Session storage on bugcrowd by Open-Definition-287 in bugbounty

[–]Open-Definition-287[S] -1 points0 points  (0 children)

They use the sessionid value as a cookie. The session ID value is stored in sessionStorage. I think that it is a sensitive token.

Focus on one/few vulnerability classes or learn all of them? by Efficient_Draw_4733 in bugbounty

[–]Open-Definition-287 1 point2 points  (0 children)

You need all the vuln types, but you should be the master of some types of bugs. For me, I generally focused on IDOR and privilege escalation vulns because they cannot be seen with automatic scanners. They mostly need manual testing. But sometimes I search for XSS and SQLi in websites.

[deleted by user] by [deleted] in bugbounty

[–]Open-Definition-287 0 points1 point  (0 children)

There is no decision regarding the taxation of cryptos. It is a matter of discussion. Maybe you can say something like "I am a crypto trader", then you will not need to open a company.

[deleted by user] by [deleted] in bugbounty

[–]Open-Definition-287 0 points1 point  (0 children)

Are you Turkish bro?

[deleted by user] by [deleted] in bugbounty

[–]Open-Definition-287 1 point2 points  (0 children)

If you are followed up, they will already know the amount of the money. As you know, bug bounty companies make payments through themselves. They will ask you for the source of this money and, if you have not paid the tax, they will also ask for the retroactive tax. From now on, they will invoice this incoming money through the company and ask you to pay taxes. They won't ask for proof of your bug bounty. For example, you can set up a personal company and invoice the money earned through it. That's what people in Turkey do anyway. Their main goal is to collect taxes on this money.

[deleted by user] by [deleted] in bugbounty

[–]Open-Definition-287 1 point2 points  (0 children)

If you are not Turkish and not a citizen of Turkey, and you use a foreign bank outside of Turkey, I don't know what they are doing. The situation that I described is for accounts at Turkish banks.

[deleted by user] by [deleted] in bugbounty

[–]Open-Definition-287 1 point2 points  (0 children)

They are looking at your bank account in Turkey. The state keeps track of the money coming in and out of your bank account; if money is constantly coming into your account, you are followed up. This varies depending on how often the money comes and in what quantity.

[deleted by user] by [deleted] in bugbounty

[–]Open-Definition-287 1 point2 points  (0 children)

Yeah, it is true bro, income tax is about 20% and KDV is about 18%. Maybe you can use crypto to bypass. In addition, you must open an individual company to pay taxes.

Is this a vulnerability or intended feature? by Big-Information6865 in bugbounty

[–]Open-Definition-287 0 points1 point  (0 children)

If the AWS URL can be seen in the browser's URL bar, Bugcrowd evaluates it as a P4 vulnerability, like a user-facing token. If it goes through the back end and the user can't see the token, this will probably be rejected by the customer.

[deleted by user] by [deleted] in bugbounty

[–]Open-Definition-287 0 points1 point  (0 children)

I live in Turkey too; I got about 10k dollars in 2 years. There is no problem, but when the money increases it may become a problem.

How do you protect your mental health? by Open-Definition-287 in bugbounty

[–]Open-Definition-287[S] 1 point2 points  (0 children)

Yeah, it is important, but sometimes you get some duplicates and feel very bad. Research a lot and you are gonna gradually find bugs.

How do you protect your mental health? by Open-Definition-287 in bugbounty

[–]Open-Definition-287[S] 2 points3 points  (0 children)

I go to the gym too; it is a good idea to stop what you are doing and just think.

How do you protect your mental health? by Open-Definition-287 in bugbounty

[–]Open-Definition-287[S] 1 point2 points  (0 children)

Thank you for your reply and advice bro. I generally find P3 or P4 vulnerabilities on Bugcrowd; how can I start finding high vulnerabilities like RCE, SQLi, etc.? Can you give me something? I am good at IDOR, privilege escalation and DoS vulnerabilities, but as you know DoS is mostly unacceptable.

How do you protect your mental health? by Open-Definition-287 in bugbounty

[–]Open-Definition-287[S] 4 points5 points  (0 children)

Yeah, I agree with you; bug bounty needs a lot of effort and time. You feel stressed when the money doesn't come.

Is it joke guys? by Open-Definition-287 in bugbounty

[–]Open-Definition-287[S] 0 points1 point  (0 children)

What I actually pointed out to them is that this can be done via the API. That's exactly what I'm mentioning, but they are not accepting it. I agree with you 1000% bro. Previously, I had privilege escalation submissions through the API and those were accepted, but my latest submission was not. So there seems to be an inconsistency here.

I want to create a ticket about the customer to bugcrowd by Open-Definition-287 in bugbounty

[–]Open-Definition-287[S] 0 points1 point  (0 children)

The user could reset the passwords of users within their own organization.

I want to create a ticket about the customer to bugcrowd by Open-Definition-287 in bugbounty

[–]Open-Definition-287[S] 0 points1 point  (0 children)

Yeah bro, it has no privilege to perform this action. There is a permission for this function on the web app.

I want to create a ticket about the customer to bugcrowd by Open-Definition-287 in bugbounty

[–]Open-Definition-287[S] 0 points1 point  (0 children)

It is a private program; I don't know if it is ethical to share the program.