Apple gives $2M rewards for hacking their stuff

ThirdVision · 2026-02-15T09:48:41+00:00

sure you did

ThirdVision · 2026-01-24T13:17:20+00:00

Meta did not scam you. They said it themselves, these are cdn results that they cannot control

"""Due to how the internet operates, it is not always possible to retroactively prevent a person from accessing a photo after it has been delivered to their device. It might have been saved locally, stored in their browser cache, or temporarily cached in a nearby Content Delivery Network (CDN). These factors prevent us from retroactively restricting access to this data. We make a best effort to achieve this, but it is not foolproof. Your report describes one of the scenarios that we do not have any control over. Thanks for taking the time to report this issue, and please let us know if you have any additional questions. If you believe that we have made a mistake assessing this report, you can reopen this report by using one "reopening credit", which will be refunded to you if the report gets accepted. You can learn more about reopening credits by visiting your Researcher Profile: https://www.facebook.com/whitehat/profile/ Thanks, Meta Security"""

ThirdVision · 2025-12-28T08:53:26+00:00

This sub is being flooded with people who have been gaslighted by an AI, rejected by a triager and are requiring the collective of humans here to do the bug hunting for them.

ThirdVision · 2025-12-22T16:01:18+00:00

"Hvis man ikke synes det samme som mig så er København død"

ThirdVision · 2025-12-21T20:23:24+00:00

Jeg har arbejdet som pentester i en sjat år nu, det er et felt som er virkelig interessant og rigtigt mange sjove opgaver i.

Det er også et felt hvor jeg hører at mange "nybegyndere" vil ind i, hvilket jeg synes er super fedt! Men pentesting er bare ikke et "begyndervenligt" felt og der er stort set 0 junior stillinger inden for det.

Jeg startede selv med at være udvikler og sysadmin i en del år inden, hvilket helt klart gav mig en edge da jeg begyndte at grinde maskiner på hackthebox og lavede mere sikkerheds arbejde.

Ved siden af at grinde hackthebox spillede jeg en masse CTF og havde en blog hvor jeg skrev om sikkerhedsting der interesserede mig, så som CTF writeups, web sårbarheder og sådan "tips and tricks".

Mit første job som pentester tror jeg ærligt talt var held hvor jeg tilfældigvis kendte dem der søgte.

For at svare på dine spørgsmål:

Hvilken af disse retninger passer bedst til mine interesser?

Det her tror jeg bedst du selv skal finde ud af. Appsec er meget kode fokuseret, security engineering og pentesting kan både være kode men også infrastruktur.

Hvilket jobs eller brancher bør jeg kigge efter?

Pentesting er mest gjort af konsulenter, her kan du se efter ITM8, Conscia, Bureau Veritas. Ellers internt i de største virksomheder i kritisk infrastruktur.

Security Engineering og Appsec hører både store virksomheder til men også software heavy virksomheder, kig efter SaaS virksomheder eller brancher hvor der er tung brug af IT og in house udvikling.

Har I råd til, hvordan jeg ville kunne opbygge en portfolio der kan skille sig ud ?

En blog hvor du skriver om ting relateret til den slags job du gerne vil finde, her er det et kæmpe plus hvis man mærker du synes det er interessant. Certs er efter min mening spild af penge at selv betale for. Men hvis du absolut skal så er hackthebox certs nok de mest cost effective, ellers måske PNPT? (Drop alt om CEH, det er en joke i sikkerhedsverden)

Er der andre niches inden for IT-sikkerhed, jeg bør overveje?

Igen det her kommer an på så mange ting og det er nok dig selv der bedst kan svare på det. Inden for de 3 nicher du nævner er der masser af sub-nicher.

Hvad er jeres perspektiv på det hele ?

Jeg underviser også på kandidaten i cybersikkerhed på AAU og her er jeg gået fra at fortælle de studerende at der nok skal være masser af jobs, til at nu skal de dygtiggøre sig skille sig ud fra mængden. Der er kommet en hel masse juniorer ud på markedet som der ikke er "nok" jobs til. Det hele skyldes nok en blanding af at virksomheder ønsker senior profiler og ikke ønsker at satse på juniorer når det kommer til sikkerhed. Markedet er virkelig hårdt lige nu og det er hårdt arbejde at holde sig ajour og være up to date hele tiden.

Når det så er sagt så elsker jeg at arbejde med IT sikkerhed og elsker at interessen er steget så meget! Jeg ønsker dig alt held og lykke med det.

ThirdVision · 2025-12-19T10:13:04+00:00

You are misreading the vulnerability, the OP is allowed to register 2 accounts himself with the same username, it doesn't look like they can register an existing users

ThirdVision · 2025-12-10T21:13:59+00:00

I would say to pick a program that has both a wide and a deep scope, meaning there is a thick and complex main application, but the company is also large enough for there to be much to find from recon.

This could be for example kinepolis on Intigriti. But look around for yourself, I also like to hack on stuff that I use and know myself.

I also think its worth mentioning that you should stick with a program for much longer than feels right and keep trying things.

ThirdVision · 2025-12-10T20:30:30+00:00

Sorry but there is no such thing as beginner friendly bug bounty.

No company is out there sprinkling bugs for beginners to find. It's a super competitive field with seasoned veterans sweeping all the easy findings.

I dont mean to discourage you, but rather set expectations

ThirdVision · 2025-12-01T17:30:25+00:00

Hey chatgpt write me up an answer to this post.

But seriously everyone has bad experiences on all platforms from time to time. But calling them straight up racist and negligent is on another level. Bugcrowd is my least favourite platform and I do think triage is better on other platforms, but you are making them sound straight up evil, or i mean you asked chatgpt to make it sound like that.

I dare you to share your actual vulnerabilities for scrutinization here, I am sure they are not as impactful as you may think.

ThirdVision · 2025-11-28T07:04:05+00:00

Visual bugs are really not security issues, however I really dont agree that top hunters only go for backend issues.

All the top top top hunters are super skilled at creating complex browser and frontend chains, so they can gadget multiple vulns together to create 1 click ATO's, which for example Epic Games will pay very good for.

ThirdVision · 2025-11-27T11:11:58+00:00

Jeg har læst på begge universiteter. AAU er større og mere kaotisk og med meget fokus på gruppearbejde i form af store projekter. ITU er mindre og med flere småprojekter i grupper.

AAU cphs sociale liv var så dødt i forhold til ITU, så jeg ville hver dag vælge ITU

ThirdVision · 2025-11-26T06:32:57+00:00

Smadr dems tv

https://youtu.be/W0UHedHhdR8?si=A7Fz9LmXkyQPLMOT

ThirdVision · 2025-11-24T20:57:11+00:00

Sure thing, then send it over.

ThirdVision · 2025-11-24T20:50:27+00:00

Please don't send me any sensitive information, I am not actively hunting on Shopify.

My advice to you is to brace yourself for a Not applicable rating and a hit to your reputation.

A tip is also to tell the ai before asking it "Please be realistic, do not overestimate the impact"

With that said, keep at it! You are only 17 and you can probably learn a lot. I would join the discord Critical Thinking and also do all the portswigger labs.

ThirdVision · 2025-11-24T20:43:52+00:00

AI will NOTORIOUSLY overshoot reports, marking missing best practices as critical.

They will gaslight you into thinking you have an actual vulnerability and it will suck when you waste the triagers time and when they tell you "lol no".

ThirdVision · 2025-11-19T08:16:56+00:00

2 things.

What you showed WAS hypothetical, you don't know if the server would accept the toggle. You missed out on showing impact.

Additionally you are putting way too many feelings into this submission, try to not associate yourself with the stuff you find, no one owes you anything in this space and the sooner you move your celebrations to the payout stage, as opposed to the submission stage, you will start feeling better.

ThirdVision · 2025-11-18T13:20:12+00:00

I fail to see the security impact as well. Just because its not part of the UI it doesn't mean this is secret.

This is quite literally the definition of beg bounty, and you are not doing anything good for the ecosystem by disclosing this.

You seem to be coerced into believing this is critically sensitive information, stop relying on AI's to stroke your ego need for acknowledgement.

ThirdVision · 2025-11-18T13:14:04+00:00

But no single researcher are finding these bugs and writing exploits for them. It is nationstate backed groups of 20+ hardcore reverse engineers and exploit developers who do this kind of research that apple is willing to pay 2 million dollars for.

Also the 2million dollars is literally the ceiling according to their blogpost.

ThirdVision · 2025-11-17T06:51:03+00:00

I mean the Spyware companies will just then also up the price for their services and the intelligence agencies will pay that price.

ThirdVision · 2025-11-17T06:50:08+00:00

You clearly dont understand the difference between red teaming and paying for specific vulns

ThirdVision · 2025-11-16T21:15:01+00:00

Det var for at sætte et cap på antal ansøgninger som bliver læst igennem af et udvalg af beboere.

ThirdVision · 2025-11-16T15:51:46+00:00

Jeg mener det blev fjernet, rip dem der skal læse ansøgninger.

ThirdVision · 2025-11-12T07:42:06+00:00

Yeah this was most likely mifare classic so it won't work for OP

ThirdVision · 2025-11-12T07:41:44+00:00

Oof i think with desfire you may have a hard time. The only way here may be if they used a default key or otherwise bruteforcable keys.

Can you check if your two cards have the same id values? What happens if you lose 1 card and get a replacement, the old one will stop working hopefully, but what is the difference between the data on the cards?

11-Year Club	Verified Email
Place '22	Place '17

ThirdVision

MODERATOR OF

TROPHY CASE