It’s more like a tiny tip rather than an article/writeup/blog. If you want to succeed, stop speed-running the learning phase. My own opinion is that you need a deep understanding of web development before web security, and this takes a lot of time to…
Got a vuln confirmed by MSRC, assessed as Moderate severity. Closed with no bounty because it's "below the bar for immediate servicing." But the published Copilot AI bounty criteria (microsoft.com/en-us/msrc/bounty-ai) list Critical, Important, and…
I’m 18 and getting into offensive security. Working through HTB Academy’s pentester path and doing bug bounties on HackerOne and Bugcrowd. Lately I’ve been wondering if the real version of this field ever matches what Mr.…
Hello, the purpose of private programs on HackerOne is to reduce competition, but I noticed that some of these programs still receive around 300 reports within 90 days. For example, there is not such a big difference compared to public programs.…
I wrote up an old OLX account takeover bug that started from a very small UI difference. After enough wrong OTP attempts, the page showed a “try again later” lockout message. That should have made every blocked submission look the same. But it didn’t.…
Hello. I'm totally out of my mind. Here is my case: I'm 20 (M), and I didn't go to a local college for some reason, and I am not smart enough to crack exams to get into top-tier colleges.…
Everyone has built autonomous systems with AI and automated their bug bounty processes, while I still do not use these agents fully autonomously and only use them like an assistant.…
I have a question regarding my H1 account. Is this issue happening only to me, or has anyone else also faced it? No reports filed in May went to human triage. Some of them are now 26 days old.…
I'm curious to see how people take on different vulnerability severity classes. When you are testing, are you specifically looking for Medium+, or is it strictly finding a bug and then seeing how far you can push it?…
Is finding a web app's infrastructure IP hidden behind a WAF a huge deal, or is it only worth it if you're able to bypass the 403 page and actually gain access to the system service? If it is, then what's the average bounty for it?…
People pick up bug bounty with zero engineering background, zero security knowledge, run nuclei on a wildcard scope for a weekend, and then post here asking why nobody is paying them. Because you don't know anything yet. That's why.…
Hello hackers, I have been a bit out of hacking due to my finals; now I want to come back for the summer. I have like 20 reports pending for months on HackerOne, and I am a bit tired of bug bounty platforms. Triage platforms don't invest in triage, and the…
Hey folx, I’m currently doing “vibe hacking”. I’ve submitted around 50 reports so far, but like 90% got closed as duplicates (source code and domains). Any advice on how to avoid duplicates and find unique vulnerabilities?…
I'm stuck and hoping someone here has dealt with this or knows who to contact. My HackerOne account uses a passkey for MFA. The passkey was stored on my Windows machine and got corrupted, so I can no longer pass the MFA step and I'm completely locked out.…
I've been practicing my bug bounty skills lately and came across this bug bounty vulnerability report page. It doesn't explicitly state any scopes or tools that are allowed or not allowed.…
Hey fellow hackers, I recently submitted a report that got triaged as a simple "Information Disclosure (Out of Scope)" and closed. I'd love to get your perspective on whether this classification is fair or if it's a bit of a lazy triage…
Hi! I’m looking for some advice from people who have bug bounty experience. I found an application-specific parsing inconsistency in an image-fetch feature.…
Independent researcher. End of 2024, I found a vulnerability in Chain of Thought (CoT) models. To date, it has 100% success rate, culminating in one of two scenarios: model collapse and shutdown or model refusing safety guardrails. Claude. Gemini. Grok.…
Hi, I found a .map file for a JavaScript bundle that reveals all the source code of the app. Is it valid to report this finding?
Hey everyone. During a bug bounty assessment, I discovered internal npm package names leaked via client-side source maps. Further recon revealed an interesting scenario under the same organization scope: some packages are publicly registered on npm…