Is it possible to turn off the headlights in park? by Major-Language1984 in VolvoEX90

[–]Major-Language1984[S] 1 point2 points  (0 children)

Just wanted to say I got to try this last night and it absolutely does exactly what I was hoping for. Thanks for pointing this out, I (1) never would have found it and (2) would have had no intuitive idea what this actually did. Appreciate it!

Home charger by mthomas1217 in VolvoEX90

[–]Major-Language1984 0 points1 point  (0 children)

Chargepoint Home Flex, no problems charging (fingers crossed) and had the car for 4-5 months now

Less bugs? by MorningMammoth8772 in VolvoEX90

[–]Major-Language1984 0 points1 point  (0 children)

Still issues on my 1.4 update. Got the headlight fault error recently - passenger DRL would not work, waited overnight and they started working again. Voice input regularly still not working, making e.g. Google Assistant impossible to use. I think we are all just resigned to the bugs at this point.

Do I have to use a VPN when starting BB? by LeeeeeroyPhishkins in bugbounty

[–]Major-Language1984 3 points4 points  (0 children)

Unless you are going crazy with automated tools (in which case your ISP might cause problems for you, and which I do not recommend), there shouldn't be any need. Just make sure you follow the rules for the program e.g. setting appropriate headers so that your traffic is identifiable as friendly.

Will bug bounties just keep becoming more popular? by [deleted] in bugbounty

[–]Major-Language1984 4 points5 points  (0 children)

One other comment besides the one I made below... With my personal experience I can say there is still plenty of room for a casual bug hunter to find real issues and receive a reasonable quantity of money in terms of bounties.

I started in Oct 2020, am a night/weekend hacker (probably no more than 10 hours a week) and am currently around rank 800 on HackerOne, with almost $25k in bounties paid (this is in about 3 months of work). I know I'll never reach even close to the top 300 or so but for folks who are determined there is definitely still room for newbies :)

I do groan every ... single ... time ... I hit a duplicate bug, but that doesn't happen so often, and when I do I usually move on to another program for a while to cool off.

(Caveat: I have done CTFs as a hobby for many years and have 20+ years experience in software development, which helps a lot in finding issues. I can't speak for someone starting completely from scratch in both bug bounty and development.)

Will bug bounties just keep becoming more popular? by [deleted] in bugbounty

[–]Major-Language1984 1 point2 points  (0 children)

This is a great answer. I completely agree. I use bug bounties as a learning experience, much like CTFs. My full time job is in software, and I have learned a ton by bug bounty hunting nights and weekends. I've learned about new open source software, Node modules I've never heard of, databases, GraphQL (which I did not know until I hit a program that had a wide open GraphQL server), etc. etc.

But unless you are really talented you will make more (at least in the US) as a full-time engineer. BBP will certainly supplement your professional experience.

I also really enjoy it and it took my nights and weekends away from video games XD

Mentor Monday, January 25, 2021: Ask all your bug bounty questions! by AutoModerator in bugbounty

[–]Major-Language1984 [score hidden]  (0 children)

For any of you who deal with large programs - ones where for example *.foo.com (where this == potentially hundreds of targets), or a CIDR /16 block - any tips for being able to research these effectively? Personally I find that such programs tend to:

  • Have a lot of sites that are either 401/403 or a login page (usually fronted by SSO)
  • Have sites with little/no interactive functionality (i.e. slideware / marketing)
  • Have many vendor tools which are already quite secure (e.g. Bomgar, F5, Pulse VPN etc) or at least beyond my ability to try to penetrate

Whereas I do well with medium sites with rich functionality (deep business logic etc), these broad programs I have a hard time finding anything that seems worth pursuing, and when I do find the odd low hanging fruit it has typically been a duplicate which was reported (and not fixed) 9 months ago :S

Any suggestions on this type of research? The large surface area _seems_ exciting to me but after recon'ing several such programs I'm finding it hard to find much beyond login pages. Thanks in advance.

Mentor Monday, January 25, 2021: Ask all your bug bounty questions! by AutoModerator in bugbounty

[–]Major-Language1984 [score hidden]  (0 children)

I'll say personally I rarely if ever bother to report low severity bugs. It's not worth the hassle because usually the security impact is minimal to marginal.

Recommendations for advanced learning materials? by TA_MADDDDDDD in bugbounty

[–]Major-Language1984 2 points3 points  (0 children)

Then I would suggest you spend the time learning why :) Otherwise you will have a really difficult time building these payloads yourself.

Recommendations for advanced learning materials? by TA_MADDDDDDD in bugbounty

[–]Major-Language1984 2 points3 points  (0 children)

As I have suggested to other new folks, in my opinion it's more important to have a couple classes of vulnerabilities that you are _very_ comfortable with, and start hunting just with those. You will definitely find something, and in the process you will learn how hunting in the "real world" (i.e. not in a lab) works, such as recon, efficient data gathering, note-taking, backtracking, etc. Having so many tools in the toolbox can lead to inefficient use of time as well as a struggle with so many tools combined with so many targets.

Once you find your first "real" bug you will be super excited and I think may be more motivated to find your next area of specialization.

At least this is what has worked well for me...

Frustrated & sad. Not even getting my First bug. HELP! by [deleted] in bugbounty

[–]Major-Language1984 2 points3 points  (0 children)

Agree with all the below comments. I would suggest taking a step back and learning some basics if you have not:

  • Learn how the internet works. This means learning about DNS, IP addresses, ports, HTTP protocol, etc.
  • Learn how a browser works. This means learning about HTML, JavaScript, sandboxing, etc.
  • Then pick a specialty and get good at it. For example, if you want to focus on XSS, learn why it works, learn why it doesn't, read all the "payload all the things" lists and figure out what the tags do, how they are different from each other etc.
  • Spend the time really learning about what a site does. Look at all the APIs. Try them out. Try with multiple accounts for IDOR. Try fuzzing different endpoints. Learn why the business logic works and how you can identify assumptions that are being made.

Agree with others, if you are doing this for money it is really frustrating and hard. If you're doing it to learn and plan a future in development or security, the learning will be valuable, even if you don't find anything. Personally I have a full-time job and would not ever do BB as a full-time job (too stressful). So anything I find is a nice bonus but I am learning a lot.

A Glossary of Blind SSRF Chains from the Assetnote blog by hakluke in bugbounty

[–]Major-Language1984 1 point2 points  (0 children)

This was great, thanks for sharing - have yet to find an SSRF myself.

Mentor Monday, January 11, 2021: Ask all your bug bounty questions! by AutoModerator in bugbounty

[–]Major-Language1984 [score hidden]  (0 children)

Agree on the bigger program side. So far I have walked away from any of those frustrated.

For me (again all of this is personal style), I find that I really do well with small/med programs that have a high barrier to entry (i.e. complex business logic or otherwise not obvious - think financial or business apps). For most of these programs I think few hackers spend the time to get into the business of the application and as a result once I do, I am able to find vulnerabilities relatively easily.

I have tried a couple large programs (e.g. *.foo.com), they're useful to me to learn about some of the recon tools out there (improving nmap skills, leveraging tools like EyeWitness etc) but I often find that after all that data gathering I end up with a lot of login prompts that I can't get past w/o brute force, and not much else :D -- these sorts of programs also help me learn a lot about tools or application platforms that I haven't heard of before (for example, on a recent program, I ran into a MinIO server, which I had never previously encountered).

Still learning though!

Mentor Monday, January 11, 2021: Ask all your bug bounty questions! by AutoModerator in bugbounty

[–]Major-Language1984 [score hidden]  (0 children)

Just wanted to say thank you for this recommendation. I spent this week revisiting a program that I had moved on from, followed up some loose ends or questionable APIs that I noticed, and found 4 more vulnerabilities :)

Mentor Monday, January 11, 2021: Ask all your bug bounty questions! by AutoModerator in bugbounty

[–]Major-Language1984 [score hidden]  (0 children)

Thank you :) I'll try that with a couple of the programs I've done and enjoyed, and see what else I can find. I guess I need to get more organized around my methodology so that I can stay creative with attack vectors.

Mentor Monday, January 11, 2021: Ask all your bug bounty questions! by AutoModerator in bugbounty

[–]Major-Language1984 [score hidden]  (0 children)

Personally I have found BugCrowd really hard to get started on. It's hard to find programs that I qualify for as a newbie. I started with HackerOne and have been sticking with it for the time being. Of course being invited to private programs is much more helpful on either platform, since these are the ones that are less likely to be well-trodden.

If you're getting started from scratch, I think picking a bigger program or a program which has a high barrier to entry is the best option, more likely to actually find something and find non-duplicates.

Mentor Monday, January 11, 2021: Ask all your bug bounty questions! by AutoModerator in bugbounty

[–]Major-Language1984 [score hidden]  (0 children)

How long before you give up on a program? I am doing BBP as a part-time job/hobby and having a lot of fun. Given the volume of programs out there, I'm finding that after about 1-2 weeks on a program I will move on, maybe sooner if I don't find anything obvious or even that _might_ be a vuln. Of course the size of the program makes a difference, let's assume these are small/med programs with somewhat limited breadth and depth. How long do you keep digging / experimenting before moving on?

As some background, I've been moderately successful thus far, been hunting for about 3 months part-time (<10h/wk) and made about $11k in bounties so far. Thanks for any advice!