Featured Stories

CVE-2024-53991 - Discourse Backup Disclosure: Rails send_file Quirk

Introduction Modern web applications rely on middleware and web server configurations to efficiently handle file delivery while maintaining security. In the Ruby ecosystem, the send_file method in Rack and Rails is a widely used mechanism that can offload file serving to web servers like Nginx and Apache, improving performance and scalability. However, when used in conjunction with Nginx’s internal directive, a feature designed to restrict access to sensitive resources, unexpected security flaw

Amplify automates security testing with ProjectDiscovery’s precision

Amplify automated security testing with ProjectDiscovery, reducing workload, improving vulnerability management, and enabling scalable scans. By converting bug bounty reports into tests, they ensure patched issues don’t return, empowering QA teams to enhance security across applications.

Case Studies

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

ConnectWise chose ProjectDiscovery over Tenable Cloud to streamline vulnerability detection across 20,000+ AWS instances. By leveraging ProjectDiscovery’s automation and scalability, they achieved efficient, high-volume security monitoring without operational overhead.

Case Studies

Reinventing custom detections and vulnerability management

We’re making custom vulnerability detection easier with an AI-powered template editor, full-text search, and auto-regressions. These additions help security teams create, refine, and validate detections faster, staying ahead of threats with less manual work.

Announcements

CVE-2024-53991 - Discourse Backup Disclosure: Rails send_file Quirk

Vulnerability Research

DeepSeek’s Data Breach: Could ProjectDiscovery’s Cloud Have Prevented the Hack?

Last week, DeepSeek made headlines with R1, an open-source model positioned as a competitor to OpenAI’s Model o1. What set R1 apart wasn’t just its capabilities - it was the claim that DeepSeek trained it with significantly fewer GPUs. It challenged conventional wisdom around the compute requirements for large-scale model training and even caused a small stock market selloff. Amid the hype, a security incident surfaced: researchers gained access to DeepSeek’s internal databases. The breach repo

Vulnerability Research

GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487)

Introduction In light of the recent Ruby-SAML bypass discovered in GitLab, we set out to examine the SAML implementation within GitHub Enterprise. During our research, we identified a significant vulnerability that enabled bypassing GitHub’s SAML authentication when encrypted assertions were in use. This blog post will provide an in-depth look at GitHub Enterprise’s SAML implementation and analyze the specific code issue that permitted this bypass. Although we uncovered this vulnerability inde

Vulnerability Research Nuclei & Templates

Effortless Passive Detection Using Global Matchers in Nuclei

If you've ever found yourself repeatedly setting up the same matchers in multiple Nuclei templates, it's time to break free from that cycle. Meet global matchers, a killer feature in Nuclei that simplifies your detection workflow. Imagine having a single template that automatically hunts for specific patterns (like private keys, sensitive tokens, or webhooks) across every HTTP response from all your other templates. That's what global matchers do — and they do it effortlessly. In this post, we

Nuclei & Templates

Crafting DAST Nuclei Templates for OOB Template Engines Injection: A Practical Guide

We’re thrilled to announce the release of new DAST Out-of-Band Template Injection Templates tailored for various templating engines and programming frameworks. This update empowers us to assess vulnerabilities and misconfigurations in diverse tech stacks effectively. In this post, we’ll explore automating Out-of-Band Template Injection Testing, crafting custom vulnerability checks, and sharing the findings through the PDCP Cloud for streamlined collaboration. For those particularly interested i

Nuclei & Templates

Alibaba Cloud - Nuclei Templates v10.1.1 🎉

We're excited to tell you about Nuclei Templates release v10.1.1 ! This new version includes newly added Alibaba Cloud Review templates. In this blog post, we'll discuss automating Alibaba cloud misconfiguration review, creating custom checks, and sharing results on the PDCP Cloud for review. An Alibaba Cloud Configuration Security Review is essential for assessing and improving the security of your cloud infrastructure. It ensures that your resources are configured correctly, compliant with re

Nuclei & Templates

Advancing Asset Management - PDCP v0.8.9

We're excited to announce the release of version 0.8.9 of the ProjectDiscovery Cloud Platform. This update introduces significant enhancements to our asset management capabilities, focusing on asset inventory, AI-powered search, and improved user experience. Key Features in v0.8.9 Asset Inventory and Technologies The new interface for cataloging and organizing all assets along with their associated technologies in one place represents a significant advancement in asset management. Now, rega

Vulnerability Management

Enhancing Asset Discovery: ProjectDiscovery Cloud Platform (v0.8.8)

We're excited to announce the release of version 0.8.8 of the ProjectDiscovery Cloud Platform. This update brings significant enhancements to our asset discovery capabilities, introduces new features for Basic Tier (Free) users, and resolves several critical issues. Our primary focus remains on improving the visibility and analysis of discovered assets and refining the insights available to our users. Empowering Basic Tier (Free) Users Our mission at ProjectDiscovery is to make advanced secur

Vulnerability Management

Nuclei v3.2 Release with Authenticated Scanning, Advanced Fuzzing & more

We're thrilled to announce the launch of Nuclei v3.2.0. This latest version introduces a host of new features, enhancements, and bug fixes, significantly elevating the Nuclei engine's performance and capabilities. Notably, the inclusion of authentication support and advanced fuzzing support positions this release as a pivotal milestone, further building upon the foundation laid by version 3.0.0. In this blog, and a number of upcoming feature spotlights, you'll learn a lot more about all that nu

Vulnerability Management

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

This is the second part of our series on bug bounty etiquette. Part one looks at what you should be doing. Last month we talked about bug bounty etiquette and how to be a good bug bounty hunter; not in the sense of finding more bugs, but rather in how to be the kind of bug bounty hunter people want to work with. This time, we have some advice about what NOT to while bug bounty hunting. Let's get started. 1. Don’t go all out 2. Don’t ignore the rules 3. Don’t report unnecessary stuff 4. Do

Learning & Automation

Bug Bounty Etiquette: More than Ethical Hacking (part one)

This is part one of our two-part series on polite hacking, focusing on what to do. Part two talks about what not to do (link coming soon). This blog is not about techniques. It’s not about tools to use, how to find the vulnerability, or anything like that. There are plenty of those out there. It’s much more like an etiquette guide for Bug Bounty reporting, and how working within these social norms can lead to better outcomes for you in your career! Think of it like a cotillion class, or the fa

Learning & Automation

Getting Started with ProjectDiscovery in Linux and Windows

"Just for you, we’ve got this brand new blog all about getting started with ProjectDiscovery on Linux AND Windows."

Learning & Automation

February 2025 Newsletter

First, we’re so excited to announce that we’ve reached 100,000 GitHub stars across our OSS projects! This wouldn’t have been possible without everyone who’s contributed, used our tools, and offered their support along the way. Thank you, and we can’t wait to keep building with you! 🎉

Announcements

Reinventing custom detections and vulnerability management

Announcements

Engineering the future of vulnerability detection

We’re building the future of Nuclei-powered scanning - 35x faster, with automated scheduling, smart alerts, and streamlined triaging. With built-in internal scanning, it’s designed for modern security teams who need speed, scale, and precision.

Announcements

View all stories

Featured Stories

CVE-2024-53991 - Discourse Backup Disclosure: Rails send_file Quirk

Amplify automates security testing with ProjectDiscovery’s precision

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

Reinventing custom detections and vulnerability management

Vulnerability Research Stories

CVE-2024-53991 - Discourse Backup Disclosure: Rails send_file Quirk

DeepSeek’s Data Breach: Could ProjectDiscovery’s Cloud Have Prevented the Hack?

GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487)

Nuclei & Nuclei Template Stories

Effortless Passive Detection Using Global Matchers in Nuclei

Crafting DAST Nuclei Templates for OOB Template Engines Injection: A Practical Guide

Alibaba Cloud - Nuclei Templates v10.1.1 🎉

Vulnerability Management Stories

Advancing Asset Management - PDCP v0.8.9

Enhancing Asset Discovery: ProjectDiscovery Cloud Platform (v0.8.8)

Nuclei v3.2 Release with Authenticated Scanning, Advanced Fuzzing & more

Educational Stories

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

Bug Bounty Etiquette: More than Ethical Hacking (part one)

Getting Started with ProjectDiscovery in Linux and Windows

Company Announcements

February 2025 Newsletter

Reinventing custom detections and vulnerability management

Engineering the future of vulnerability detection

Monitor your infrastructure

Talk to sales

Platform

Open Source

Resources

Company