R_bugbounty – Telegram
Help me in bug bounty

Hey guys. In my friend circle, they call me a hacker. But in reality, I'm not one. I hate the word hacker because there are tons of things to do in cyber security. You need to be a tough guy. Just that single word is not enough to express the hard work.

I started bug bounty a year ago, finding my first bug, which was a duplicate. After that I tried hard and gained more knowledge on bug bounty. But I still haven't found my first valid bug.

Every time I try to do bug bounty, I come across a new technology, after which I give up. I have the hunger to hunt but not the patience when the tech is unknown.

What I want to do is bug bounty and find my first valid bug through collaboration, where I can learn the real bug hunter mindset up close. I don't have friends doing bug bounty, so I need someone who can guide me. I was frustrated with tons of knowledge on self-learning, while most hunters prefer it.
H1 - https://hackerone.com/aashifm
Bc - https://bugcrowd.com/h/Aashif

Can anyone help me, guys?

https://redd.it/1rbfh0r
@r_bugbounty
Talented people from other countries challenges

I've seen stories of a lot of talented people in bug bounty who have discovered some really big bounties that could even have changed their lives, but simply because they were from a third world country etc. they were ineligible, and those companies still go ahead with the remediation without giving a single cent to those talented individuals. I am a final-year cyber sec student. I am not as talented as them; what I lack they have and what I have they lack. If I were to learn from them directly and apply those skills, and when I'm getting paid share my profits with them because technically they were my teachers, would that be unethical? Or is it a win-win situation?

https://redd.it/1rblg1g
@r_bugbounty
Weekly Beginner / Newbie Q&A

New to bug bounty? Ask about roadmaps, resources, certifications, getting started, or any beginner-level questions here!

Recommendations for Posting:

Be Specific: Clearly state your question or what you need help with (e.g., learning path advice, resource recommendations, certification insights).
Keep It Concise: Ask focused questions to get the most relevant answers (less is more).
Note Your Skill Level: Mention if you’re a complete beginner or have some basic knowledge.

Guidelines:

Be respectful and open to feedback.
Ask clear, specific questions to receive the best advice.
Engage actively - check back for responses and ask follow-ups if needed.

Example Post:

"Hi, I’m new to bug bounty with no experience. What are the best free resources for learning web vulnerabilities? Is eJPT a good starting certification? Looking for a beginner roadmap."

Post your questions below and let’s grow in the bug bounty community!

https://redd.it/1rfe0bv
@r_bugbounty
Weekly Collaboration / Mentorship Post

Looking to team up or find a mentor in bug bounty?

Recommendations:

Share a brief intro about yourself (e.g., your skills, experience in IT, cybersecurity, or bug bounty).
Specify what you're seeking (e.g., collaboration, mentorship, specific topics like web app security or network pentesting).
Mention your preferred frequency (e.g., weekly chats, one-off project) and skill level (e.g., beginner, intermediate, advanced).

Guidelines:

Be respectful.
Clearly state your goals to find the best match.
Engage actively - respond to comments or DMs to build connections.

Example Post:
"Hi, I'm Alex, a beginner in bug bounty with basic knowledge of web vulnerabilities (XSS, SQLi). I'm looking for a mentor to guide me on advanced techniques like privilege escalation. Hoping for bi-weekly calls or Discord chats. Also open to collaborating on CTF challenges!"

https://redd.it/1rclbg7
@r_bugbounty
Prompt Rewriter

https://reddit.com/link/1rgozuo/video/iqw51ueby4mg1/player

Hello guys! Today I want to show you my project that I built to help bug hunters and pentesters use AI without running into issues. This project rewrites your prompts, from ones that might get rejected by AI to ones that are more likely to be accepted. Check out this tutorial video.

https://redd.it/1rgozuo
@r_bugbounty
bugsnag api key exposure

Hey all, I found a Bugsnag API key exposure. I know it's not considered a bug by the bug bounty program, but I created a script which does large-scale log pollution that exhausts the Bugsnag monthly quota, and I was able to set the severity level to error and trigger automated downstream alerts. With all these impacts, is it now considered a valid vuln worth a bounty?

https://redd.it/1rgt6r5
@r_bugbounty
New Hacker Spotlight with Marc-Oliver Munz (c1phy)!
https://redd.it/1rg0otw
@r_bugbounty
KYC in Yeswehack different from bank name

Hi,

In the YesWeHack KYC process I used my passport last and first names. However, in my bank account the last name is different. Will this be an issue when I try to withdraw? How do I fix this?

https://redd.it/1rft0ba
@r_bugbounty
Human-Led Bug Hunting and Report Validation with an AI Agent

I have been building a tool to offload appsec testing and report review, without removing me from the center of testing and judgment. I think LLMs are useful for making easy work easier, but still not good enough for fully autonomous complex security testing.

I’d love feedback on this: https://github.com/go-appsec/toolbox

You can run `go-appsec/toolbox` standalone or with Burp (via their MCP extension). In either case it gives an agent shared tools for proxy history, request replay/mutation, OAST, as well as utilities for reviewing the interactions for reflections, changes, encoded values, etc.

What I think makes `go-appsec/toolbox` different is the workflow model. Agents like to work in one of two modes:

1. Do everything for you it can

2. Do nothing for you and step you through the process like you're a child

#1 skips over what the agent can't do, or doesn't have the problem context to try. And #2 is not helpful at all. I built this to stay in the middle: I handle auth/UI and direct the process, while the agent handles permutations, monotony, and review support.

It hasn’t necessarily made me faster, but it has made my testing better. I’ve found hidden details I probably would have missed, and some tasks much easier (particularly in report validation).

If you try it, I’d really value blunt feedback, positive or negative. Depending on feedback I plan to continue to expand to other workflows, and refine how this tool works. Thank you!

https://redd.it/1rhdb9a
@r_bugbounty
Making live connectivity platform for all level of researchers in one place

Hey fellow hunters, I've been doing bug bounty for a while. I always wanted to build a platform which connects every level of researcher live in one place. Bug bounty is one of the few tech fields without any real support system.
There's no union, no labor association, and no shared help desk. So I made a chat platform called https://greyhat.online. I honestly want reviews. Right now, for login use any username and a password of 5+ characters.

Key points:
- Anyone can ask doubts and help others (no invite-only gates)
- Privacy-focused: no real names required, minimal data collection
- Basic protections in place (rate limiting, abuse prevention, Zero Trust)

Features to be added over the next 3 months:
1) well-supported mental care within the community. This is much needed; we have all faced such situations in bug bounty
2) a free advanced lab for everyone
3) a forum with career guidance etc.
4) transparency and a voice, because we face some rejections just because the triager thinks an eligible finding is not eligible, especially with new hunters.

Thank you

https://redd.it/1rfiaqs
@r_bugbounty
iOS bug bounty please help

I don't understand. Programs will list their iOS App Store app. But then they have SSL pinning, so you can't route traffic through Burp. They also say no jailbreak, so you can't decrypt the IPA and bypass SSL pinning. Am I missing something? How is it possible to test iOS in 2026? No jailbreak; it is possible to get the IPA, but it's encrypted so you can't bypass SSL pinning. Any tips or help please?

https://redd.it/1rf36pj
@r_bugbounty
Immunefi experience

Just here to vent a little bit and share my Immunefi experience so far.

I have been a bug bounty hunter for a couple of years now, mainly on HackerOne.

Recently I found out you can earn good money on Web3 targets. I first mainly focussed on DoS attacks, because they are easy to PoC, as it really helps to have a video in your submission when reporting to HackerOne. This went quite well, got some valid bugs here and there and some reports currently confirmed/in triage.

My colleague mentioned Immunefi, because they mainly have Web3 targets. So I started hacking there 2 weeks ago. It didn't start great, the first report was in a feature that wasn't in use yet, so it was closed. Although that doesn't say it isn't a good report, they even have a whole blog post about it: https://immunefisupport.zendesk.com/hc/en-us/articles/27871612917649-Attacks-Involving-Undeployed-Code-on-GitHub-or-Equivalent-for-Smart-Contract-Impacts. But after that I became a little more careful, to not report that anymore and better save that for later when it is introduced on mainnet.

Then I had a confirmed finding, but later somehow the triager of the program started to question my PoC, while I had a clear video showing what was happening. But that was still open, together with another medium finding, which I did not hear anything about for 2 weeks either.

After that I had a few duplicates, 2 or 3 and a finding which didn't impact mainnet as much. This is something I can hardly test, because in my PoC on testnet the node went down, but fair enough, this happens.

Yesterday I decided to report another finding, and this morning I got the following message:

"Thank you for your participation on Immunefi. We're reaching out to inform you that your account was autobanned due to your submissions falling below our minimum accuracy requirements. As a result, any active reports associated with your account will now be closed. This decision is final and any attempt to create a new account will also result in a ban. Thank you for your understanding, The Immunefi Team"


So somehow my latest report got closed, but I never saw the reason, as I can't log in. It could also be a duplicate, but my account is banned so I can't even see why.

I have been hunting on Immunefi for hours, you could call it full-time, for the last two weeks, so I am pretty cranky about the situation. The platform is not really friendly towards people just starting out on their platform. I get that you ban people that spam programs, beg for bounties or report random AI slop. But this is pretty harsh; you could better flag accounts for a manual check instead of autobanning.

I've contacted support today and hope for a good outcome, as I still have 2 mediums open (which are auto closed now?) and a medium finding in draft.

Anyone with the same experience, how did that turn out?

https://redd.it/1rema1i
@r_bugbounty
api key exposure

Hey, while hunting I found an API key in a platform's source page which was showing data like the target account's user ID, backend search ID, primary host password and many other things of any account in any specific location. Is that a vuln?

https://redd.it/1rhsq39
@r_bugbounty
Reflected Cookie Input Without Sanitization
https://redd.it/1rigu3f
@r_bugbounty