Is a Medium subnoscription worth it?

I am just starting out in bug bounty and have seen a lot of write ups / blog posts from Medium. Some have been free to access others are behind their members only paywall. Is it worth it to get the membership? Do a majority articles related to cybersecurity and bug bounty have substance or are they most flash and a waste of money?

https://redd.it/1pwovsr
@r_bugbounty

How realistic is it for a beginner to earn $500 per month after three months of study?

Is it true that the first few months of bug bounty won't make any money? But if someone studies hard, how long will it take them to earn around $500 per month from bug bounty? Can these bugs help me get a job in cybersecurity more easily, even as a beginner?Thanks in advance

https://redd.it/1pwpo67
@r_bugbounty

Submitted a serious access control bug — no reply yet. Looking for thoughts on duplicate chances & bounty range


Hey folks,

I recently submitted a security report to a large bug bounty program involving a broken access control / session invalidation issue.

In short (keeping details vague):

A contributor whose permissions were revoked could still perform unauthorized actions as long as an editor session remained active

Actions were confirmed to affect the owner’s account (not just UI-level changes)

The issue goes beyond cosmetic changes and allows limited destructive actions

Once the session is refreshed, access is correctly revoked — so it looks like failure to immediately invalidate active sessions

The report is currently “New” with no response yet (it’s been a few hours).
The program only lists P1 and P2 reward ranges, no P3/P4.

I wanted to get some community perspective on a few things:

Response timing – Is it normal to hear nothing in 3 days?

Duplicate likelihood – For bugs like permission persistence / session invalidation, are these commonly duplicated or still often accepted if well-demonstrated?

Severity expectation – Would you generally consider this closer to:

Broken Access Control

Failure to Invalidate Session

Bounty expectations – In programs that only specify P1/P2, does that usually mean:

Everything valid gets mapped into P1/P2, or

Lower-severity valid bugs sometimes get no reward?

Any advice on how triagers usually look at these bugs would be appreciated.

Not looking for hype — just trying to calibrate expectations and learn from others’ experience.

Thanks in advance 🙏

https://redd.it/1pwtf3s
@r_bugbounty

email change + password change before confirmation create unexpected auth behavior

I’m logged into my account using Email A. I start changing my email to Email B, and a confirmation link is sent to Email B.

Before confirming that link, while I’m still logged in as Email A, I change my account password.

I then attempted to log in using Email B with the new password- this failed.

Then i confirmed the link which was sent to Email B

After confirming, I’m able to log in using Email B + the password I set earlier (the password that was changed before Email B was verified).

Is this expected behavior, or should password changes be blocked or re-verified until the new email is confirmed?

https://redd.it/1pwu0cd
@r_bugbounty

Burgerking

Hello Community,

i found some seriouse vulnerability in bugerking that leads to PII leaks. For weeks now i am waiting on response but nothing so far. Anyone got an advice on how to get in touch with them?

https://redd.it/1pwvzga
@r_bugbounty

Stuck in "Signal Hell": Analyst dismissed a successful 10 ETH theft on a Sepolia fork as "Theoretical."

_Note: I am a native Japanese speaker using translation. I specialize in low-level languages and CTFs._

I’m looking for advice on a "false negative" involving a major Web3 library (listed as a Critical-eligible asset). I'm currently stuck in "Signal Hell" due to mistakes when I was a beginner, and now my valid findings are being ignored by triage.

**My Background:** I started as a beginner on bug bounty platforms and unfortunately tanked my Signal early on with OOS reports. However, coming from a background in **CTF, RoboCup Junior, and C/C++**, I shifted my focus to deep source code analysis. Recently, I discovered a **Critical privilege escalation** in a major Smart Contract Account library.

**The Evidence Provided:** I provided a comprehensive report to the project, including:

\- **A complete Foundry (Forge) PoC.**

\- **A specific Fork URL for the Sepolia Testnet** where the official bytecode is deployed.

\- **Proof of Exploit on Fork:** I successfully executed the exploit on a Sepolia fork. To prove the logic holds, I demonstrated draining assets to the attacker's address.

\- **Execution Trace:** The trace clearly shows the victim's account calling the attacker's fallback with 10 ETH (simulated via `vm.deal` on the victim for impact proof).

\- **A video recording** showing the exploit running in real-time, resulting in asset drainage and permanent admin lockout on the fork environment.

**The Response from Triage:** Despite the evidence, the analyst closed it as **Informative**, stating:

\> _"The attack chain is based on theoretical code interaction... the PoC appears to simulate behavior rather than exploiting a true vulnerability... Multi-layered protections are in place."_

They seem to believe that because I used `vm.deal` to set the victim's balance for the test, the vulnerability itself is "simulated." They are completely ignoring the fact that the **logic** being exploited is the actual live bytecode from the testnet.

**My Question:** Since my Signal is negative, I don't have the "Request Mediation" button on the platform.

1. How can I get a specialist who understands Foundry traces and EVM quirks to review this?

2. Is there any way to escalate when the triage doesn't recognize a Fork-test against live bytecode as "practical" proof?

3. Am I stuck in "Signal Hell" forever, even with a working Critical exploit?

https://redd.it/1px04sa
@r_bugbounty

Question about SQL and xss

Is there still any SQL and XSS injection?? It's so hard to find one for me, sometimes I think here might be xss, but the waf blocked me

https://redd.it/1pxc4l2
@r_bugbounty

Should i start in SOC or Penetration testing

Hi, i am really confused to get into SOC and land a good job entry level and at this while do bug hunting and study offensive or get into offensive directly. My problem that i like the offensive way but in my country or in some areas, the offensive entry level jobs are few and needs some long time studying and practicing more the defensive, qnd i need to get into a job soon as i want experience and money for certificates, if can someone give me such an advice i would be so grateful thank u.

https://redd.it/1pxd1n7
@r_bugbounty

Full Account Takeover via Reusable Opaque Account Identifier (Missing Server-Side Invalidation)

Hey guys, I need clarification on whether the scenario mentioned below is a real, valid bug, rather than a P5, N/A, or non-issue.

The application uses an opaque cookie value (Opaque_target_en) as the sole identifier for determining user account identity.
Although a new identifier is issued on each login, previously issued identifiers are never invalidated.
By reusing an older identifier in the cookie, an attacker can fully impersonate another user’s account, even after the victim logs out and receives a new identifier.
This allows unauthorized access to the victim’s personal data and account functionality.
The issue represents a broken authentication and access control flaw caused by missing server-side token invalidation.

Although possession of the opaque identifier is required to exploit the issue, this identifier is an application-generated authentication artifact whose lifecycle, scope, and revocation are solely enforced server-side. The vulnerability arises from the server continuing to trust previously issued identifiers without validation or invalidation, rather than from the method by which the identifier is obtained.

https://redd.it/1pxkpi4
@r_bugbounty

Permanent OAuth Account Takeover via Email Preference Collision

Hey guys, I need clarification on whether the scenario mentioned below is a real, valid bug, rather than a P5, N/A, or non-issue.



Summary
An attacker can achieve a permanent account takeover against any user who changes their email preference, due to a flawed authentication design where the system uses the email preference field for OAuth Google login lookups. This enables the attacker to bind the victim’s Google account to their own attacker-controlled account after the victim performs a legitimate email update. Once taken over, the victim is persistently routed into the attacker’s account every time they attempt to log in using Google OAuth—even across multiple logout and login cycles.

https://redd.it/1pxmlhz
@r_bugbounty

Is information disclosure with wp-json endpoints considered?

Found out an interesting endpoint /wp-json/wp/v2/users of a service leaking some name slugs avatars link

Found a potential email from slug thinking it's for a username it does leak with Gmail-com wordpress login proves the email exists but password is not exposed

Will it classify as information disclosure the bug bounty accepts some information disclosure vuln
But a case like this will it be accepted?

Im really new to bug bounty so some tips in these scenarios can be appreciated.

Thanks!

https://redd.it/1pxpuxn
@r_bugbounty

built the best no code opensource security automation platform (kinda)

Most bug bounty hunters I know rely on a bunch of different tools. Nuclei for templates, maybe Semgrep for code analysis, plus a lot of manual checking. It works, but everything feels scattered.

I was doing the same thing. Scripts everywhere, some half broken, some forgotten. Instead of adding yet another noscript, I decided to build something that actually helps orchestrate the tools properly.

That turned into ShipSec Studio, which we open sourced. It’s a no-code way to chain security tools together using a drag and drop workflow builder, without writing brittle Python or bash glue.

What people are using it for:

* Run Nuclei templates and automatically follow up with deeper analysis
* Recon workflows that combine multiple tools and unify results
* Mass scanning with Trivy or similar scanners on schedules
* Scanning every build before release and auto-creating tickets
* Reusable, versioned workflows you can share with a team

Repo: [github.com/shipsecai/studio](http://github.com/shipsecai/studio)
Live: [studio.shipsec.ai](http://studio.shipsec.ai)

Feel free to try it out. If it’s useful, a star is appreciated. If you run into issues or have ideas, DM me. I’m iterating fast.

https://redd.it/1pxsvih
@r_bugbounty

smuggler v1.1 tool false positive

Anyone here been using smuggler v1.1 tool?

Got this results, however when i tried running it again it is not flagging anymore. Already encountered similar results from other target, flag once then running the scan again.

Results on 1st run:

[endspace-ff\] : OK (TECL: 0.14 - 501) (CLTE: 0.13 - 501)

[xprespace-ff\] : Potential CLTE Issue Found - GET @ hxxps://endpoint.redacted.com/ - default[.\]py

[CRITICAL\] : CLTE Payload: /home/kali/Documents/python-noscripts/tools/smuggler/payloads/https_endpoint_redacted_com_CLTE_xprespace-ff.txt URL: hxxps://endpoint.redacted.com/

[endspacex-ff\] : OK (TECL: 0.16 - 501) (CLTE: 0.15 - 501)


Results after retry:

[postspace-ff\] : OK (TECL: 0.13 - 400) (CLTE: 0.13 - 400)

[prespace-ff\] : OK (TECL: 0.34 - 200) (CLTE: 0.42 - 200)

[endspace-ff\] : OK (TECL: 0.13 - 501) (CLTE: 0.12 - 501)

[xprespace-ff\] : OK (TECL: 0.35 - 200) (CLTE: 0.74 - 200)

[endspacex-ff\] : OK (TECL: 0.10 - 501) (CLTE: 0.13 - 501)



https://redd.it/1pxxftn
@r_bugbounty

Public programs are too competitive

Is it a good strategy to build up my reputation through VDP for a while and then earn bounty money once I get invited to private programs?

More importantly, do you actually get invited to private programs just by building a reputation through VDPs?

https://redd.it/1pye7nw
@r_bugbounty

Any better ways for finding XSS and IDOR?

So basically, most of my work relies on automated tools. First, I use parameter discovery tools and save the results in a folder. Then I crawl for IDOR-related parameters. For XSS, I use Dalfox, which automates payload testing on the parameters file. Sometimes I also do manual testing when I find parameters that look really promising.
Is this a good approach, or do you have better tools or workflows to recommend? There are literally so many subdomains to hunt, and even more vulnerabilities to figure out.

https://redd.it/1pyenp4
@r_bugbounty

Weekly Collaboration / Mentorship Post

Looking to team up or find a mentor in bug bounty?

Recommendations:

Share a brief intro about yourself (e.g., your skills, experience in IT, cybersecurity, or bug bounty).
Specify what you're seeking (e.g., collaboration, mentorship, specific topics like web app security or network pentesting).
Mention your preferred frequency (e.g., weekly chats, one-off project) and skill level (e.g., beginner, intermediate, advanced).

Guidelines:

Be respectful.
Clearly state your goals to find the best match.
Engage actively - respond to comments or DMs to build connections.

Example Post:
"Hi, I'm Alex, a beginner in bug bounty with basic knowledge of web vulnerabilities (XSS, SQLi). I'm looking for a mentor to guide me on advanced techniques like privilege escalation. Hoping for bi-weekly calls or Discord chats. Also open to collaborating on CTF challenges!"

https://redd.it/1pypyw6
@r_bugbounty

Can someone provide the resource link for these books.ie, GitHub repository?

1. The Linux Command Line: A Complete Introduction
Author: William Shotts
2. The Basics of Hacking and Penetration Testing
Author: Patrick Engebretson
3. CompTIA Network+ Certification All-in-One Exam Guide (Exam N10-008 or N10-007)
Author: Mike Meyers
4. Real-World Bug Hunting: A Field Guide to Web Hacking
Author: Peter Yaworski
5. The Hacker Playbook 3: Practical Guide to Penetration Testing
Author: Peter Kim


https://redd.it/1pz7y57
@r_bugbounty

my approach in bug bounty

I literally waste my 2025 due to lack of discipline and misleading approach. In starting of 2025 i just waste the time of doing only tryhackme and other labs, and currently I decided to only read disclosed writeups and doing bug hunting on real world and in doing bug bounty I only pick 1 target in bugcrowd and observe how the application works like i go everywhere in application fetch every request with the help of burpsuite and see every paramter and understand each parameter working and also oberve how application react when I do the normal user actions and when i perform the unexpected actions. But in these I can't able to do xss because I only read xss blogs but doing bug hunting as i mentioned above due to this I am not able to test xss. I stucked that what I need to do, is my approach is in a right way or need some better modifications

https://redd.it/1pz8va8
@r_bugbounty

Is this suppose to happen..?

I recently just got home from college and I keep hearing this noise but I didn’t know where it was the first night and come the second night I had my dad check my room and he checked three different times and there was nothing around so now it’s the fourth night and there’s this running or like scratching noise inside my drawer, but there’s nothing inside the drawer or around or under so I believe that it’s inside the wood around the dressers. Do we know what this could be? should I be scared? or do I go to bed?

https://redd.it/1pzayqc
@r_bugbounty

From Desktop To Macos

hello guys i wanna ask you about switching from linux to macbook i have desktop pc is ryzen 5 3600 and rtx 3060 12 g and 16g ram and i want to switch to MacBook air m2 16 2022 because i got bored from learning in the same place i wanna start going outside to learn there’s no problem with macos

https://redd.it/1pzbe8z
@r_bugbounty