HSTS tracking beats even incognito mode in browsers, and it is used more and more often by advertisers. In the most recent edition of OSX, Safari has two mitigations in place for this issue. Let's hope other browsers follow suit shortly.
https://thehackernews.com/2018/03/hsts-supercookie-tracking.html
Here's a really good writeup by a researcher who discovered an XML External Entity vulnerability in Windows Remote Assistance.
https://krbtgt.pw/windows-remote-assistance-xxe-vulnerability/
Dropbox and Netflix join the growing group of large technology organizations promising not to sue white hat security researchers.
https://www.theregister.co.uk/AMP/2018/03/22/netflix_bounty_dropbox_promise/
Here's another application vulnerability analysis procedure, well written and organized.
https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodology/