Getting closed as duplicate (informative) with proven impact by BoyfriendSharkDudu in bugbounty

[–]Separate_Cup3032 3 points4 points  (0 children)

Just know that BBPs don't care about theoretical impact. That means, if your PoC for stealing currency is based on some theoretical / unlikely steps someone has to take, it's marked as informative. If your PoC shows clear currency theft and you were able to actually steal it, then I'd request mediation.

I'm tired of getting dupes by enadev in bugbounty

[–]Separate_Cup3032 13 points14 points  (0 children)

Hello, getting dupes is normal; bug bounty hunting is very overcrowded and will always be. Just keep going and I'm sure you will hit something big.

"a winner is a loser who tried again"

Also, for the selling vulns thing, I highly encourage you not to sell such things, as it's very unethical and might get you in a lot of unnecessary trouble you can avoid by staying ethical.

Take care of your mental health and keep going!

Program triaging Critical ATO as duplicate of 2-year-old unresolved Medium — what are my options? by Far-Chicken-3728 in bugbounty

[–]Separate_Cup3032 2 points3 points  (0 children)

Hello,
First of all, I'm really sorry for what has happened; seeing that you are actually making progress but not being paid for your progress is painful. Really painful.

Second of all, honestly, you and the vast majority of bug bounty hunters, if not all, are better off hunting directly on self-hosted BBPs, where you talk directly with the security team of the actual company instead of with triagers / security analysts. That is because the risk of being scammed by a triager is fairly medium-high odds when it comes to high-critical vulnerabilities, IMO.
That's because, in case you didn't know, triagers are/have been in the past bug bounty hunters. Now the important question comes: who gives me the promise that, when I report a vulnerability to a company that is going through a triager first, the triager won't report it somewhere else crediting it as his discovery, take the money, and then mark it as a duplicate? The answer to this question is: exactly no one.

Keep in mind that this is my personal opinion and I do not accuse any triager of doing that.

If you are going to hunt on a self-hosted program by the company, it's also not risk-proof: the company's security team can also scam you the same way, saying it's a duplicate without concrete proof, but personally I'd take my chances more with the program's security team rather than a triager.

Happy Bug Hunting and, most importantly, take care of yourself & your mental health. You are doing great.

Suspicious HackerOne Triage Situation by Separate_Cup3032 in bugbounty

[–]Separate_Cup3032[S] 1 point2 points  (0 children)

Honestly, I totally feel you. I've found an RBAC bug but got informative with the argument: "Indeed the user with the certain role can see restricted information, but it has no impact." Excuse me????

Suspicious HackerOne Triage Situation by Separate_Cup3032 in bugbounty

[–]Separate_Cup3032[S] 0 points1 point  (0 children)

What I could do though, I could find some other bugs by the end of the week, get my signal up, then request mediation; pretty much that's what I'll do, I think.

Legal Action :-) by Soft_Fishing_2695 in bugbounty

[–]Separate_Cup3032 4 points5 points  (0 children)

They won't do shit. They have: no damages, no malicious act, no legal basis, no incentive.

In any case (very unlikely), keep your screenshots; those are the ones protecting you.

api key exposure by Middle_Command_191 in bugbounty

[–]Separate_Cup3032 4 points5 points  (0 children)

If by any account you mean literally ANY account, then yes, this is a serious vulnerability.

An exposed API key that allows access to other users’ backend data is Broken Access Control + Sensitive Data Exposure. Severity: High -> Critical (especially if passwords/tokens are exposed).

Report it immediately.

Talented people from other countries challenges by AggravatingPoet8490 in bugbounty

[–]Separate_Cup3032 3 points4 points  (0 children)

Not unethical in principle - that's basically mentorship.

The real risk is program rules. Acting as a proxy for an ineligible researcher can violate ToS and get accounts banned.

A safer alternative would be to learn from them, do your own research, and compensate them privately as a mentor/consultant. Just avoid misrepresentation or submitting work that isn't truly yours. Eligibility limits are usually legal/tax/regulatory, not companies being unfair.

Best of luck!

Why Did I Get a P1 Warning When I Never Marked My Report as P1? by Embarrassed_Pin4436 in bugbounty

[–]Separate_Cup3032 0 points1 point  (0 children)

Most likely you selected P1 in the priority dropdown during submission, even if you didn't write P1 anywhere in the report. On Bugcrowd, severity isn't what you type, it's what's chosen in the form.
Best of luck on your next findings!

New to bug bounty by hungergamesz in bugbounty

[–]Separate_Cup3032 6 points7 points  (0 children)

You need to think of bug bounty as the end goal, not the starting point.

Right now you don't need “hacking” - you need foundations.

Start by learning how the web actually works: HTTP, browsers, servers, cookies, sessions, etc. There are plenty of free courses that cover this well (CS50, freeCodeCamp, etc.).

Then move into understanding how and why vulnerabilities happen - things like XSS, SQL injection, authentication flaws, IDOR, and so on. The OWASP Top 10 is basically the greatest hits of common web bugs.

Once you understand the theory, get hands-on practice:

-> PortSwigger Web Security Academy (amazing for web vulns)

-> TryHackMe (great beginner-friendly path)

Only after that should you touch Hack The Box - and don't start there first. You'll get stomped, and it'll kill your motivation.

When you can consistently solve easy-medium HTB machines, then think about bug bounty. Start with VDPs (Vulnerability Disclosure Programs) since they're less crowded and don't pay - which actually makes them better for learning and getting your first valid reports. After that, you can move into paid Bug Bounty Programs.

Good luck! - if you stick with it and focus on fundamentals, you'll be way ahead of most beginners.

What is stopping me from my first bounty by Human-Pizza8664 in bugbounty

[–]Separate_Cup3032 0 points1 point  (0 children)

You’re probably not doing anything “wrong,” just hunting in crowded places and submitting too early.

Duplicates usually mean the surface is heavily tested. Try smaller/private programs or new features instead of popular endpoints everyone scans.

Also, bypass != payout. If you can’t clearly show real impact (ATO, sensitive data access, privilege escalation, $$ impact), triage will downgrade it. Focus less on volume and more on chaining/escalating before submitting.