VulnBank Blog

Thoughts, news, and updates from our team of insecurists.

Introducing VulnBank 2.0: Now With More Vulnerabilities Than Ever

March 12, 2026 • By the VulnBank Team

We're excited to announce the release of VulnBank 2.0, featuring an expanded vulnerability portfolio that now includes SSRF, path traversal, and an improved IDOR experience. Our users asked for easier account takeover, and we delivered.


A Word on Our Password Policy: Simplicity is Key

February 28, 2026 • By CTO, Security Oversight Division

Many have asked why we don't enforce password complexity requirements. The answer is simple: we trust our users. If you want your password to be "password123," who are we to judge? We store it in plaintext to honor that trust.


How We Achieved 100% Uptime During Last Week's DDoS Attack

February 15, 2026 • By Infrastructure Team

When our servers were flooded with requests last week, we didn't go down—we just got slower. Much slower. Like, "one query per minute" slow. We're calling this a victory and considering removing rate limiting permanently since it worked so well.


Customer Spotlight: The User Who Brute-Forced Their Own Account

January 30, 2026 • By Customer Support

We'd like to recognize one of our most dedicated users, who attempted 47,000 login attempts in 24 hours before successfully accessing their account. The password was "12345." We salute your persistence.


Rethinking Authentication: Why JWTs in localStorage Are the Future

January 15, 2026 • By Lead Developer

Everyone says "use httpOnly cookies" for JWT tokens, but have you considered how much harder that makes XSS exploitation? We believe in equal opportunity for all vulnerabilities, regardless of whether they're reflected, stored, or DOM-based.


Our Commitment to Accessibility: Anyone Can Access Anyone's Data

December 20, 2025 • By DEI Officer

At VulnBank, we believe data should be accessible to everyone. That's why we've implemented our IDOR (Insecure Direct Object Reference) feature with zero access controls. Simply change the ID in the URL, and voilà—you're browsing someone else's financial data.


Behind the Scenes: How We Implemented File Upload Without Validation

December 5, 2025 • By Engineering Team

Users asked for the ability to upload profile pictures. We delivered. Sure, the upload accepts any file type, any size, and saves it to the filesystem without checking contents. And yes, the file path is vulnerable to directory traversal. We call it "flexible."


The Admin Panel: It's Not a Bug, It's a Feature (That's Hidden)

November 18, 2025 • By Product Team

Many users have asked how to access admin features. The answer is simple: try harder. Our admin panel URL is /sup3r_s3cr3t_admin. Is it security through obscurity? We prefer to call it "security through mystery." The journey is the destination.


API Security: We Made It So Easy, You Won't Believe It

November 1, 2025 • By API Team

We're proud to announce our new OpenAPI specification, now available at /static/openapi.json. It documents every endpoint, including the ones that shouldn't exist. No authentication required for most endpoints because we believe in open access to financial services.


Categories

Security: how we're not doing it

Engineering: shortcuts we took

Product: features we probably shouldn't have shipped

Company: our journey to becoming a case study