough skilled people auditing it.

No software is 100% secure, that's impossible. The vulns are there. If they're not surfacing it means no one good has found them yet, but a malicious actor very well might have, and could be actively exploiting them right now.

It is actually a good thing that new vulns get patched: software gets more secure and reliable the more vulns are fixed, and the dev team also gains a better understanding of security principles while applying patches.

u/Federal-Dot-8411 — 6 days ago

Hi folks, a while ago I bought the Beyerdynamic 990 Pro X (48 ohms). Before that, I had only used the Logitech G733, and they caused ear pain because the ear pads were too small for my ears.

So I switched to the Beyerdynamic, and I think they’re great overall. The right side feels as comfortable and pleasant as possible. However, the left side is unbearable—not in the ear itself, but on my cheekbone. It causes pain that forces me to take the headphones off, and it’s starting to make me dislike wearing headphones altogether.

I’ve already tried stretching the headband for quite a few days, which reduced the pressure a bit, but it still hurts a lot. I’ve also tried many different positions, but it’s the same in all of them. I think my left cheekbone might stick out a bit more, and the ear pad presses there and causes pain—but I’m not really sure what’s happening or what to do.

In the photo, you can see what looks like a “bump” or ridge between my cheekbone and the ear pad.

Has anyone had a similar experience?

u/Federal-Dot-8411 — 11 days ago

Hello folks,
I am a security researcher who started doing CTFs and found them very enjoyable. I don't have an awesome level; I just close all AI chats and try solving them the old-school way, reading source code and docs.
I read that if I join a team I will progress a lot and improve my performance. The problem is that I don't know if I am too much of a newbie for a team; I wish I had infosec friends, but that's not the case. So when can I say I am ready for a team? Or how can I join a team?

Happy hacking!

u/Federal-Dot-8411 — 11 days ago

Hello folks,

I am a software developer and gaming enthusiast. I own a gaming PC with an Nvidia card, and I am so tired of how badly Windows 11 works: crashes, reboots, lag... Also, I am a developer and almost all emerging tools in the dev ecosystem are for Linux/Mac, so I thought it would be a good switch to finally migrate to Linux.

I am not a Linux newbie, but not an expert either. I would like a distro that doesn't require too much maintenance and doesn't break too often.

Which distro would be a nice approach for both dev and gaming?

u/Federal-Dot-8411 — 15 days ago