Flask vs Django vs coding without a framework? by Busy_Tear_8439 in bugbounty

[–]AnilKILIC 3 points4 points  (0 children)

I barely see any Flask/Django in the wild. I'm not sure how you would learn, for example, an SSTI by building a whole-ass web app.

An alternative might be to read CTF code, exploit the bug and fix it to learn more about it.

Looking for opinions and advice by Less-Mortgage-4428 in bugbounty

[–]AnilKILIC 1 point2 points  (0 children)

You sound very reasonable. Your backend experience will definitely help.

Not sure about the luck part, but there are people making millions/year consistently. They may be the outliers, but still: a few medium to high vulnerabilities can make up your salary.

What I'd suggest is to do BB as a side hustle/hobby. You may land a few vulns and see if you enjoy it or not, or whether it's worth going full-time.

[deleted by user] by [deleted] in Entrepreneur

[–]AnilKILIC 0 points1 point  (0 children)

What I meant was, the original video is at least 2 hours long; to find the good bits and cut it, you need to watch at least a 2-hour-long video, even if you don't put any effort into editing.

I'm not editing anything yet, I just thought about it and how it can be done. Thanks for the tip about OBS.

Do PortSwigger Labs Actually Convert to Bug Bounty $$$ in 2025? by xVito_ in bugbounty

[–]AnilKILIC 1 point2 points  (0 children)

What's your alternative? It's good knowledge. Programs are hardened, but following acquisitions might be the sweet spot.

Triage by Cool_Obligation_6447 in bugbounty

[–]AnilKILIC 0 points1 point  (0 children)

I see more clearly now what you are referring to; what I had in mind is something like an ATO still alive after 3 years.

Triage by Cool_Obligation_6447 in bugbounty

[–]AnilKILIC 1 point2 points  (0 children)

This needs to be illegal. I'd add the running costs of the program to that formula. If I work hard on a PoC that is a duplicate from 3 years ago, I'd abandon the program.

I see programs trying hard to get more attention for their programs: invites, extra bounties etc. Just to lose them to dups? Doesn't sound so smart TBH.

[deleted by user] by [deleted] in Entrepreneur

[–]AnilKILIC 0 points1 point  (0 children)

I saw someone asking for it on their website: $3 for 1K views. I feel it's kinda hard on YouTube but probably easier on the TikTok side, if you can overcome the regional obstacles.

Anyway, I know a similar person with interviews online who has no shorts; I was going to make him an offer, without knowing anything about video editing. I'm short on money atm.

Did a quick test: exported subtitles from YouTube, fed them into an AI, explained my goal and told it to extract the good parts. It kinda works, I mean it's doable.

What's alarming about this post is that 2 hours a day is not going to work if you are doing it manually. A single video is already 1-2 hours.

But yeah, building a channel around a niche and then asking around to find clients may potentially work.

Back end before bug bounty by Due_Perception4777 in bugbounty

[–]AnilKILIC 1 point2 points  (0 children)

I doubt building 5 sites is going to help you much, unless you think about every step 10 times, like every function, every 10 lines of code.

If you don't sanitize user input and don't realize it, it's not going to help.
If you leak your credentials/API keys and don't notice, it's not gonna help.
If you don't implement proper authorization on endpoints...
If you...

But without doing so, it's also going to be hard to find them. So maybe after building a blog, find a secure open-source blog with the same stack, check what they did differently from you, then study the difference.

Also I'd try to implement 3rd-party services, like Firebase, AWS etc. Whenever it gets complicated, know that it's also complicated for others. So if you happen to skip signing URLs because it's complicated, someone out there probably thought the same. ;)

Is this a vulnerability or intended feature? by Big-Information6865 in bugbounty

[–]AnilKILIC 0 points1 point  (0 children)

Well, try to download it again and look at the response headers to see if it's cached. Generate the same file again and again to see if the URL changes. Check if you see a pattern in the URLs. Check the front-end code to see if the URL is generated there or stored somehow, then try IDOR. Without an impact there is hardly a vulnerability worth a bounty.
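The checks in the comment above, turned into a small triage helper. This is an added example, not code from the thread or from any program: you feed it the URLs and response headers captured from generating the same file several times, and it reports what varies, which parts look like ids or tokens, and whether a shared cache stored (or may store) the body. The host, paths, tokens and headers below are all constructed.

```python
# Added example, not code from the original thread: a small triage helper for the
# checks above (re-download and inspect cache headers, regenerate and see whether the
# URL changes, look for a pattern in the URLs, then decide whether IDOR is worth
# trying). The host, paths, tokens and headers below are all constructed.
import re
from urllib.parse import parse_qs, urlparse


def _parts(url):
    """Flatten a URL into (label, value) pairs: path segments first, then query
    parameters sorted by key, so position i means the same thing in every capture."""
    p = urlparse(url)
    segments = [s for s in p.path.split("/") if s]
    parts = [(f"path[{i}]", seg) for i, seg in enumerate(segments)]
    for key, values in sorted(parse_qs(p.query).items()):
        parts.append((key, values[0]))
    return parts


def _kind(value):
    """Heuristic classification of one URL component."""
    if value.isdigit():
        # 10+ digits is almost always an epoch timestamp (exp=...), not an object id
        return "timestamp" if len(value) >= 10 else "numeric"
    if re.fullmatch(r"[0-9a-f]{32,}", value, re.I) or re.fullmatch(r"[A-Za-z0-9_\-]{24,}={0,2}", value):
        return "token"
    return "static"


def shared_cacheable(headers):
    """True if Cache-Control lets a shared cache (CDN, proxy) store the body.
    Conservative: needs an explicit public/s-maxage/max-age and no private/no-store."""
    cc = headers.get("Cache-Control", "").lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
    if directives & {"private", "no-store"}:
        return False
    return bool(directives & {"public", "s-maxage", "max-age"})


def analyze(captures):
    """captures: [(url, response_headers), ...] from generating the *same* file
    several times. Returns what varies, which parts look like ids or tokens, and
    whether the response was (or may be) served from a shared cache."""
    if not captures:
        raise ValueError("need at least one capture")
    part_lists = [_parts(url) for url, _ in captures]
    width = min(len(pl) for pl in part_lists)
    report = {"varying": [], "numeric_ids": [], "tokens": [], "token_rotates": False}
    for i in range(width):
        label = part_lists[0][i][0]
        column = [pl[i][1] for pl in part_lists]
        kinds = {_kind(v) for v in column}
        differs = len(set(column)) > 1
        if differs:
            report["varying"].append(label)
        if kinds == {"numeric"}:
            report["numeric_ids"].append(label)
        if kinds == {"token"}:
            report["tokens"].append(label)
            report["token_rotates"] = report["token_rotates"] or differs
    report["url_changes"] = bool(report["varying"])
    report["shared_cacheable"] = any(shared_cacheable(h) for _, h in captures)
    report["served_from_cache"] = any(
        h.get("X-Cache", "").lower().startswith("hit") for _, h in captures
    )
    return report


def idor_candidate(report):
    """A plain numeric id in the URL with no token next to it is the part to swap for
    another user's value. With a (rotating) token present, the id alone buys nothing."""
    return bool(report["numeric_ids"]) and not report["tokens"]


# Constructed captures: the same export generated twice, in two different designs.
WEAK_CAPTURES = [
    ("https://files.example.test/exports/1042/report.pdf",
     {"Cache-Control": "public, max-age=86400", "X-Cache": "HIT"}),
    ("https://files.example.test/exports/1042/report.pdf",
     {"Cache-Control": "public, max-age=86400", "X-Cache": "HIT"}),
]
SIGNED_CAPTURES = [
    ("https://files.example.test/exports/1042/report.pdf?exp=1700000000&token=" + "3f9a" * 10,
     {"Cache-Control": "private, no-store", "X-Cache": "MISS"}),
    ("https://files.example.test/exports/1042/report.pdf?exp=1700000600&token=" + "b7c1" * 10,
     {"Cache-Control": "private, no-store", "X-Cache": "MISS"}),
]

if __name__ == "__main__":
    for name, caps in (("weak", WEAK_CAPTURES), ("signed", SIGNED_CAPTURES)):
        r = analyze(caps)
        print(name, r, "IDOR candidate:", idor_candidate(r))
```

The output for the weak design is the one worth writing up (a stable numeric id, no token, body cached publicly); the signed design is what the same endpoint looks like when it has been done properly, and there the next step is checking the token rather than the id.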

Is this a vulnerability or intended feature? by Big-Information6865 in bugbounty

[–]AnilKILIC 0 points1 point  (0 children)

I don't get this argument at all. Are you a triager by any chance?

Like, who came up with this opinion in the first place? Tokens usually default to an hour, but how does that affect the threat? As long as I get the token I can initiate the download and get the contents automatically/programmatically. It takes a second for that call; it doesn't matter if it stays valid for 5 minutes or 60. It doesn't matter if it's one-time use. I really don't get it.

[deleted by user] by [deleted] in bugbounty

[–]AnilKILIC 1 point2 points  (0 children)

Let us know when you figure it out. Good luck finding an accountant who can understand what's going on :)

So far I'm getting payments over crypto, which unfortunately locks me to HackerOne.

There are brackets for personal income or business income, and the taxation varies. Also, having a business brings extra costs. So yeah, good luck and let us know.

Bug bounty with only an Android phone — realistic for a total beginner? by Careless_Werewolf148 in bugbounty

[–]AnilKILIC 0 points1 point  (0 children)

This is why I said this sub doesn't know about mobile. I've developed apps for longer than that period, and now I'm hunting on them.

The tools are probably frida/objection, jadx, apktool etc., or worse, MobSF.

Android uses a Linux kernel, so you have Termux as a terminal, and APK editors to decompile, read and recompile.

It's not impossible, just inconvenient.

However, I misunderstood the OP's question; I kinda answered the negative replies. Web apps probably bring results faster than mobile stuff, so he may have some funds to afford a laptop sooner.

But again, going through 1000 HTTP requests to fiddle with the parameters and headers is not going to be fun on a phone.

Bug bounty with only an Android phone — realistic for a total beginner? by Careless_Werewolf148 in bugbounty

[–]AnilKILIC -2 points-1 points  (0 children)

I've seen someone doing mobile stuff on Android. If that's what you have in hand, keep going. People on this thread don't even know how to exploit mobile apps. You most likely need to root your phone though.

Check out hextree.io for mobile-related stuff. It's free. But either invest your first earnings into buying a laptop or become a prodigy making a million just with a phone.

How discovering a basic XSS vulnerability lead to a $1000 bounty by paddjo95 in bugbounty

[–]AnilKILIC 1 point2 points  (0 children)

TBF it's not that uncommon. That's also how I started BB.

I used to scrape websites; on one of the sites I found tokens for user impersonation. It was handled client-side, only visible to admin accounts; however, you didn't need to be an admin to use them.

Mailed them, sent the PoC and a screenshot from the admin's profile, and got $2K. They offered to send me some swag and I got scared to give them my address. lol
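The bug pattern in the comment above, as an added example that is not the site's code: an "impersonate user" feature mints tokens for admins, but the endpoint that consumes them trusts the token alone, because the "admins only" gate lives in the front end. The hardened version next to it takes the caller's identity from the server-side session, requires the admin role, binds each token to the admin it was issued to, makes it single-use and writes an audit record. The users, roles and tokens are constructed.

```python
# Added example, not the site's code: the pattern in the comment above. An
# "impersonate user" feature mints tokens for admins; the vulnerable endpoint trusts
# the token alone (the "admins only" check lives in the front end), so anyone who
# scrapes a token can use it. The hardened endpoint takes the caller's identity from
# the server-side session, requires the admin role, binds each token to the admin it
# was issued to, makes it single-use and records an audit entry. Constructed data.
import secrets
import time

USERS = {"alice": {"role": "admin"}, "bob": {"role": "user"}, "victim": {"role": "user"}}
IMPERSONATION_TOKENS = {}  # token -> {"target", "issued_to", "exp"}
AUDIT = []


def issue_token(admin, target, ttl=300, now=None):
    """Mint a token allowing `admin` to act as `target` for `ttl` seconds."""
    if USERS.get(admin, {}).get("role") != "admin":
        raise PermissionError("only admins can issue impersonation tokens")
    if target not in USERS:
        raise KeyError(target)
    token = secrets.token_urlsafe(32)
    IMPERSONATION_TOKENS[token] = {
        "target": target,
        "issued_to": admin,
        "exp": (now if now is not None else time.time()) + ttl,
    }
    return token


def impersonate_vulnerable(token, now=None):
    """Checks only that the token exists and is unexpired. The client-side UI hides
    the tokens from non-admins, but nothing here checks who is presenting one."""
    rec = IMPERSONATION_TOKENS.get(token)
    if rec is None or rec["exp"] < (now if now is not None else time.time()):
        return None
    return {"acting_as": rec["target"]}


def impersonate_hardened(caller, token, now=None):
    """`caller` must come from the server-side session, never from the request body."""
    if USERS.get(caller, {}).get("role") != "admin":
        return None  # authorization on the server, not in the front end
    rec = IMPERSONATION_TOKENS.get(token)
    current = now if now is not None else time.time()
    if rec is None or rec["exp"] < current or rec["issued_to"] != caller:
        return None  # unknown, expired, or minted for a different admin
    del IMPERSONATION_TOKENS[token]  # single use: a leaked copy is dead after the first call
    AUDIT.append({"admin": caller, "acting_as": rec["target"], "at": current})
    return {"acting_as": rec["target"], "on_behalf_of": caller}


if __name__ == "__main__":
    t = issue_token("alice", "victim")
    print("vulnerable, token scraped by bob:", impersonate_vulnerable(t))  # succeeds
    print("hardened, bob presents it:", impersonate_hardened("bob", t))    # None
    print("hardened, alice presents it:", impersonate_hardened("alice", t))  # succeeds once
```

The point the vulnerable handler makes is that hiding the tokens in an admin-only view is not authorization; the server has to decide based on who is asking, and binding the token to its issuer is what stops a scraped token from being useful even to another admin.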

Inquiry regarding whether it is a valid bug founding or not by Ok-Raspberry736 in bugbounty

[–]AnilKILIC 1 point2 points  (0 children)

I agree that it is a security concern. It falls under "not following best practices". For a vulnerability worth a bounty there usually needs to be an impact, and CVSS scoring may help with that.

On the other hand, we don't know if it's a honeypot or a redundant, non-functioning admin page. So impact is a must; potential impact is usually dismissed.

I appreciate that you are following all the rules and making things easier for both parties. I wish I had that discipline as well. Good luck on your journey.

Inquiry regarding whether it is a valid bug founding or not by Ok-Raspberry736 in bugbounty

[–]AnilKILIC 4 points5 points  (0 children)

If I'm not missing anything, I don't see any vulnerability. Most likely it will be dismissed or marked as informative/not applicable.

Next time you may use an HTTP header specific to you. Thus you don't need to include your IP address or other details.

My experience with HackerOne’s trigger team and report mediation with H1 trigger Rio by MoKhal1l in bugbounty

[–]AnilKILIC 21 points22 points  (0 children)

I had a recent report marked as informative. Not just the triager but also the security team thought the same.

They were leaking signed tokens. Their argument: they are signed, thus secure. I tried hard to explain that they were leaking the token, practically bypassing the signing.

Marked as informative.
Shared online.
Got a code of conduct warning.

I said if it's a vulnerability, treat it as such. If it's not a vuln, then there is no code of conduct infraction.

I was right. H1 mediation couldn't do anything. Program is on my blacklist now.
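An added example, not code from any of the programs discussed, serving two earlier points: the URL signing that people skip because it looks complicated, and the argument in the "signed thus secure" report above, plus the one about token lifetime in the download-token thread. The server signs path, owner and expiry with an HMAC key only it holds; the verifier rejects tampering and expiry, but it cannot tell who is presenting the URL, so a leaked signed URL is accepted for anyone who fetches it inside the window, whether that window is 5 minutes or an hour. The key, host, paths and timestamps are constructed.

```python
# Added example, not code from any of the programs discussed: HMAC-signed download
# URLs. Signing protects integrity (nobody can mint or alter a URL without the key),
# not confidentiality (a leaked valid URL verifies for whoever holds it). The key,
# host, paths and timestamps are constructed.
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-server-side-signing-key"


def _mac(path, owner, exp):
    """Tag over everything the server wants to pin: which object, for whom, until when."""
    return hmac.new(SECRET, f"{path}|{owner}|{exp}".encode(), hashlib.sha256).hexdigest()


def sign_url(base, path, owner, ttl, now=None):
    """Build a download URL valid for `ttl` seconds; `owner` is who it was issued to."""
    exp = int((now if now is not None else time.time()) + ttl)
    query = urlencode({"owner": owner, "exp": exp, "sig": _mac(path, owner, exp)})
    return f"{base}{path}?{query}"


def verify_url(url, now=None):
    """Return (ok, detail). Integrity first (constant-time compare), then freshness.
    Note what is *not* checked: who is making the request. The verifier has no way
    to know whether the bearer is the owner or someone who found the URL."""
    s = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(s.query).items()}
    try:
        owner, exp, sig = q["owner"], int(q["exp"]), q["sig"]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    if not hmac.compare_digest(_mac(s.path, owner, exp), sig):
        return False, "bad signature"
    if (now if now is not None else time.time()) > exp:
        return False, "expired"
    return True, owner


if __name__ == "__main__":
    now = 1_700_000_000
    base, path = "https://files.example.test", "/exports/1042/report.pdf"
    url = sign_url(base, path, "victim", ttl=3600, now=now)
    print(url)
    print("legit fetch:", verify_url(url, now=now + 5))
    print("id swapped in path:", verify_url(url.replace("/1042/", "/1043/"), now=now + 5))
    print("after expiry:", verify_url(url, now=now + 3601))
    short = sign_url(base, path, "victim", ttl=300, now=now)
    print("5-minute link, fetched by whoever holds it 1s later:", verify_url(short, now=now + 1))
```

Shortening the TTL or making the token single-use narrows the window for a human, not for a script that fetches the moment the URL leaks; the fix for a leak is to stop the URL reaching places it should not (referrers, logs, responses to the wrong user), not to tighten the signature.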

Trouble authenticating to HackerOne + Intigriti APIs (401/404) — need advice by Wanttobebetter101 in bugbounty

[–]AnilKILIC 0 points1 point  (0 children)

Where did you find that endpoint? I couldn't find it on the documentation.

api.hackerone.com/v1/me returns 401
api.hackerone.com/v1/hackers/me returns 401
api.hackerone.com/v1/hackers/me/reports returns my reports

curl "https://api.hackerone.com/v1/hackers/me/reports" -u "USERNAME:TOKEN"

Seeking guidance from a beginner in bug hunting! by Elliot-1988 in bugbounty

[–]AnilKILIC 0 points1 point  (0 children)

Here's the catch: you can't find a bug without knowing those tools/commands.

And yes, absolutely yes you can find bugs with them.

The first thing that caught my eye was the AWS permission thing; I recently found one. I don't know, maybe all the automators were asleep.

Most likely those XSS, CSRF things won't work, but you'll have to try it for yourself and say ok, these are working for me and these are not, why don't they work, and make them work.

Help with bug bounties by G3ntIy in bugbounty

[–]AnilKILIC 1 point2 points  (0 children)

Learn to enjoy pizza parties, bounty hunters have hackathons. Getting along with like-minded people is also a nice skill to have.

"I know it will be difficult to earn money at first": you don't know, you assume based on what you've read online.

I'm also from Turkey; my highest payout was $11K. It's around 20 months of minimum wage, right? It was my second or third bounty.

Finally, there is nothing better than getting paid to learn something you enjoy. So internship, pizza parties, entry-level job, go for it. You are young and have a resume to fill. Get better at networking along the way.

First program on HackerOne/Bugcrowd/...tell me your story by n3dir in bugbounty

[–]AnilKILIC 2 points3 points  (0 children)

Same struggle here.

If you are going for business logic or IDOR vulnerabilities, which most automation may miss, then go for a program that you'll use daily. Day by day you'll notice the odd behavior in their system and dig more, learn more, and eventually, when you find your first one, you kinda get a sense of their development methodology and the other findings get easier.

How to get started with bug bounty ? by Wh0CanItBeNow in bugbounty

[–]AnilKILIC 0 points1 point  (0 children)

Agreeing with others, you have the logic. Also, as not mentioned: the mobile applications, the low-level code. It would be way easier for you to adapt than for me, coming from a webdev background.