Individual articles:
1. Hunting for vulnerabilities in GraphQL
https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/
2. Cli: gh run download implementation allows overwriting git repository configuration upon artifacts downloading
https://github.com/Metnew/write-ups/tree/main/rce-gh-cli-run-download
This article is quite interesting.
3. How to Analyze Malicious PDF Files
https://www.intezer.com/blog/incident-response/analyze-malicious-pdf-files/
4. You need to hear this if you are new/want to start bug hunting
Three GitLab vulnerabilities:
- https://systemweakness.com/1-3-brute-force-protection-bypass-gitlab-15a17909bb
- https://medium.com/@_ip_/2-3-xss-through-the-front-door-gitlab-fc4b6799e743
- https://medium.com/@_ip_/3-3-cache-poisoning-lateral-movement-gitlab-9c6288708576
Hunting progress:
Continuing with Databricks. Then I withdrew from all of my HackerOne private invitations and am waiting for new ones.