r_bugbounty | Unsorted

Telegram channel r_bugbounty - R_bugbounty


@reddit2telegram & @r_channels


R_bugbounty

Bug bounty programs

Hi y’all! I work at an open source company and we are looking at bug bounty providers to search for security vulnerabilities in our software. We worked with huntr.dev but they switched to AI/ML. Being open source, we can’t offer huge bounties so we would need something that works but is not super expensive just to try it out. Do you have some experience regarding that or someone you could recommend?

https://redd.it/1gy75uv
@r_bugbounty


R_bugbounty

I want your advice!

I am planning to take my eWPTX and CBBH certificates, but yesterday I came across an offer for eWPT. Do you advise me to take it?

https://redd.it/1gxy16f
@r_bugbounty


R_bugbounty

I found a bug in a program that I found on OpenBugBounty

I finally found my first bug after two months.

The problem is I don't know how to write a report lol

I don't know how it should look. I just included the steps of exploitation with some pics and how dangerous the bug is. Is it enough?

https://redd.it/1gxho2d
@r_bugbounty


R_bugbounty

PhantomJS with Sudomy

I'm currently facing an issue while running Sudomy, where it fails to start PhantomJS properly, leading to incomplete scan results and missing screenshots. It seems like PhantomJS isn't starting as expected, and Sudomy is unable to take screenshots during the scan. I have installed all the libs needed for PhantomJS.

Please help me with how I can use any other headless browser with Sudomy, or use something else instead of Sudomy.

https://preview.redd.it/th10qmdbeh2e1.png?width=1920&format=png&auto=webp&s=187f00c7d20b3158ac3b37ba6805c6479752a163

https://preview.redd.it/a0ts4gdbeh2e1.png?width=1920&format=png&auto=webp&s=0ab93180973f1d277353155586cf76015ddd3447



https://redd.it/1gxc618
@r_bugbounty


R_bugbounty

Company mentioned having a Bug Bounty on their website, but after submission via Bugcrowd, found it’s actually a VDP – Is this normal?

Hey everyone,

I came across a company that mentioned they have a Bug Bounty program on their website. They also provided an external submission form that directed me to submit vulnerabilities through Bugcrowd. So, I submitted a vulnerability I found, thinking it was part of a reward-based Bug Bounty.

However, after my submission, I realized that the program is actually listed as a Vulnerability Disclosure Program (VDP) on Bugcrowd, not a Bug Bounty program.

Has anyone else run into a situation like this? Is it common for companies to list their programs as Bug Bounties on their website but actually have them set up as VDPs on Bugcrowd? I wasn’t expecting a payout, but it’s a bit confusing.

Any insights or similar experiences would be greatly appreciated!

Thanks!

https://redd.it/1gx84ux
@r_bugbounty


R_bugbounty

Vulnerable library

I found a website using Bootstrap 3.4.1, which is deprecated and no longer supported. Can I just report that, or do I have to actually exploit it?

https://redd.it/1gx2cz0
@r_bugbounty


R_bugbounty

Why don't people make their reports public on Google VRP leaderboard?

I was checking out https://bughunters.google.com/leaderboard
On both the leaderboard and honourable mentions, I don't see many reports compared to the users visible.

You can click on reports column header twice to see the people who have made their reports public.

Why don't these bug bounty hunters, especially the top ones, make their reports public? Won't it be better and help them with credibility? What could be the reason? Does it give away their communication tricks or hacking styles?

Just curious, I will be responding to the comments, thanks for reading.

https://redd.it/1gwyhou
@r_bugbounty


R_bugbounty

A little off topic, but how do you save your eyes from constantly watching a screen?



https://redd.it/1gwjh8l
@r_bugbounty


R_bugbounty

Company closed 2 valid reports as accepted risk

I got 2 valid medium reports, already triaged, in scope, frozen for 6 months in triaged status; today I woke up to "resolved, accepted risk" and no payment. Does anyone know someone at H1 support who can help me resolve this ticket?
The company is acting very unethically.

https://redd.it/1gwh6et
@r_bugbounty


R_bugbounty

Writeups

Hi all! I'm just wondering about everyone's processes when writing up bug bounty reports. Any tips, advice etc..

Thanks for your time 😊

https://redd.it/1gwc8pz
@r_bugbounty


R_bugbounty

IDOR reportable or not?

Hello guys, I hope you are having a great day.

I just wanted to get your opinion on an IDOR I just found. There are 3 cookies: PHPSESSID, cid, and zat. As you can guess, the PHPSESSID cookie is a session cookie and the others are not. cid is a UUID, but weirdly both my accounts have the same cid cookie, and I could not figure out what zat is. There is an edit profile path that takes POST requests and a bunch of other cookies, but only validates these 3 cookies. When I exchange the zat cookie between accounts I can change the bio part of the other account, which is the IDOR. But the problem is the zat cookie is not leakable and is a random value (I think, but not a UUID). I know since the cookie is not leakable the vuln's impact will be low, but this is still an IDOR, right? Should I report this or not?

https://redd.it/1gwajwf
@r_bugbounty

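A toy model of the edit-profile behaviour described in the post above, added here as an illustration; it is not the target site's code and every cookie value, account name and token in it is constructed. The vulnerable handler validates the session (PHPSESSID) and the shared cid, but picks the profile to write from the zat cookie alone, so a zat swapped in from another account edits that account's bio. The hardened handler resolves the user from the server-side session and rejects a zat that belongs to anyone else. As the poster notes, exploiting the real bug still requires obtaining a victim's zat, which is what keeps the impact low.

```python
"""Edit-profile IDOR keyed on the wrong cookie: vulnerable vs fixed (added example)."""
import secrets

# Constructed server-side state: session id -> user, zat token -> user.
SESSIONS = {}
ZAT_TOKENS = {}
PROFILES = {"alice": {"bio": "alice original"}, "bob": {"bio": "bob original"}}
# Both accounts carry the same cid, as observed in the post (constructed value).
SHARED_CID = "2f0b4d7e-5c1a-4b2e-9f3d-1c6e8a0b4d21"


def login(user):
    """Open a session and issue a zat token for `user`; return the cookie jar."""
    sid = secrets.token_hex(16)
    zat = secrets.token_hex(16)
    SESSIONS[sid] = user
    ZAT_TOKENS[zat] = user
    return {"PHPSESSID": sid, "cid": SHARED_CID, "zat": zat}


def edit_bio_vulnerable(cookies, new_bio):
    """Mirrors the observed behaviour: the session must exist and cid must match,
    but the profile written is whichever user the zat cookie maps to."""
    if cookies.get("PHPSESSID") not in SESSIONS:
        return 401
    if cookies.get("cid") != SHARED_CID:
        return 401
    target = ZAT_TOKENS.get(cookies.get("zat"))
    if target is None:
        return 401
    PROFILES[target]["bio"] = new_bio  # never checks target == session user
    return 200


def edit_bio_fixed(cookies, new_bio):
    """Resolve the acting user from the session; refuse a zat issued to anyone else."""
    user = SESSIONS.get(cookies.get("PHPSESSID"))
    if user is None or cookies.get("cid") != SHARED_CID:
        return 401
    if ZAT_TOKENS.get(cookies.get("zat")) != user:
        return 403  # zat does not belong to the logged-in user
    PROFILES[user]["bio"] = new_bio
    return 200


def reproduce(handler):
    """Log in as both users, put Alice's zat into Bob's cookie jar, submit an edit.
    Returns (status, alice_bio, bob_bio)."""
    PROFILES["alice"]["bio"] = "alice original"
    PROFILES["bob"]["bio"] = "bob original"
    alice = login("alice")
    bob = login("bob")
    swapped = dict(bob, zat=alice["zat"])  # Bob's session, Alice's zat
    status = handler(swapped, "changed by bob")
    return status, PROFILES["alice"]["bio"], PROFILES["bob"]["bio"]


if __name__ == "__main__":
    print("vulnerable:", reproduce(edit_bio_vulnerable))
    print("fixed:     ", reproduce(edit_bio_fixed))
```

The fix is the single comparison in `edit_bio_fixed`: authorization is derived from the authenticated session, and any secondary token is only accepted if it was issued to that same principal.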

R_bugbounty

Possible Account Takeover Vulnerability After Unlinking Google Account

**Summary:**

I encountered a scenario where I logged into an account, linked it to my Google account, logged out, and then logged back in using the same Google account. After unlinking the Google account from the account, I refreshed the page, but the account didn't log out. I was still able to change sensitive account information such as:

* Profile name
* Password
* Phone number
* Date of birth (DOB)
* Gender

**Steps to Reproduce:**

1. Log into an account (with any login method available).
2. Link the account with a Google account (OAuth or similar method).
3. Log out of the account.
4. Log back in using the Google account you just linked.
5. Unlink the Google account from the account.
6. Refresh the page or navigate to another section of the site.
7. The account doesn't log out after the unlinking process.
8. Attempt to modify account settings, including profile name, password, phone number, DOB, and gender.
9. Successfully make changes to the account without being logged out or asked to reauthenticate.

**Is this a vulnerability?**

It seems like there may be an issue with session handling after unlinking a Google account, which could potentially allow an attacker to change sensitive account data without proper reauthentication.

Would appreciate any thoughts or insights from the community on this. Could this be considered an account takeover vulnerability, or is there another explanation?

https://redd.it/1gvuy3d
@r_bugbounty


R_bugbounty

Is This a Vulnerability? Chrome and Firefox Google Account Linking Issue

Scenario Description:



1. I logged into **Account A** in Chrome.

2. I logged into **Account B** in Firefox.

3. I linked **Account B** with a Google account.

4. Then, I logged out and re-logged into Firefox using the **same Google account** linked to **Account B**.

5. After that, I **unlinked the Google account** from Account B in Firefox.

6. I then **linked the same Google account to Account A in Chrome**.

7. I refreshed **Account B** in Firefox, expecting it to log out, but it didn’t.

8. While still logged into Account B in Firefox, I was able to change the profile name and other details of that account.



Questions:

- Is this a vulnerability?

- Shouldn't linking the Google account with Account A have invalidated the session of Account B in Firefox?

- Are there security implications if session tokens remain valid even after unlinking and relinking accounts across different browsers?

https://redd.it/1gvu9vk
@r_bugbounty

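The two posts above (unlinking a Google account, and moving the same Google account to another local account in a second browser) both come down to the same session-store question: does a session record how it was established, and is that record consulted when the identity it came from is revoked? The following toy store, added here as an illustration and not the site's code, tags each session with its login method and revokes only the sessions opened through a Google identity when that identity is unlinked or re-linked elsewhere; password-established sessions are left alone. Google subject ids and account names are constructed. It also covers a case neither post exercises: relinking to another account without an explicit unlink first.

```python
"""Session revocation on OAuth unlink / relink (added example, constructed state)."""
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}  # sid -> {"user": ..., "method": "password" | "google:<sub>"}
        self.links = {}     # google subject -> local user

    def _open(self, user, method):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": user, "method": method}
        return sid

    def login_password(self, user):
        return self._open(user, "password")

    def login_google(self, google_sub):
        user = self.links.get(google_sub)
        if user is None:
            raise PermissionError("google account not linked")
        return self._open(user, f"google:{google_sub}")

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def link_google(self, user, google_sub):
        """Link google_sub to user. If it was linked to someone else, move it and
        revoke that someone's Google-derived sessions (the cross-browser case)."""
        previous = self.links.get(google_sub)
        if previous is not None and previous != user:
            self._revoke_google_sessions(previous, google_sub)
        self.links[google_sub] = user

    def unlink_google(self, user, google_sub):
        if self.links.get(google_sub) != user:
            raise PermissionError("not linked to this user")
        del self.links[google_sub]
        self._revoke_google_sessions(user, google_sub)

    def _revoke_google_sessions(self, user, google_sub):
        method = f"google:{google_sub}"
        doomed = [s for s, v in self.sessions.items()
                  if v["user"] == user and v["method"] == method]
        for s in doomed:
            del self.sessions[s]

    def is_valid(self, sid):
        return sid in self.sessions


def scenario_unlink():
    """First post: link, log out, log back in via Google, unlink.
    Returns whether the Google-opened session survives (it should not)."""
    store = SessionStore()
    first = store.login_password("victim")
    store.link_google("victim", "google-sub-123")
    store.logout(first)
    via_google = store.login_google("google-sub-123")
    store.unlink_google("victim", "google-sub-123")
    return store.is_valid(via_google)


def scenario_relink():
    """Second post, without the explicit unlink: Account B is logged in via Google
    in one browser, then the same Google account is linked to Account A in another.
    Returns (B's Google session still valid, A's password session still valid)."""
    store = SessionStore()
    a = store.login_password("account_a")       # Chrome
    b_pw = store.login_password("account_b")    # Firefox
    store.link_google("account_b", "google-sub-123")
    store.logout(b_pw)
    b_google = store.login_google("google-sub-123")
    store.link_google("account_a", "google-sub-123")  # moves the link, revokes b_google
    return store.is_valid(b_google), store.is_valid(a)


if __name__ == "__main__":
    print("google session valid after unlink:", scenario_unlink())
    print("(B google session, A password session) after relink:", scenario_relink())
```

Whether a site that does not do this has a reportable bug depends on the program's rules: many sites deliberately keep the current session alive after an unlink (the user is still authenticated) and only revoke other sessions on a password change, so the argument to make in a report is about what an attacker who once held the Google account can still do, not merely that the session persisted.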

R_bugbounty

Critical Bug Report Rejected: Insecure Session Management on Zomato

Recently, I reported a critical vulnerability to Zomato (2847018) related to insecure session management, which allowed unauthorized modification of sensitive user profile information (name, description, handle, website). The issue occurred when a request from an active session on Chrome was forwarded to Firefox (without an active session), allowing the changes without re-authentication.

Key Details:

- Bug Type: Session Management / IDOR

- Severity: Critical (as per my analysis)

- Steps to Reproduce:

1. Login to Zomato on Chrome with an active session.
2. Capture a request to modify sensitive profile data.
3. Forward the request to Firefox (no active session).
4. Observe the changes applied without re-authentication.

Impact:

- Identity Impersonation: An attacker could change profile names and handles for malicious purposes.

- Reputation Damage: Altering descriptions or linked websites could mislead users or damage reputation.

- Session Weakness: Exploits improper session validation, a critical aspect of user security.

Proof of Concept (PoC):

I attached a detailed video demonstration with the report, showing how the vulnerability could be exploited.

Zomato's Response:

- The issue was marked as Not Applicable after review.

- Their rationale: "We do not see this as an immediate threat."

I respectfully disagreed, highlighting potential misuse scenarios, but the severity was downgraded to None, and the report was closed.

Reflection:

This experience raises a broader question: Are companies underestimating the impact of vulnerabilities related to user data integrity? While this bug might not lead to direct account takeover, the ability to impersonate or misrepresent users can cause serious harm, both personally and professionally.

Security researchers: How do you approach cases where valid issues are marked as low-impact or ignored? Should we push harder for reconsideration or focus on educating platforms about potential real-world consequences?

Would love to hear your thoughts and experiences!

https://redd.it/1gvrdcc
@r_bugbounty


R_bugbounty

Hello, I am new to bug bounty and have very little knowledge about it. Any suggestions on where I should start first, please?



https://redd.it/1gvnxb5
@r_bugbounty


R_bugbounty

Next step to learning web hacking?

Hey guys, right now I'm following a roadmap from a NahamSec video to get into BBH or web hacking. I've finished HTB Networking and THM How The Web Works. I planned to get into OverTheWire to learn more Linux command stuff, maybe? What other basics/essentials should I learn besides bash/Python to start hacking? Is going into H1 stuff or PortSwigger too soon? What else am I missing?

Thanks

https://redd.it/1gy5d6k
@r_bugbounty


R_bugbounty

SQL for Bug Bounty Hunting

How much knowledge of SQL is required for bug hunting? Please reply keeping in mind I'm just a beginner in this long and hard journey ☺️

https://redd.it/1gxxagb
@r_bugbounty


R_bugbounty

JavaScript for web pentesters

Hello hunters, just a quick bit of advice needed because I am too confused about JavaScript in web penetration testing. Do we really need a very long course like a bootcamp, or just the basics with OOP concepts and some exercises on LeetCode and PortSwigger?

https://redd.it/1gxfy1k
@r_bugbounty


R_bugbounty

Update on My HackerOne Report Marked as Duplicate

But the actual question is: why don't they fix it already?

https://redd.it/1gxa7z9
@r_bugbounty


R_bugbounty

I am a beginner in bug bounty. I want a partner who can tell me about it in detail.



https://redd.it/1gx7dwl
@r_bugbounty


R_bugbounty

Exploit nginx 1.24.0?

Hi guys! I am searching for an exploit for version 1.24.0, so can you help me?

https://redd.it/1gwzsg3
@r_bugbounty


R_bugbounty

Tech layman found a way to see the "seen" status on Instagram Messenger even if the person hid it

Hi, I'm not into coding or anything, but I found a way that one can very easily check if an Instagram DM was seen or not. It is a really dumb thing, a few steps, it's right in the user's face (I'm a user).

A friend from computing told me "well, you can try this" and showed me the Meta bug bounty page (I wasn't really familiar with it).

Not sure if this should yield anything; maybe it was already reported, maybe it's not a big issue at all for them. I just wrote to them, described how I did it and sent some pictures as examples.

My question here would be how much of an issue this could be. I think it could at least be troubling for those who opted not to show anything in their privacy settings.

That's about it. Good job to you all; I just learned how many people make a living out of this, so it is a nice job keeping the internet better for most of us (:

https://redd.it/1gwx54f
@r_bugbounty


R_bugbounty

A Look Back: Insights from Our Managed Bug Bounty Program
https://blog.compass-security.com/2024/11/a-look-back-insights-from-our-managed-bug-bounty-program/

https://redd.it/1gwj2yo
@r_bugbounty


R_bugbounty

What's this XBOW? An AI vulnerability scanner?
https://redd.it/1gwchlz
@r_bugbounty


R_bugbounty

Nmap Scan Results Not Replicated in Target Website

I ran an Nmap scan with the command nmap -p 80,443 --script vuln target.com. It showed vulnerabilities, but when I try to access them, I get a "page not found" error. I'm appending the file names from the scan results to the URL (like target.com/BackupConfig.php), but I still get a "page not found" error. As I'm new to this, I'm wondering if I'm missing something. Could someone please help me understand what I might be doing wrong?

Below are the scan results; I'm not able to open any file or folder.

/BackupConfig.php: NETGEAR WNDAP350 2.0.1 to 2.0.9 potential file download and SSH root password disclosure

/Info.live.htm: Possible DD-WRT router Information Disclosure (BID 45598)

/cgi-bin/config.exp: Cisco RV320/RV325 Unauthenticated Diagnostic Data & Configuration Export (CVE-2019-1653)

/jmx-console/: Authentication was not required

/zip/: Potentially interesting folder

/_docs/: Potentially interesting folder

https://redd.it/1gwa336
@r_bugbounty

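The paths in the post are what Nmap's http-enum script (pulled in by --script vuln) reports when a request for a fingerprinted path gets a status or body that matches its database. Servers that answer every unknown URL with a 200 "not found" page, or with a redirect, trigger this for paths that do not exist, which is consistent with a browser showing "page not found" for all of them. The script below, added here as an illustration rather than anything from the post or from Nmap, re-requests each reported path and compares it against a baseline request for a random path that cannot exist; a hit is only confirmed when its response differs from that soft-404 baseline. It runs against a throwaway local HTTP server (constructed) that mimics a catch-all site with one real directory listing, so it works offline; point `classify` at a real base URL to use it on a target you are authorized to test.

```python
"""Confirm or dismiss http-enum hits against a soft-404 baseline (added example)."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths copied from the scan output in the post.
REPORTED = ["/BackupConfig.php", "/Info.live.htm", "/cgi-bin/config.exp",
            "/jmx-console/", "/zip/", "/_docs/"]


def fetch(base, path):
    """Return (status, body). Redirects are not followed, so a 30x catch-all
    is seen as such instead of as whatever the landing page returns."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for 30x
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base + path, timeout=5) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def classify(base, paths):
    """Map each path to 'confirmed', 'soft-404' or 'missing'."""
    _, baseline = fetch(base, "/" + secrets.token_hex(8) + ".php")
    verdicts = {}
    for p in paths:
        status, body = fetch(base, p)
        if status == 404:
            verdicts[p] = "missing"
        elif body == baseline:
            verdicts[p] = "soft-404"  # same page the server gives for junk
        else:
            verdicts[p] = "confirmed"
    return verdicts


# --- constructed target: 200 with a generic page for every unknown URL
class _CatchAll(BaseHTTPRequestHandler):
    REAL = {"/_docs/": b"<title>Index of /_docs</title>"}

    def do_GET(self):
        body = self.REAL.get(self.path, b"<title>Welcome</title>Not here")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def demo():
    """Run classify() against the local catch-all server and return the verdicts."""
    srv = HTTPServer(("127.0.0.1", 0), _CatchAll)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return classify(f"http://127.0.0.1:{srv.server_address[1]}", REPORTED)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:9} {path}")
```

Comparing full bodies is the simplest baseline check; on sites that embed nonces or timestamps, compare a normalized body or the Content-Length instead. Note too that several of the listed signatures are for router and JBoss firmware, which a generic web target is unlikely to run; the http-enum match alone is not a finding.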

R_bugbounty

How to get a Burp Suite Professional free trial

Well, I am a student. I don't have enough money to buy Burp Suite Professional, so I wanted to try the free trial. I provided my university email address to make a free trial request. I received an email saying my request for Burp Suite Professional was not approved. Is there any way that I can get Burp Suite Professional for free, I mean get access to the free trial?

I am new to bug hunting. I am learning stuff on the PortSwigger website; to solve some of their labs I need to use Burp Professional (like Burp Collaborator). So I just want to try Burp Professional.

Any help?

https://redd.it/1gw7jvj
@r_bugbounty


R_bugbounty

I am lost

Can you provide me with a roadmap to understand the basics of the web and vulnerabilities? I feel completely lost. Some people say that I need to learn all the web languages and so on. I want an effective roadmap through which I can understand the fundamentals and be able to find vulnerabilities.



https://redd.it/1gvtwbu
@r_bugbounty


R_bugbounty

Should you report xmlrpc on a website which can make pingback requests to external services and bypass some CAPTCHA validations?



https://redd.it/1gvr7ll
@r_bugbounty

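The question above is about WordPress's xmlrpc.php, where two methods carry the risk: `pingback.ping`, which makes the server fetch a URL the caller supplies (a server-side request, the "pingback to external services" part), and `system.multicall`, which packs many calls such as `wp.getUsersBlogs` logins into one HTTP request and so sidesteps per-request CAPTCHA or rate limiting. The probe below, added here as an illustration and not taken from the post, lists the methods an endpoint advertises and flags those two; it does not fire a pingback or attempt a login. It runs against a constructed local XML-RPC server that imitates the WordPress method list, so it works offline; `probe` takes any endpoint URL.

```python
"""Flag pingback.ping and system.multicall on an XML-RPC endpoint (added example)."""
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

RISKY = {
    "pingback.ping": "server-side request to a URL supplied by the caller",
    "system.multicall": "many calls (e.g. wp.getUsersBlogs logins) in one request",
}


def probe(endpoint):
    """Return {method: why it matters} for risky methods the endpoint advertises."""
    proxy = xmlrpc.client.ServerProxy(endpoint)
    try:
        methods = set(proxy.system.listMethods())
    except (xmlrpc.client.Fault, OSError, xmlrpc.client.ProtocolError):
        return {}  # introspection disabled or endpoint not XML-RPC
    return {m: why for m, why in RISKY.items() if m in methods}


# --- constructed stand-in for a WordPress xmlrpc.php
class _WpPath(SimpleXMLRPCRequestHandler):
    rpc_paths = ("/xmlrpc.php",)


def _fake_wordpress():
    srv = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=_WpPath, logRequests=False)
    srv.register_introspection_functions()  # provides system.listMethods
    srv.register_multicall_functions()      # provides system.multicall
    srv.register_function(lambda source, target: "pingback registered", "pingback.ping")
    srv.register_function(lambda user, pw: [], "wp.getUsersBlogs")
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe the constructed server and return the flagged methods."""
    srv = _fake_wordpress()
    try:
        return probe(f"http://127.0.0.1:{srv.server_address[1]}/xmlrpc.php")
    finally:
        srv.shutdown()


if __name__ == "__main__":
    for method, why in demo().items():
        print(f"{method}: {why}")
```

Presence of these methods is not by itself a finding on most programs; what gets accepted is a demonstrated effect, such as a pingback reaching a host the server should not be able to reach, or a multicall that actually defeats a login rate limit the program claims to enforce. Check the program's out-of-scope list first, since many explicitly exclude xmlrpc.php enumeration.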

R_bugbounty

How to tell if something is a vulnerability or not? 🤔

Hey, everyone!
Recently, I found a "bug" in an application where the banking agency number was exposed in the URL. On top of that, the number was iterable, allowing me to enumerate users based on it. I thought, "This seems dangerous, right?!" But to my surprise, when I reported it, my submission was closed as informative. 😐

I’m more used to reporting straightforward vulnerabilities like XSS, so it’s hard for me to judge whether something like this actually qualifies as a security issue.

So, I wanted to ask:

- Would this be considered a vulnerability?

- How do you evaluate situations like this?

- Are there clear criteria, or does it always depend on the app's context and the potential impact?

I’d love to hear your thoughts! I want to avoid wasting time on reports that get dismissed. Any advice is appreciated! 🚀

https://redd.it/1gvpkqq
@r_bugbounty


R_bugbounty

CEH vs MCA (CS)

I have 2 years of experience in VAPT and I don't have an MCA or any certificate, so what should I do for better future opportunities: CEH, or a 2-year MCA in cyber security from an average university?
I know the OSCP would be best for me with 2 years of experience, but currently I am not financially ready for that certificate.

Can someone guide me on this?

https://redd.it/1gvke6d
@r_bugbounty
