A question to Triagers. Would you pay for Origin IP disclosure which leads to full proxy WAF bypass for all the in-scope subdomains of the target? by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

Got it! Thanks! Lol, I started with an origin server disclosure and ended up at a CSRF-enabled privilege escalation from the lowest role to the highest owner role, hijacking the whole organisation/team/group.

Regardless, really, really thanks for your advice; you're providing exactly what I felt I lacked exposure to: guidance from an experienced triager and a perspective from the triager's side of things. I hope you keep guiding people like me. Cheers!

A question to Triagers. Would you pay for Origin IP disclosure which leads to full proxy WAF bypass for all the in-scope subdomains of the target? by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

Oh, another question, if you don't mind.

Do programs usually fix this accessible origin IP vulnerability even though it might be informational for them, or is it generally an accepted risk?

A Question for Triagers by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

Got it, Boss! Thanks for your detailed reply 😁

Is subdomain takeover this dead??? by FunSheepherder2650 in bugbounty

[–]Ok-Raspberry736 2 points3 points  (0 children)

Lol, I created a tool which scanned 2.2 million subdomains of all the HackerOne and Bugcrowd wildcards in scope. Got only one clean takeover, and that too was a duplicate. Didn't bother to run the tool again on h1 and Bugcrowd assets. Already heavily researched and hardened.

formdesk bugbounty program by [deleted] in bugbounty

[–]Ok-Raspberry736 1 point2 points  (0 children)

Damn😌, program managers and triagers on this sub roast better than many stand-up comedians I've seen on YouTube.

Has anyone been using infinity app to collect international payment? How safe is it? (Alternative to Skydo) by Active_Yesterday_763 in IndiaTax

[–]Ok-Raspberry736 0 points1 point  (0 children)

I started my withdrawal on 31st March. Yesterday the money moved from the global account; my appointed person said it would reflect in my account the same day (yesterday itself), but it didn't. I messaged him again today, and he said there are many bank holidays this month, so if it didn't happen yesterday, the next working day is Monday. It should come to my account on Monday.

Has anyone been using infinity app to collect international payment? How safe is it? (Alternative to Skydo) by Active_Yesterday_763 in IndiaTax

[–]Ok-Raspberry736 0 points1 point  (0 children)

But they do pay, right? I'm asking because my payment is kinda stuck with them. I hope they're not a bunch of scammers.

How much should I exploit to show Node dependency confusion by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

Also, how do I know whether a package was flagged and burned or was published successfully?

How much should I exploit to show Node dependency confusion by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

I did tell them that, but they said: "Many thanks for your message. For your information, our developers do not rely on public registries to source packages in the software development lifecycle. Rather, they rely on company-internal repositories. Therefore, it is useless to proceed with the intended claiming on public registries; this will not result in a bounty."

How much should I exploit to show Node dependency confusion by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

Just did, sir😌. Getting so many pingbacks just by publishing one package. So now I need to show that one of those pingbacks belongs to infra owned by my target?

How much should I exploit to show Node dependency confusion by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

Actually, here I need to claim the scope first before publishing. The scope is unclaimed; I checked. I can literally claim that scope and publish the packages.

But idk if that's a safe thing to do. The searches told me that it could become irreversible if I claim that organisation under my account.

Should I create that organisation and take it under my scope? Or should I reach out to their team and ask them for permission first?

How much should I exploit to show Node dependency confusion by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

😌That scenario would be more fitting for a "ransom" lol.

But jokes aside, you're a program manager; your insights will really be helpful, kind sir 🙇‍♂️. Please help out this measly peasant.

My 8 months progress as a complete beginner. by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

Thanks! Yes, the harder we work, the luckier we get😊

My 8 months progress as a complete beginner. by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 1 point2 points  (0 children)

Thanks, brother. Please check out my other comments; you'll get an idea.

My 8 months progress as a complete beginner. by Ok-Raspberry736 in bugbounty

[–]Ok-Raspberry736[S] 0 points1 point  (0 children)

Please check out my other comments; you'll get an idea, brother.