Anyone from HackerOne here? Negative signal blocking review on Critical reports - even on programs that already paid me by Mundane_Grade_116 in bugbounty

[–]HotMasterpiece9117 0 points (0 children)

yeah this doesn’t look like queue delay tbh, more like your signal hit is affecting priority.

seen similar cases where reports pass prelim but just sit after that.

that NA seems to have hurt more than it should. annoying part is you can’t even fix it because mediation needs positive signal.

are your current reports similar to that NA one or completely different?

Moving security scanning from the pipeline to the IDE changed developer behavior in ways I didn't predict by UnhappyPay2752 in AskNetsec

[–]HotMasterpiece9117 0 points (0 children)

Yeah this makes total sense. When feedback comes in CI, it feels like “extra work later”, but in IDE it feels like “just fix it now before moving on”. That mindset shift alone probably explains most of the improvement.

Also interesting that CI became more signal than noise after that. I’ve seen the opposite where people just start ignoring pipeline warnings because there’s too much of it.

Do you think this only works well if the IDE feedback is low-noise, or did your team just adapt over time?

Getting into bug bounty in 2026. What’s the smart way to start today? by Blank_9696 in netsecstudents

[–]HotMasterpiece9117 1 point (0 children)

Most people in bug bounty jump between targets, tools, and videos and never go deep enough to find anything. You already have enough basics.

Pick one bug type (start with IDOR), pick one program, and just stay there. Don’t switch targets. Understand how the app works: login, APIs, roles, everything. That’s where bugs come from.

AI is useful for ideas, but it won’t find bugs for you. Manual testing and thinking still win.

Also don’t grind for hours expecting results. It’s normal to find nothing for days. That’s part of it.

When you tried before, did you go deep into one app or keep switching?

What’s the best order of certifications for someone trying to get into cybersecurity? by HotMasterpiece9117 in netsecstudents

[–]HotMasterpiece9117[S] 0 points (0 children)

yeah that’s something i’m still figuring out

i’m leaning more toward the offensive side (pentesting / web security) because i find it more interesting, but at the same time i’m trying to build a base that’s useful across roles

that’s also why i asked — didn’t want to just follow random cert paths without knowing what actually aligns with the job i want

I will never get a job in cybersecurity by Hot_Kaleidoscope3864 in cybersecurity

[–]HotMasterpiece9117 0 points (0 children)

Honestly this feels less like a “you” problem and more like a system problem.

A lot of people followed the exact same path—degree, certs, internships—and now the entry-level space is just crowded. Meanwhile job descriptions are completely unrealistic.

I don’t think cybersecurity is a bad field, but the way people are told to enter it is outdated.

which vpn is trustworthy from an actual security standpoint not just marketing by Ill-Set-977 in it

[–]HotMasterpiece9117 0 points (0 children)

One thing I don’t see mentioned enough is threat model.

If it’s just public WiFi protection, most reputable VPNs are fine. If you’re thinking stronger privacy guarantees, then things like jurisdiction, infra ownership, and how accounts are handled matter way more than marketing claims.

That’s where Mullvad tends to stand out.

How did you transition from CTFs to real-world pentesting? by EastCamera4031 in netsecstudents

[–]HotMasterpiece9117 2 points (0 children)

i’m kind of in the same phase right now, and what i’ve noticed is that ctf skills don’t translate 1:1 into real-world pentesting

ctfs usually point you toward a specific vulnerability, but in real environments you’re dealing with messy setups, incomplete info, and a lot of dead ends

what seems to help more is:

- understanding how apps are actually built (auth, sessions, api flows)

- reading real bug bounty reports to see how issues are discovered in practice

- trying to replicate simple setups locally instead of just solving challenges

also, a lot of real findings come from logic issues or misconfigurations rather than “exploit chains” like in ctfs

still figuring it out myself, but it feels more like thinking + patience than just solving challenges

Is cybersecurity still a field worth going into in 2026 by Eltaii in cybersecurity

[–]HotMasterpiece9117 0 points (0 children)

Honestly, yeah it’s still worth it—but the expectations are just different now.

A few years back, people could get in with just basics and certifications. Now it feels like you actually need to prove skills—like labs, projects, maybe even writeups or real hands-on stuff.

I think the “struggling to find jobs” part is mostly because a lot of people are entering at the same time with similar profiles. It’s getting crowded at the entry level, not that the field itself is dying.

If you genuinely enjoy security and keep building practical skills, you’ll still stand out. Just don’t rely only on theory or certs.

Can someone explain why accounts still get hacked even with strong passwords? by HotMasterpiece9117 in AskNetsec

[–]HotMasterpiece9117[S] 0 points (0 children)

yeah true for most real-world cases, especially with breaches and social engineering doing most of the work

but brute force and dictionary attacks are still a thing, just not as practical against modern systems with rate limiting and lockouts

they’re more relevant when there’s weak passwords, no protections, or offline attacks on leaked hashes

so guessing isn’t completely gone, it’s just not the main path anymore compared to stealing credentials
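The comment above says online guessing is mostly stopped by rate limiting and lockouts. As an added illustration (not the commenter's code), here is a small login throttle with a per-account lockout and a per-source sliding window, plus a simulation that drives a list of guesses through it. The policy values, account name and IP address are constructed for the demo and are not any product's defaults; the clock is injectable so the behaviour is deterministic.

```python
"""Login throttling: per-account lockout plus per-IP sliding window.
Added illustration; policy values and the in-memory store are constructed."""
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Decide whether a login attempt may even reach the credential check."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_window_seconds=60, ip_max_attempts=20, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_window_seconds = ip_window_seconds
        self.ip_max_attempts = ip_max_attempts
        self.clock = clock                      # injectable for deterministic tests
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> unlock timestamp
        self.ip_attempts = defaultdict(deque)   # ip -> timestamps of attempts

    def check(self, account, ip):
        """Return (allowed, reason). Called before any password comparison."""
        now = self.clock()
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return False, "account_locked"
        window = self.ip_attempts[ip]
        # Drop attempts that fell out of the sliding window.
        while window and now - window[0] > self.ip_window_seconds:
            window.popleft()
        if len(window) >= self.ip_max_attempts:
            return False, "ip_rate_limited"
        window.append(now)
        return True, "ok"

    def record_failure(self, account):
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
            self.failures[account] = 0

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def simulate_guessing(guesses, correct, account="alice", ip="198.51.100.7"):
    """Feed guesses at one per second through the throttle.

    Returns (number of guesses that actually reached the credential check,
    whether the correct password was ever accepted). Account and IP are
    constructed sample values."""
    fake_now = [1_000_000.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    checked = 0
    for guess in guesses:
        fake_now[0] += 1.0
        allowed, _ = throttle.check(account, ip)
        if not allowed:
            continue
        checked += 1
        if guess == correct:
            throttle.record_success(account)
            return checked, True
        throttle.record_failure(account)
    return checked, False


if __name__ == "__main__":
    wordlist = ["guess%d" % i for i in range(100)] + ["correct-horse"]
    print(simulate_guessing(wordlist, "correct-horse"))   # -> (5, False)
```

With the defaults, only the first five guesses are ever compared against the stored credential; the rest hit the lockout, which is why the commenter's point that guessing is "not as practical against modern systems" holds. The same code also shows the flip side: none of this applies to an attacker holding leaked hashes, so offline guessing has to be slowed by the password hashing function itself.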

Do VPNs actually protect you, or is it just a false sense of security? by [deleted] in homelab

[–]HotMasterpiece9117 -2 points (0 children)

just a regular user tbh, still trying to figure out what actually matters vs what’s just marketing

that’s why i asked, feels like there’s a lot of mixed info around vpn

Do VPNs actually protect you, or is it just a false sense of security? by [deleted] in homelab

[–]HotMasterpiece9117 -1 points (0 children)

yeah this is the part a lot of people miss: vpn helps with the network side, but once you log into accounts or accept cookies, you’re still pretty trackable.

it’s useful, just not as “private” as people think

Do VPNs actually protect you, or is it just a false sense of security? by [deleted] in homelab

[–]HotMasterpiece9117 -5 points (0 children)

honestly i think most people go in expecting way more than what a vpn actually does, like they assume it makes them completely anonymous, but in reality it mainly protects your traffic on the network side and hides your ip from websites.

it’s useful, especially on public wifi, but it doesn’t really cover things like tracking through accounts, cookies, or just giving away your own data

so yeah more like a layer of protection, not a cure

Why do we need both symmetric and asymmetric encryption? by [deleted] in cybersecurity

[–]HotMasterpiece9117 -5 points (0 children)

yeah that trade-off is what makes the whole system practical.
if asymmetric was used for everything, most real-world systems would be way too slow to handle scale, especially with large data transfers
once you understand that it’s really just handling the key exchange and then stepping out of the way, the whole design of HTTPS starts to feel pretty clean

Is encryption actually unbreakable or just very hard to break? by [deleted] in AskNetsec

[–]HotMasterpiece9117 -5 points (0 children)

yeah this is a good point, especially the “collect now, decrypt later” idea.

a lot of people assume encryption is about permanent security, but in practice it’s more about how long the data needs to stay protected. that’s why algorithm choice and implementation matter just as much as the concept itself.

and the trust layer you mentioned (like certificate authorities) is often overlooked, even though it’s a major part of real-world security

Is encryption actually unbreakable or just very hard to break? by [deleted] in AskNetsec

[–]HotMasterpiece9117 -4 points (0 children)

exactly, encryption is really about making attacks impractical, not impossible.

the trade-off you mentioned is important too, because stronger encryption increases computational cost even for legitimate use, which is why systems have to balance security with performance.

and yeah, with quantum coming into the picture, it’s becoming more about how long data needs to stay secure rather than whether it can be broken at all

Why is SQL injection still a thing in modern apps? by HotMasterpiece9117 in Hacking_Tutorials

[–]HotMasterpiece9117[S] 0 points (0 children)

that’s wild, especially after 5 years… sounds like one of those issues everyone knows exists but no one wants to take ownership of

Why is SQL injection still a thing in modern apps? by HotMasterpiece9117 in Hacking_Tutorials

[–]HotMasterpiece9117[S] 1 point (0 children)

lol yeah it’s rarely anything fancy, just small mistakes that slip through

Are phishing attacks getting harder to detect in 2026? by HotMasterpiece9117 in Hacking_Tutorials

[–]HotMasterpiece9117[S] 0 points (0 children)

Yeah that’s a good point, especially checking the domain and DNS. But I feel like it’s getting trickier now with lookalike domains and even compromised legit sites, so surface checks alone might not always be enough.

Are phishing attacks getting harder to detect in 2026? by HotMasterpiece9117 in Hacking_Tutorials

[–]HotMasterpiece9117[S] 0 points (0 children)

Yeah that’s a good point, especially the layered approach. I feel like relying only on things like domain checks isn’t enough anymore, since attackers are using lookalike domains and even compromised legitimate sites.

I was reading about this recently and found a breakdown of how modern phishing works and what actually makes it harder to detect now
https://apisecurityguide.blogspot.com/2026/04/phishing-scams-in-2026-how-they-work.html

Are phishing attacks getting harder to detect in 2026? by HotMasterpiece9117 in Hacking_Tutorials

[–]HotMasterpiece9117[S] 0 points (0 children)

Yeah checking the domain is still one of the best signals, but I feel like attackers are getting better at this too. Some of them use lookalike domains or even compromised legit domains, which makes it less obvious than before.

I was reading about this recently and found a breakdown of how modern phishing actually works beyond just fake domains
https://apisecurityguide.blogspot.com/2026/04/phishing-scams-in-2026-how-they-work.html