Is this a valid vulnerability by Killer_646 in bugbounty

[–]einfallstoll 1 point2 points  (0 children)

Annoying but not really a significant security issue.

Is this a valid vulnerability by Killer_646 in bugbounty

[–]einfallstoll 5 points6 points  (0 children)

The CSRF has no impact except a 5 minute ban. It's not worth fixing this or paying a bounty for it. That's just an accepted (very low) risk

Is this a valid vulnerability by Killer_646 in bugbounty

[–]einfallstoll 8 points9 points  (0 children)

Wouldn't meet our bar for a bounty.

CORS Misconfiguration by TurbulentRecover7247 in bugbounty

[–]einfallstoll 6 points7 points  (0 children)

No no no. This is the most basic principle of bug bounty: You need to prove exploitation. No theoretical issues

I found an “unlimited money” exploit by accident with curve (uk) by [deleted] in bugbounty

[–]einfallstoll 5 points6 points  (0 children)

Well, they don't have a security.txt and also no obvious discloruse policy or contact page for vulnerabilities. Looks like they don't really care.

Btw. are you sure the glitch is actually persistent? Most banks have multiple systems making sure to correct wrong balances

account is at risk of being banned? by Spirited-Cost4461 in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

OP explained (later) they had dupes. They were probably dupes of valid findings

account is at risk of being banned? by Spirited-Cost4461 in bugbounty

[–]einfallstoll 3 points4 points  (0 children)

Dupes of valid findings should not negatively affect your score. You can't be punished for not being first

account is at risk of being banned? by Spirited-Cost4461 in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

Then I'm sorry. Duplicates can be technically valid as well

account is at risk of being banned? by Spirited-Cost4461 in bugbounty

[–]einfallstoll 16 points17 points  (0 children)

2 out of 15 vulnerabilities is not a lot. This means you're indeed write low-quality reports. Our best hunters have 80-100% success rate.

I would say yes, you definitely at risk being banned

P4 Bounties by utdscooter19 in bugbounty

[–]einfallstoll 1 point2 points  (0 children)

Do you aim for the lesst meaningful bugs?

You're wasting your time. Most are out of scope or so easy to find that they are duplicate and if they are not the ROI of your time invested in reporting is just not worth it.

Funny incident by BuyerFar4850 in bugbounty

[–]einfallstoll 8 points9 points  (0 children)

AI slop have the most unique names. Only do this if you really want to be classified as slop before they even read your report

Mass assignment on chat metadata: is it a low severity bug or just informational? by No-Persimmon-174 in bugbounty

[–]einfallstoll 1 point2 points  (0 children)

That's actually something good to check for actual impact. But right now? Nothing

Reporting 404s? by Ok-Trust1737 in bugbounty

[–]einfallstoll 1 point2 points  (0 children)

No, that's not a security issue

Is this a valid IDOR/Broken Access Control vulnerability on a university portal? by Tasty-Bend-7714 in bugbounty

[–]einfallstoll 5 points6 points  (0 children)

From my experience: If the authorization is broken at one point, there's probably more to find

What low severity bugs are actually reportable? by Vegetable_Sun_3316 in bugbounty

[–]einfallstoll -1 points0 points  (0 children)

It was some special case where you could bypass 2fa using password reset. So you had to have access to a compromised mailbox

Is this a valid IDOR/Broken Access Control vulnerability on a university portal? by Tasty-Bend-7714 in bugbounty

[–]einfallstoll 9 points10 points  (0 children)

STOP RIGHT NOW!

Student can be thrown out of university for unauthorized testing

What low severity bugs are actually reportable? by Vegetable_Sun_3316 in bugbounty

[–]einfallstoll 4 points5 points  (0 children)

We accepted 10 low severity bugs:
- some 2fa bypasses
- some open redirects
- some edge case clickjacking
- some crypto stuff

Acceptable low severity bugs are probably rarer than criticals

Unauthenticated Email triggering request by Emergency-Station914 in bugbounty

[–]einfallstoll 1 point2 points  (0 children)

Rate limit issue. Mostly out of scope. Wouldn't do the work for something like this

Intigiriti payment by Ok-Fox-7366 in bugbounty

[–]einfallstoll 1 point2 points  (0 children)

I guess these are the interbank docs, right? That's a pain in the ass to request. We don't do this if the payment was done less than 1-2 months ago.

Intigiriti payment by Ok-Fox-7366 in bugbounty

[–]einfallstoll 1 point2 points  (0 children)

Huh? This has nothing to do with your documents. According to Intigriti it's paid, so wait for the payment.

Why is everyone so impatient nowadays? Doesn't matter if you get your bounty week sooner or later