I found a bug validated by a triager and lost 5 points
Chain of bugs that leads to something high/crit. The bug got duplicated and I lost 5 points, which means it was a duplicate of an N/A report.
But I don't understand, because it's not out of scope.
My theory is that they took one of the bugs of the chain as a duplicate (the bug in isolation has no impact) so they could close the bug and not pay me.
I asked for remediation and to be invited to the duplicate report.
But I know I will have 0 responses :)
Some programs treat you like a slave, that's crazy.
Is there any other platform that is better than HackerOne?
https://redd.it/1pvyl6a
@r_bugbounty
My report is closed as Informative; I believe it shouldn't be
Hi everyone, I’d appreciate a sanity check from the community.
I discovered a session persistence issue where sessions are not invalidated after logout or password reset.
When I reported this, triage responded that session persistence alone is non-impactful because once a session is compromised, keeping it active does not add new privileges beyond the initial compromise.
I then demonstrated a chained scenario: using the still-valid compromised session, the attacker invites an attacker-controlled account to the victim’s workspace and grants editor access.
The attacker can then log in with their own account and retain long-term workspace access, independent of the stolen session.
Triage responded with the same reasoning, stating that no new privileges were gained beyond what the compromised session already allowed.
My question is:
Does converting a stolen session into persistent, attacker-controlled workspace access (via invitation/role assignment) constitute a meaningful security impact or privilege escalation?
Or is triage correct in treating this as non-impactful because the attacker already had the same permissions via the stolen session?
I’m trying to understand whether this chaining is considered a valid security impact or if I’m misunderstanding the boundary here.
https://redd.it/1pw0ldi
@r_bugbounty
Pinakastra: AI-Based Penetration Testing Framework
I've developed Pinakastra, an open-source penetration testing framework that integrates AI-based exploitation testing for automated vulnerability discovery. The framework automates the complete security assessment pipeline from reconnaissance through active exploitation.
The tool performs multi-source subdomain enumeration using eight passive intelligence sources, conducts live host detection, and executes AI-based vulnerability testing for cross-site scripting, SQL injection, server-side request forgery, insecure direct object references, and path traversal vulnerabilities. The AI component analyzes target responses and generates context-aware bypass payloads designed to evade web application firewalls.
Built in Go with local AI inference, eliminating external API dependencies. The architecture produces structured reports in JSON, CSV, and text formats suitable for security operations workflows.
Contributions are welcome. I'm looking for collaborators to expand detection capabilities, add new vulnerability modules, and optimize performance. Fork the repository and submit pull requests to help improve this tool for the security community.
GitHub: https://github.com/who0xac/Pinakastra
Feedback on detection methodology and additional vulnerability classes to prioritize is appreciated.
https://redd.it/1pw20bq
@r_bugbounty
Site not invalidating sessions in other devices after password change.
I'm new to bug bounty, so instead of deep technical bugs I was looking for logical flaws.
I found that a site was not invalidating sessions even after a password change.
For example, if I am logged into browsers A, B, C and even another device with the same account, and I changed my password from browser A, I was never logged out from the other sessions and could technically make any changes.
That means all other browser/device sessions were still valid even after the password change from browser A.
I reported this and it was marked as informative saying:
"Session persistence after account changes is bad practice at worst, not a security vulnerability."
I even gave a reference of a public report having the exact same issue and it was triaged. Guess those won't do the job.
Was it always meant to be informative or not?
https://redd.it/1pw0dc2
@r_bugbounty
XSS is no longer easy
XSS today is not what it was years ago, when it was often low-hanging fruit. Poor input validation, raw reflections, and weak frameworks made it easy to inject JavaScript. Today, most modern applications are built with security in mind from the start.
Because of CSP + frameworks + WAFs,
finding XSS means understanding browser behavior, JavaScript execution contexts, CSP bypasses, encoding differences, and framework internals. It rewards skill, patience, and reasoning—not payload dumping.
https://redd.it/1pw5xpl
@r_bugbounty
How do I start?
Hello, redditors. If you're reading this, thank you. Basically, I'm 18 years old and I casually started looking for vulnerabilities in 2022. I have a shallow understanding of what vulnerabilities to look for and how (I want to make money from this.)
I wanted to know if you recommend any YouTube channels that teach how to do this, or websites. Thank you!
https://redd.it/1pwc8zg
@r_bugbounty
A small contribution to this field
I have created a passive recon site (it needs some changes). Suggest some functionality that I can integrate into it.
https://open-sight-six.vercel.app/
https://redd.it/1pwc0a4
@r_bugbounty
How to guarantee that I will be able to find bugs after I learn?
I want to learn cybersecurity but I find many people saying that they fail to find bugs for months.
What should I learn or do to be able to think out of the box and not struggle to find bugs after learning?
https://redd.it/1pwpoyp
@r_bugbounty
How much do you make per hour?
I'm an attorney and studied CS as a minor in undergrad (went halfway, then dropped it because I could graduate early). However, I don't want to lose the skills and want to brush up. Would you say bug bounties are worth it for someone already making six figures?
https://redd.it/1pwqqwt
@r_bugbounty
Is a Medium subscription worth it?
I am just starting out in bug bounty and have seen a lot of write-ups / blog posts on Medium. Some have been free to access, others are behind their members-only paywall. Is it worth it to get the membership? Do the majority of articles related to cybersecurity and bug bounty have substance, or are they mostly flash and a waste of money?
https://redd.it/1pwovsr
@r_bugbounty
How realistic is it for a beginner to earn $500 per month after three months of study?
Is it true that the first few months of bug bounty won't make any money? But if someone studies hard, how long will it take them to earn around $500 per month from bug bounty? Can these bugs help me get a job in cybersecurity more easily, even as a beginner? Thanks in advance.
https://redd.it/1pwpo67
@r_bugbounty
Submitted a serious access control bug — no reply yet. Looking for thoughts on duplicate chances & bounty range
Hey folks,
I recently submitted a security report to a large bug bounty program involving a broken access control / session invalidation issue.
In short (keeping details vague):
A contributor whose permissions were revoked could still perform unauthorized actions as long as an editor session remained active
Actions were confirmed to affect the owner’s account (not just UI-level changes)
The issue goes beyond cosmetic changes and allows limited destructive actions
Once the session is refreshed, access is correctly revoked — so it looks like failure to immediately invalidate active sessions
The report is currently “New” with no response yet (it’s been a few hours).
The program only lists P1 and P2 reward ranges, no P3/P4.
I wanted to get some community perspective on a few things:
Response timing – Is it normal to hear nothing in 3 days?
Duplicate likelihood – For bugs like permission persistence / session invalidation, are these commonly duplicated or still often accepted if well-demonstrated?
Severity expectation – Would you generally consider this closer to:
Broken Access Control
Failure to Invalidate Session
Bounty expectations – In programs that only specify P1/P2, does that usually mean:
Everything valid gets mapped into P1/P2, or
Lower-severity valid bugs sometimes get no reward?
Any advice on how triagers usually look at these bugs would be appreciated.
Not looking for hype — just trying to calibrate expectations and learn from others’ experience.
Thanks in advance 🙏
https://redd.it/1pwtf3s
@r_bugbounty
Email change + password change before confirmation creates unexpected auth behavior
I’m logged into my account using Email A. I start changing my email to Email B, and a confirmation link is sent to Email B.
Before confirming that link, while I’m still logged in as Email A, I change my account password.
I then attempted to log in using Email B with the new password; this failed.
Then I confirmed the link which was sent to Email B.
After confirming, I’m able to log in using Email B + the password I set earlier (the password that was changed before Email B was verified).
Is this expected behavior, or should password changes be blocked or re-verified until the new email is confirmed?
https://redd.it/1pwu0cd
@r_bugbounty
Burger King
Hello Community,
I found a serious vulnerability in Burger King that leads to PII leaks. For weeks now I have been waiting on a response, but nothing so far. Anyone got advice on how to get in touch with them?
https://redd.it/1pwvzga
@r_bugbounty
Stuck in "Signal Hell": Analyst dismissed a successful 10 ETH theft on a Sepolia fork as "Theoretical."
_Note: I am a native Japanese speaker using translation. I specialize in low-level languages and CTFs._
I’m looking for advice on a "false negative" involving a major Web3 library (listed as a Critical-eligible asset). I'm currently stuck in "Signal Hell" due to mistakes when I was a beginner, and now my valid findings are being ignored by triage.
**My Background:** I started as a beginner on bug bounty platforms and unfortunately tanked my Signal early on with OOS reports. However, coming from a background in **CTF, RoboCup Junior, and C/C++**, I shifted my focus to deep source code analysis. Recently, I discovered a **Critical privilege escalation** in a major Smart Contract Account library.
**The Evidence Provided:** I provided a comprehensive report to the project, including:
- **A complete Foundry (Forge) PoC.**
- **A specific Fork URL for the Sepolia Testnet** where the official bytecode is deployed.
- **Proof of Exploit on Fork:** I successfully executed the exploit on a Sepolia fork. To prove the logic holds, I demonstrated draining assets to the attacker's address.
- **Execution Trace:** The trace clearly shows the victim's account calling the attacker's fallback with 10 ETH (simulated via `vm.deal` on the victim for impact proof).
- **A video recording** showing the exploit running in real-time, resulting in asset drainage and permanent admin lockout on the fork environment.
**The Response from Triage:** Despite the evidence, the analyst closed it as **Informative**, stating:
> _"The attack chain is based on theoretical code interaction... the PoC appears to simulate behavior rather than exploiting a true vulnerability... Multi-layered protections are in place."_
They seem to believe that because I used `vm.deal` to set the victim's balance for the test, the vulnerability itself is "simulated." They are completely ignoring the fact that the **logic** being exploited is the actual live bytecode from the testnet.
**My Question:** Since my Signal is negative, I don't have the "Request Mediation" button on the platform.
1. How can I get a specialist who understands Foundry traces and EVM quirks to review this?
2. Is there any way to escalate when the triage doesn't recognize a Fork-test against live bytecode as "practical" proof?
3. Am I stuck in "Signal Hell" forever, even with a working Critical exploit?
https://redd.it/1px04sa
@r_bugbounty
Question about SQL and xss
Is there still any SQL and XSS injection? It's so hard for me to find one; sometimes I think there might be XSS, but the WAF blocked me.
https://redd.it/1pxc4l2
@r_bugbounty
Should I start in SOC or penetration testing?
Hi, I am really confused about whether to get into SOC and land a good entry-level job, and meanwhile do bug hunting and study offensive security, or get into offensive directly. My problem is that I like the offensive way, but in my country, or in some areas, the offensive entry-level jobs are few and need a long time of studying and practicing, more than the defensive ones, and I need to get into a job soon as I want experience and money for certificates. If someone can give me such advice I would be so grateful, thank you.
https://redd.it/1pxd1n7
@r_bugbounty
Full Account Takeover via Reusable Opaque Account Identifier (Missing Server-Side Invalidation)
Hey guys, I need clarification on whether the scenario mentioned below is a real, valid bug, rather than a P5, N/A, or non-issue.
The application uses an opaque cookie value (Opaque_target_en) as the sole identifier for determining user account identity. Although a new identifier is issued on each login, previously issued identifiers are never invalidated.
By reusing an older identifier in the cookie, an attacker can fully impersonate another user’s account, even after the victim logs out and receives a new identifier.
This allows unauthorized access to the victim’s personal data and account functionality.
The issue represents a broken authentication and access control flaw caused by missing server-side token invalidation.
Although possession of the opaque identifier is required to exploit the issue, this identifier is an application-generated authentication artifact whose lifecycle, scope, and revocation are solely enforced server-side. The vulnerability arises from the server continuing to trust previously issued identifiers without validation or invalidation, rather than from the method by which the identifier is obtained.
https://redd.it/1pxkpi4
@r_bugbounty
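Several posts above hinge on the same server-side rule: the workspace-invite chain that outlives logout, the password change that leaves other devices logged in, the revoked contributor who keeps acting until a "session refresh", the email change followed by a password change, and the old cookie identifier that is never invalidated. In each case the fix is that the session record on the server, not the cookie, decides validity, and that it is checked on every request. The store below is an added example written for this page, not code from any of the posts or from the applications they describe. `User`, `Session` and `SessionStore` are hypothetical names, the users are constructed inline, and abandoning an unverified email change on password change is one defensible policy rather than the only one.

```python
# Added example (not code from any post or application above): an opaque-token
# session store where the server record, not the cookie, decides validity.
# User, Session and SessionStore are hypothetical names; users are built inline.
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    user_id: str
    password_hash: str
    auth_version: int = 0                                # bumped on password change
    roles: Dict[str, str] = field(default_factory=dict)  # workspace_id -> role
    pending_email: Optional[str] = None                  # unverified email change


@dataclass
class Session:
    user_id: str
    auth_version: int     # the user's auth_version when the session was issued
    expires_at: float


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self._sessions: Dict[str, Session] = {}

    def login(self, user: User, ttl_seconds: int = 3600) -> str:
        self.users[user.user_id] = user
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user.user_id, user.auth_version,
                                        time.time() + ttl_seconds)
        return token

    def resolve(self, token: str) -> Optional[User]:
        """User for a token, or None if it is unknown, expired, or predates the
        user's last password change (the "old identifier" case)."""
        sess = self._sessions.get(token)
        if sess is None or sess.expires_at < time.time():
            self._sessions.pop(token, None)
            return None
        user = self.users[sess.user_id]
        if sess.auth_version != user.auth_version:
            self._sessions.pop(token, None)
            return None
        return user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)   # delete server-side; expiring the cookie is not revocation

    def change_password(self, user: User, new_hash: str) -> str:
        user.password_hash = new_hash
        user.auth_version += 1            # every session issued so far is now dead
        user.pending_email = None         # an unverified email change is abandoned
        return self.login(user)           # fresh session only for the device that changed it

    def authorize(self, token: str, workspace_id: str, needed_role: str) -> bool:
        """Role read from the user record on every request; a role cached in the
        session would outlive its revocation."""
        user = self.resolve(token)
        return user is not None and user.roles.get(workspace_id) == needed_role


def password_change_kills_other_devices() -> bool:
    store, victim = SessionStore(), User("victim", "hash-v1")
    browser_a, browser_b = store.login(victim), store.login(victim)
    new_a = store.change_password(victim, "hash-v2")      # changed from browser A
    return (store.resolve(browser_a) is None and store.resolve(browser_b) is None
            and store.resolve(new_a) is victim)


def logout_kills_old_identifier() -> bool:
    store, victim = SessionStore(), User("victim", "hash-v1")
    old = store.login(victim)
    store.logout(old)
    store.login(victim)                                   # new identifier on next login
    return store.resolve(old) is None                     # old one cannot be replayed


def revocation_is_immediate() -> bool:
    store, editor = SessionStore(), User("editor", "hash-e1", roles={"ws-1": "editor"})
    tok = store.login(editor)
    before = store.authorize(tok, "ws-1", "editor")
    del editor.roles["ws-1"]                              # owner revokes the contributor
    return before and not store.authorize(tok, "ws-1", "editor")


def password_change_cancels_pending_email() -> bool:
    store, user = SessionStore(), User("u", "hash-1", pending_email="b@example.com")
    store.change_password(user, "hash-2")                 # link for b@example.com never confirmed
    return user.pending_email is None
```

Whether a program pays for any of these is a triage decision, but the four scenario functions are exactly the checks a triager can re-run against a report: old token after password change, old token after logout, role check after revocation, pending email after password change. A store that fails any of them has the behaviour the posts describe.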
Permanent OAuth Account Takeover via Email Preference Collision
Hey guys, I need clarification on whether the scenario mentioned below is a real, valid bug, rather than a P5, N/A, or non-issue.
Summary
An attacker can achieve a permanent account takeover against any user who changes their email preference, due to a flawed authentication design where the system uses the email preference field for OAuth Google login lookups. This enables the attacker to bind the victim’s Google account to their own attacker-controlled account after the victim performs a legitimate email update. Once taken over, the victim is persistently routed into the attacker’s account every time they attempt to log in using Google OAuth—even across multiple logout and login cycles.
https://redd.it/1pxmlhz
@r_bugbounty
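What "using the email preference field for OAuth lookups" looks like in code, next to the lookup that avoids it: the provider's `sub` claim is the stable identity, and the email claim is used once, only when verified, only against a verified field, and only to create the initial binding. This is an added example for this page, not the application's code; `Account`, `AccountDB` and the ID-token dicts are hypothetical and constructed inline.

```python
# Added example, not the application's code. Account, AccountDB and the
# id_token dicts are hypothetical; the collision scenario is constructed inline.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    account_id: str
    login_email: str                  # verified; changes only via confirmation link
    contact_email: str                # "email preference": editable, never verified
    google_sub: Optional[str] = None  # provider-issued, stable per Google user


class AccountDB:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, acct: Account) -> Account:
        self.accounts[acct.account_id] = acct
        return acct


def vulnerable_oauth_login(db: AccountDB, id_token: dict) -> Optional[Account]:
    """Matches the Google email against contact_email, a field any user can set
    to any value. Whoever claims the victim's address first owns the login."""
    for acct in db.accounts.values():
        if acct.contact_email.lower() == id_token["email"].lower():
            return acct
    return None


def fixed_oauth_login(db: AccountDB, id_token: dict) -> Optional[Account]:
    """1. An account already bound to this `sub` wins, whatever any email says.
    2. Otherwise link by verified email only, against the verified login_email,
       and only to an account that has no binding yet."""
    for acct in db.accounts.values():
        if acct.google_sub == id_token["sub"]:
            return acct
    if not id_token.get("email_verified"):
        return None
    candidates = [a for a in db.accounts.values()
                  if a.google_sub is None
                  and a.login_email.lower() == id_token["email"].lower()]
    if len(candidates) != 1:
        return None
    candidates[0].google_sub = id_token["sub"]   # bind once, on first login
    return candidates[0]


def collision_scenario():
    """Returns (account reached via the vulnerable lookup, via the fixed lookup)."""
    db = AccountDB()
    victim = db.add(Account("acc-victim", "victim@example.com", "victim@example.com"))
    attacker = db.add(Account("acc-attacker", "attacker@example.com", "attacker@example.com"))
    victim_token = {"sub": "sub-victim-1", "email": "victim@example.com", "email_verified": True}

    fixed_oauth_login(db, victim_token)                 # victim's first Google login binds the sub
    victim.contact_email = "victim-new@example.com"     # victim's legitimate preference change
    attacker.contact_email = "victim@example.com"       # attacker claims the freed address

    reached_vuln = vulnerable_oauth_login(db, victim_token)
    reached_fixed = fixed_oauth_login(db, victim_token)
    return reached_vuln.account_id, reached_fixed.account_id
```

The scenario returns `("acc-attacker", "acc-victim")`: with the mutable-field lookup the victim's Google login lands in the attacker's account, and keeps doing so on every login, which is the persistence the post describes. Keyed on `sub`, the same token keeps resolving to the victim regardless of what either party types into the preference field.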
Is information disclosure with wp-json endpoints considered?
Found an interesting endpoint, /wp-json/wp/v2/users, of a service leaking some name slugs and avatar links.
Found a potential email from a slug; thinking it was a username, it does leak with gmail.com. The WordPress login proves the email exists, but the password is not exposed.
Will it classify as information disclosure? The bug bounty accepts some information disclosure vulns,
but will a case like this be accepted?
Im really new to bug bounty so some tips in these scenarios can be appreciated.
Thanks!
https://redd.it/1pxpuxn
@r_bugbounty
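An offline walk of the endpoint in the post above, to separate what `/wp-json/wp/v2/users` actually proves (numeric IDs, slugs, display names, avatar URLs) from what the poster inferred from it (an email address). This is an added example, not from the post; `fetch` is an injected callable so the demo runs against a constructed two-page response, and the sample JSON is made up.

```python
# Added example, not from the post. `fetch` is injected so this runs offline;
# the two-page sample response below is constructed, not captured from a site.
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode

USERS_PATH = "/wp-json/wp/v2/users"
Fetch = Callable[[str], Tuple[int, str]]     # url -> (status, body)


def enumerate_users(fetch: Fetch, base_url: str, max_pages: int = 20) -> List[Dict]:
    """Walk the collection page by page. WordPress caps per_page at 100 and
    answers past the last page with HTTP 400, which ends the walk."""
    users: List[Dict] = []
    for page in range(1, max_pages + 1):
        url = base_url + USERS_PATH + "?" + urlencode({"per_page": 100, "page": page})
        status, body = fetch(url)
        if status != 200:
            break
        batch = json.loads(body)
        if not batch:
            break
        for u in batch:
            users.append({
                "id": u.get("id"),
                "slug": u.get("slug"),            # derived from the login name
                "name": u.get("name"),
                "avatar": (u.get("avatar_urls") or {}).get("96"),
            })
    return users


def candidate_logins(users: List[Dict]) -> List[str]:
    """A slug is the sanitized user_nicename, which WordPress derives from the
    login name. It is a username candidate, not an email: slug@gmail.com is a
    guess until something else (a login error, a password reset) confirms it."""
    return sorted({u["slug"] for u in users if u.get("slug")})


# Constructed sample: two users on page 1, WordPress-style error on page 2.
_SAMPLE_PAGES = {
    1: (200, json.dumps([
        {"id": 1, "name": "Site Admin", "slug": "admin",
         "avatar_urls": {"96": "https://secure.gravatar.com/avatar/abc?s=96"}},
        {"id": 7, "name": "Jane Doe", "slug": "jane.doe",
         "avatar_urls": {"96": "https://secure.gravatar.com/avatar/def?s=96"}},
    ])),
    2: (400, json.dumps({"code": "rest_post_invalid_page_number",
                         "message": "The page number requested is larger than the number of pages available.",
                         "data": {"status": 400}})),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    page = int(url.rsplit("page=", 1)[1])    # last "page=" is the page number
    return _SAMPLE_PAGES.get(page, (404, ""))


def demo() -> Tuple[int, List[str]]:
    users = enumerate_users(sample_fetch, "https://example.com")
    return len(users), candidate_logins(users)
```

For a target that is in scope, pass a function that calls `requests.get(url, timeout=10)` and returns `(r.status_code, r.text)` instead of `sample_fetch`. Two things to keep in the report: unauthenticated, WordPress lists only users who have authored published content on this endpoint, so an empty result does not mean the site has blocked it; and what the endpoint discloses is the username list, which is the part a program will weigh, while the email is only confirmed by the separate login-form behaviour the poster used.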
Built the best no-code open-source security automation platform (kinda)
Most bug bounty hunters I know rely on a bunch of different tools. Nuclei for templates, maybe Semgrep for code analysis, plus a lot of manual checking. It works, but everything feels scattered.
I was doing the same thing. Scripts everywhere, some half broken, some forgotten. Instead of adding yet another script, I decided to build something that actually helps orchestrate the tools properly.
That turned into ShipSec Studio, which we open sourced. It’s a no-code way to chain security tools together using a drag and drop workflow builder, without writing brittle Python or bash glue.
What people are using it for:
* Run Nuclei templates and automatically follow up with deeper analysis
* Recon workflows that combine multiple tools and unify results
* Mass scanning with Trivy or similar scanners on schedules
* Scanning every build before release and auto-creating tickets
* Reusable, versioned workflows you can share with a team
Repo: [github.com/shipsecai/studio](http://github.com/shipsecai/studio)
Live: [studio.shipsec.ai](http://studio.shipsec.ai)
Feel free to try it out. If it’s useful, a star is appreciated. If you run into issues or have ideas, DM me. I’m iterating fast.
https://redd.it/1pxsvih
@r_bugbounty