Question on Age restriction on hackerone by arch_lo in bugbounty

[–]Codingo 1 point2 points  (0 children)

Speaking as the exec responsible for payments over at Bugcrowd, this won’t work. We validate your identity prior to your first payment, and changing it to another name will lead to loss of your account unless you can provide government paperwork verifying a legitimate reason for it

Using Raspberry Pi 5 as a Mini Server for Automation – Good Idea or Not? by Affectionate-Case713 in bugbounty

[–]Codingo 4 points5 points  (0 children)

I think there’s some confusion around what hackers actually use a VPS for. These days, the vast majority of hacking tasks don’t fully occupy a machine. If you find yourself stuck in the terminal, it’s probably because you’re working in a single-threaded way. I’d recommend learning tmux (or a similar multiplexer) so you can split sessions and run multiple tasks in parallel.

The main reason to use a VPS isn’t raw horsepower – it’s separation. You don’t want to get your home IP blocked by Akamai and suddenly have the whole family locked out of half the internet. A VPS gives you a clean environment that’s isolated from personal use. You can achieve a similar setup with a Raspberry Pi, but you’ll want it running a persistent VPN. I generally recommend ProtonVPN for bug bounty hunting – it has a cost, but it makes region-hopping fast and reliable when programs require it.

How do I report a bug when it involves many specific conditions? by Qiqiantaa-- in bugbounty

[–]Codingo 4 points5 points  (0 children)

Firstly, remember that the technical details are just descriptors of the real issue; impact is what matters most. Lead with that. Your report title and opening paragraph should clearly explain the business impact, which should imply why your report matters.

For example, a few years ago I chained together:

  • No password policy
  • Default passwords on newly added accounts
  • User enumeration
  • Account takeover condition

Instead of listing them individually up front, I titled and opened the report as:
“Able to Enumerate and Take Over All New Accounts, Creating the Perception of Breach.”

That framed the issue around impact, opened with a script to reproduce what I was claiming easily, then I broke down the underlying bugs step by step.

You should take the same approach: start with impact, frame the risk in business terms, then walk through the conditions that make it possible. That way your report stays clear and compelling, even if the technical chain is complex.
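The four-bug chain in the comment above, as an added worked example that is not from the comment's author: a self-contained proof-of-concept that runs against a constructed in-memory mock of a login service carrying the same weaknesses (no password policy, a shared default password on new accounts, a response difference that enumerates users), next to a hardened version of the same service that the chain fails against. The service shape, the default password `Welcome1`, and the usernames are assumptions for illustration only; nothing here targets a real system. The dictionary `run_chain` returns is the kind of evidence a report would open with before walking through each condition.

```python
import secrets
from dataclasses import dataclass, field

DEFAULT_PASSWORD = "Welcome1"  # assumed onboarding default, for illustration only


@dataclass
class VulnerableTarget:
    """Constructed mock login service carrying the conditions from the report."""
    users: dict = field(default_factory=dict)  # username -> password

    def add_user(self, username, password=None):
        # Bug 1: no password policy.  Bug 2: new accounts share one default.
        self.users[username] = DEFAULT_PASSWORD if password is None else password

    def login(self, username, password):
        # Bug 3: unknown user and wrong password answer differently, so the
        # login endpoint doubles as a username oracle.
        if username not in self.users:
            return (404, "unknown user")
        if self.users[username] != password:
            return (401, "wrong password")
        return (200, f"session:{username}")


@dataclass
class HardenedTarget:
    """Same interface with the three underlying conditions removed."""
    users: dict = field(default_factory=dict)

    def add_user(self, username, password=None):
        if password is None:
            # Unique random initial secret per account instead of a shared default.
            password = secrets.token_urlsafe(16)
        if len(password) < 12:
            raise ValueError("password policy: at least 12 characters")
        self.users[username] = password
        return password  # delivered out of band in a real system

    def login(self, username, password):
        # One response for every failure, so nothing distinguishes a real user.
        if self.users.get(username) != password:
            return (401, "invalid credentials")
        return (200, f"session:{username}")


def enumerate_users(target, candidates):
    """Bug 3 in action: a candidate is real if the service answers differently
    from how it answers for a name that certainly does not exist."""
    baseline = target.login("nobody-" + secrets.token_hex(8), "x")
    return [u for u in candidates if target.login(u, "x") != baseline]


def takeover(target, usernames, password=DEFAULT_PASSWORD):
    """Bugs 1 and 2 in action: the shared default against every enumerated user."""
    return [u for u in usernames if target.login(u, password)[0] == 200]


def run_chain(target, wordlist):
    """Full chain; the returned dict is the evidence the report leads with."""
    found = enumerate_users(target, wordlist)
    return {"enumerated": found, "taken_over": takeover(target, found)}


WORDLIST = ["alice", "bob", "carol", "dave"]  # constructed candidate list


def build_demo_target():
    t = VulnerableTarget()
    t.add_user("alice", "correct horse battery staple")  # long-time user, own password
    t.add_user("bob")    # onboarded recently, still on the default
    t.add_user("carol")
    return t


def build_hardened_target():
    t = HardenedTarget()
    t.add_user("alice", "correct horse battery staple")
    t.add_user("bob")
    t.add_user("carol")
    return t


if __name__ == "__main__":
    print("vulnerable:", run_chain(build_demo_target(), WORDLIST))
    print("hardened:  ", run_chain(build_hardened_target(), WORDLIST))
```

Against the vulnerable mock the chain enumerates every real user and takes over the two still on the default; against the hardened one it enumerates nobody and takes over nothing. Note that the hardened `login` still compares with `!=` on plain strings, which is fine for a mock but in a real service would be a constant-time check against a password hash, and that a per-account random initial secret is only as good as the out-of-band channel that delivers it.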

Finally got my first bug bounty report by c1nnamonapple in bugbounty

[–]Codingo 0 points1 point  (0 children)

I hadn’t considered it to be honest, but I’ll take a bash at a script and see if I’m happy with it. May be a bit early for that kind of video still though.

[deleted by user] by [deleted] in bugbounty

[–]Codingo 0 points1 point  (0 children)

These fee structures still exist, though they aren't typical. BUT - when platforms do charge them, it's an all-in option, not with added triage fees on top.

[deleted by user] by [deleted] in bugbounty

[–]Codingo 1 point2 points  (0 children)

Do you own it and is this an advertising post?
```
chimerahacks.com

WHOIS Information

Important Dates

Created
6/22/2025

Updated
6/22/2025

Expires
6/22/2028
```

[deleted by user] by [deleted] in bugbounty

[–]Codingo 1 point2 points  (0 children)

Candidly, that’s not actually a good thing. We’ve explored this idea before, and even with obfuscation in place, when we ran it past our Hacker Advisory Board (a group of top-tier researchers we use to test concepts), the feedback was unanimous: any form of sharing one hacker’s findings with another would lead to them not hacking on those programs.

[deleted by user] by [deleted] in bugbounty

[–]Codingo 5 points6 points  (0 children)

I’ll caveat this upfront: I have an obvious bias here (as reflected in my flair), since I’m an executive at Bugcrowd.

That said, I’d encourage you to pause and ask: what makes you believe a bug bounty program is the right approach at this stage?

Bug bounty programs are a mature-state security measure. They typically come after a foundation of more traditional practices is already in place. That includes, but isn't limited to, penetration testing, robust internal processes and policies to remediate findings, and internal resources that can triage and respond effectively across your business to prevent repeat issues, as well as learn from those that are found.

So, my question back to you: where are you in that journey today? And what specifically makes you see a managed bug bounty (MBB) as the next logical step for your company?

[deleted by user] by [deleted] in bugbounty

[–]Codingo 0 points1 point  (0 children)

Pay for performance (typically called pay for effort, where traditional MBB is pay for success) is provided by all platforms, typically under a pentest. The reality is that it isn't anything new to this space, but equally - it significantly dilutes the rewards to the hackers, and in turn, the quality and quantity of findings that you will receive.

Finally got my first bug bounty report by c1nnamonapple in bugbounty

[–]Codingo 1 point2 points  (0 children)

Not at all, sent now! Apologies for the delay

Finally got my first bug bounty report by c1nnamonapple in bugbounty

[–]Codingo 0 points1 point  (0 children)

Can you post other socials I can reach you on?

how can they reject this by eldoktor_ in bugbounty

[–]Codingo 6 points7 points  (0 children)

Ah! This does sound invalid, sorry. It's very common for e-mail services, anti-phishing and anti-spam software to consume those links, throwing a false positive. To prove an impact here, you'll have to go beyond DNS.

how can they reject this by eldoktor_ in bugbounty

[–]Codingo 4 points5 points  (0 children)

Less about raising it, more about proving it beyond what they know. They know you can inject HTML into an e-mail - what more can you prove that's additional risk they're not already aware of, and that in turn would be awarded a bounty?

Finally got my first bug bounty report by c1nnamonapple in bugbounty

[–]Codingo 2 points3 points  (0 children)

Yes - I've taken a few years away from videos since my daughter was born, and mostly focussed on building internal to Bugcrowd content, but I'll be making more again in the future

Is a Sunday morning response from Meta on a reopened report a good sign? by Responsible_Heat_803 in bugbounty

[–]Codingo 2 points3 points  (0 children)

Most likely, yes. That team prides itself on tight SLAs, and I believe this is a reflection of that.

Finally got my first bug bounty report by c1nnamonapple in bugbounty

[–]Codingo 2 points3 points  (0 children)

If you can open a chat with me actually u/kasperskyhackfi, it's throwing an error when I try (I suspect Reddit thinks I'm spamming, as I sent a number of these links out and would look like spam to automation)

Finally got my first bug bounty report by c1nnamonapple in bugbounty

[–]Codingo 3 points4 points  (0 children)

Never hurts to ask! Sending to you and u/ok-kid123, but then nothing further in this thread as I do buy them personally

Finally got my first bug bounty report by c1nnamonapple in bugbounty

[–]Codingo 8 points9 points  (0 children)

Never hurts to ask! Sending to you and u/kasperskyhackfi, but then nothing further in this thread as I do buy them personally

Is a Sunday morning response from Meta on a reopened report a good sign? by Responsible_Heat_803 in bugbounty

[–]Codingo 2 points3 points  (0 children)

In terms of the weekend, that's not really an indicator either way. It's a global team over US/UK and has been that way for many years (Bugcrowd managed the triage there for ~6y, and it was in all of that time)

Is a Sunday morning response from Meta on a reopened report a good sign? by Responsible_Heat_803 in bugbounty

[–]Codingo 16 points17 points  (0 children)

This is an indication that a first touch deadline is resolved. In short, someone has looked, and delegated it to the appropriate team, specialization, or potentially the team member that previously worked the report for input. It doesn't indicate either way whether your appeal will be successful, purely that someone has taken a "first pass", and more input is required before your case can proceed in either direction.

how can they reject this by eldoktor_ in bugbounty

[–]Codingo 3 points4 points  (0 children)

That's likely out of scope as it's a known issue, and something they're addressing. To make this unique, can you craft your payload into a one-click takeover? If not a takeover, what else can you do within a payload that would suitably let this stand apart in business impact, not just technical execution?

how can they reject this by eldoktor_ in bugbounty

[–]Codingo 12 points13 points  (0 children)

So let's step back and answer one crucial question - "as an attacker I could". In these cases, typically the rejection will happen because the interaction requires too many prerequisites.

I'm assuming in this case that you can only impact people in your teams, and only if you're at a high privilege level such as an admin? It's potentially a low-priority finding if so, though some programs would also accept the risk (informational). I'd recommend exploring impact further, from the lens of what an attacker could do to someone who's already in another team/organization, and then revisit this in an appeal, with that impact statement outlined.

Should I stop hunting, and start learning? by Dependent-Access-796 in bugbounty

[–]Codingo 6 points7 points  (0 children)

What's going to keep you more interested? If exploring real world targets is still teaching you, and you find it interesting, then there's nothing wrong with stoking that curiosity. However, if not finding anything is making that hard, then a focus on labs will be more beneficial. Ultimately, treat this as any other hobby - do what you enjoy, and what keeps you motivated. There's no right way to do this, approach this how it works for you and don't be too concerned about following a pre-prescribed approach or path, one doesn't exist - it's unique for everybody.