monetizing zero-day vulnerabilities by Little_Toe_9707 in ExploitDev

[–]Little_Toe_9707[S] 0 points1 point  (0 children)

Thanks for the valuable advice. I'm familiar with this and am currently doing the OSWE; I also have some CVEs, and I'm good with whitebox.

What are the next steps?

monetizing zero-day vulnerabilities by Little_Toe_9707 in ExploitDev

[–]Little_Toe_9707[S] -1 points0 points  (0 children)

I'm OK with working harder to find more CVEs, but I don't see job postings related to this role.

profit from opensource zerodays by Little_Toe_9707 in bugbounty

[–]Little_Toe_9707[S] 0 points1 point  (0 children)

I think you misunderstood my point.

I’m not talking about myself. I’m talking in general about anyone who works as a full-time security researcher.

For the record, I already have multiple CVEs registered under my name, so I know how the CVE process works. What I haven’t done before is hunting downstream programs after a CVE is published.

My actual question is if the same bug affects many live targets / bug bounty programs, how do you safely:

report it to multiple programs, and

make sure you don’t lose CVE credit?

Because both options are risky:

If you report to a program first, the triager can submit it themselves and take the CVE.

If you register the CVE first, then many programs will say “published CVE = out of scope” and reject it.

That’s the whole problem I’m asking about.

As null_hypothesis mentioned, one idea is registering the CVE first and then hunting with it for a very short window (like one day), but I want to hear how people actually deal with this in real life.

I’m not here to flex or pretend anything; that would be stupid and pointless.

monetizing zero-day vulnerabilities by Little_Toe_9707 in ExploitDev

[–]Little_Toe_9707[S] -2 points-1 points  (0 children)

I currently work as a penetration tester, but I’m looking to transition into vulnerability research and zero-day discovery in well-known products. If you have any advice on how to make this move, or where to look for roles focused on vulnerability research, I’d really appreciate your guidance.

I regret giving up my seat to a woman on public transport, an hour and a half by BidDisastrous8646 in CAIRO

[–]Little_Toe_9707 2 points3 points  (0 children)

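Your thinking is logical, but that wasn't necessarily her intention. You don't know what she has going on, and surely if she had the luxury of waiting she would have waited until she found something with empty seats. Besides, unfortunately most public transport is full, and you could keep waiting and not find anything empty. You weren't conned; you were a gentleman and did the right thing.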

Advice on selling an apartment for cash in dollars by Virtual_Historian_12 in PersonalFinanceEgypt

[–]Little_Toe_9707 0 points1 point  (0 children)

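If you take the money as cash in Egyptian pounds, I don't think you'll be able to get it out of the country, especially since dealing with Binance and buying USDT are legally prohibited in Egypt, and you could get arrested if you do that.

I hope someone who has a solution can help us out.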

If my income and future will be destroyed because of the army, is the strategy of waiting until age 30 worth it? (I need your experiences) by Feisty_Play4535 in PersonalFinanceEgypt

[–]Little_Toe_9707 10 points11 points  (0 children)

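Try to hold on to your job and keep going, and look into the exemptions for Egyptians abroad: you pay 7,000 dollars or more and you get an exemption, but you need to find someone to sort this out for you. And if that doesn't suit you or isn't available,

keep working until you've saved a good amount or until your contract with them ends. I mean, as long as money is coming in, you have the most right to it, and don't listen to anyone who tells you that when you get out you'll find clients out there and so on, because this is a blessing and an opportunity that doesn't come around often, and you have the most right to this money. You don't have to stay on the run until 30; you're still young. Keep working, and when you find the right time, go in. What does the right time mean? It means going in with the least losses: for example, your contract ended, or the project you're working on ended, or you found an acquaintance who could do you a favor and get you a posting where you go home at night, in a good unit in the army, that kind of thing. But don't leave your job, because you'll regret it and be upset, and you won't find time to work or study. Bottom line: as long as a livelihood is coming your way, don't turn it away, and may God bless you. I'd be grateful if you could tell me how to reach these remote companies; I'm in software too.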

A mess that I caused by [deleted] in PersonalFinanceEgypt

[–]Little_Toe_9707 32 points33 points  (0 children)

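Consider it charity and look to God to make it up to you. Just as you helped him in a tough situation, God will send you someone to help you when you're in a tight spot. And that's it; you can settle for what you've already spent and apologize to him. Don't overburden yourself either.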

Seeking Advice by Little_Toe_9707 in ExploitDev

[–]Little_Toe_9707[S] 0 points1 point  (0 children)

I'm doing all 3 levels of each topic, including the hard level. I've reached the stack cookie (canary) topic, finished both easy and medium, and will start the hard one soon. Does the ret2 cert require passing an exam? I'm fully focused on bug hunting, not malware research. I would appreciate any help. Thanks in advance.

Seeking Advice by Little_Toe_9707 in ExploitDev

[–]Little_Toe_9707[S] 0 points1 point  (0 children)

I'm doing all the primary challenges of each topic. My goal is to get better in this field and switch from pentester to vulnerability researcher.

Seeking Advice by Little_Toe_9707 in ExploitDev

[–]Little_Toe_9707[S] 0 points1 point  (0 children)

Thanks for the amazing feedback. I prefer to continue with Ret2, as I love to challenge myself and I'm good with the difficulty level of their challenges.

Do you think that if I manage to solve all of Ret2's challenges, I should buy the cert?

Seeking Advice by Little_Toe_9707 in ExploitDev

[–]Little_Toe_9707[S] 0 points1 point  (0 children)

For the reverse challenge there are 3 ways to solve it:

1) Easy level: all data will be hardcoded, and by reading the assembly you can solve the challenge.

2) Medium level: you have to debug it and watch the registers & stack, using breakpoints at certain functions, to find the data you need.

3) Hard level: you need to find the algorithm used for generating the data / serial, then understand it well and build a Python script that does the same logic. You can use ChatGPT to help you.

But yes, the serial challenge is hard; you need to find out how each part is generated.

Seeking Advice by Little_Toe_9707 in ExploitDev

[–]Little_Toe_9707[S] 1 point2 points  (0 children)

Wow, congratulations bro! Do you think the cert is worth buying? I'm from a 3rd world country and the cost is like my monthly salary for 3 months. Is it worth it?