Bug bounty chat

11 Aug 2023 06:55

I found a Zendesk api key and applicationID can anyone sugguest me what should i do further escalation to a bounty

Bug bounty chat

11 Aug 2023 06:53

the public root keys and the encryption algo

Bug bounty chat

11 Aug 2023 06:27

i found the keys of a target i'm walking through with google dorking how can i escalate this a get a bounty.....

Bug bounty chat

11 Aug 2023 04:18

I use burp ofcourse but i also use Fiddler

Bug bounty chat

11 Aug 2023 04:17

It feels like it's out of date

Bug bounty chat

11 Aug 2023 04:16

Yep. Considering that’s what you’re doing first. Not sure if that was done. Just basing it off of the fact of running zap

Bug bounty chat

11 Aug 2023 04:15

See if you can pivot or use it to affect domains in scope

Bug bounty chat

11 Aug 2023 04:15

Ya if you done with your Manual testing you can run automated tool

Bug bounty chat

11 Aug 2023 04:12

Automated testing and tools are not preferable because they show false positive and are not capable of finding business logic bug or any critical bug in most of the case

Bug bounty chat

10 Aug 2023 20:10

And like other said. It will be unpaid. There’s a reason they probably don’t pay it. The reason, who knows. That’s their fault.

Bug bounty chat

10 Aug 2023 18:56

Anyone interested in OSCP , GPEN , OSWE , OSCE , Pentest+ , CEH certification ?

Bug bounty chat

10 Aug 2023 12:21

Nope. If in bb programm it is out-of-scope, high risk that your vuln will be unpaid

Bug bounty chat

10 Aug 2023 06:30

yes. otherwise its a valid bug

Bug bounty chat

10 Aug 2023 06:26

i reported it 5 times they did not response

Bug bounty chat

10 Aug 2023 06:23

quantity tampering easy to find

Bug bounty chat

11 Aug 2023 06:54

also the signature keys

Bug bounty chat

11 Aug 2023 06:50

lie password of admin panel or user ?

Bug bounty chat

11 Aug 2023 06:26

hey guys im a noob here

Bug bounty chat

11 Aug 2023 04:18

Can anyone explain me this bug Insecure OS/Firmware > Hardcoded Password > Non-Privileged User

Bug bounty chat

11 Aug 2023 04:17

But zap is a noisy tool

Bug bounty chat

11 Aug 2023 04:15

Especially IDOR and SDE

Bug bounty chat

11 Aug 2023 04:15

Nice idea bro i will test it

Bug bounty chat

11 Aug 2023 04:13

True that’s why I mentioned replicating the issue. Owasp is known to show % of false positive in its report, but obviously, always preferable to run a replication as part of your QA

Bug bounty chat

11 Aug 2023 04:09

You can report it if it's directly or indirectly linking to in scope domain or server

Bug bounty chat

10 Aug 2023 20:06

I say don’t do it. If it’s out of scope they are going to ask how you even found it and sometimes they get sensitive about it.

Bug bounty chat

10 Aug 2023 17:39

i think it depends on company, i would recommend to check if there was similar reports or if company actually paid for out of scope issues before.

Bug bounty chat

10 Aug 2023 12:01

Guys i found a severe vulnerable but it's out of scope should i report it the vuln is opening admin panel and full control of the subdomain and server's files

Bug bounty chat

10 Aug 2023 06:27

well that’s sad but still gives no right to actually exploit it 😔

Bug bounty chat

10 Aug 2023 06:25

nah it’s type of playing stupid games winning stupid prizes if you really order something off of them. The consequences might be really dire. If I were in your shoes, I’d rather go report it again 😌

Bug bounty chat

10 Aug 2023 06:23

yes do you want to try?