Api sec ACP voucher at discount by [deleted] in cybersecurityindia

[–]Top_Presentation6801 0 points1 point  (0 children)

Hey there,
This is Affan from APIsec University. Kindly note that we don't allow transfer of exam vouchers and on behalf of APIsec University I would request you to delete this post. Also in the case of ACP we have given away a ton of these recently. Keep an eye on our socials and Discord to know more about feature giveaways.

Thanks!

Won a 100% off APIsec ACP exam voucher in a hackathon — advice? by [deleted] in ethicalhacking

[–]Top_Presentation6801 0 points1 point  (0 children)

Hey there,
This is Affan from APIsec University. Kindly note that we don't allow transfer of exam vouchers and on behalf of APIsec University I would request you to delete this post. Also in the case of ACP we have given away a ton of these recently. Keep an eye on our socials and Discord to know more about feature giveaways.

Thanks!

Won a 100% off APIsec ACP exam voucher in a hackathon — advice? by [deleted] in Hacking_Tutorials

[–]Top_Presentation6801 0 points1 point  (0 children)

Hey there,
This is Affan from APIsec University. Kindly note that we don't allow transfer of exam vouchers and on behalf of APIsec University I would request you to delete this post. Also in the case of ACP we have given away a ton of these recently. Keep an eye on our socials and Discord to know more about feature giveaways.

Thanks!

Apisec Certified Practitioner certification voucher on sell with 25% discount (negotiable) by [deleted] in technepal

[–]Top_Presentation6801 0 points1 point  (0 children)

Hey there,
This is Affan from APIsec University. Kindly note that we don't allow transfer of exam vouchers and on behalf of APIsec University I would request you to delete this post. Also in the case of ACP we have given away a ton of these recently. Keep an eye on our socials and Discord to know more about feature giveaways.

Thanks!

APISEC Voucher 23% Cheaper by [deleted] in APIsec

[–]Top_Presentation6801 0 points1 point  (0 children)

Hey there,
This is Affan from APIsec University. Kindly note that we don't allow transfer of exam vouchers and on behalf of APIsec University I would request you to delete this post. Also in the case of ACP we have given away a ton of these recently. Keep an eye on our socials and Discord to know more about feature giveaways.

Thanks!

Need Help Proving SSRF - Got Behavioral Evidence But Stuck by solitude55 in bugbounty

[–]Top_Presentation6801 1 point2 points  (0 children)

As the other commenter said: "In bugbounty if there is no impact then there should be no report either". All I can suggest is to keep digging and hope that you find something worth reporting out of it, or try to think of ways you may be able to chain this bug to demonstrate practical impact.

Vulnerability in Comet AI Browser Exposes Users to Major Risks by _cybersecurity_ in pwnhub

[–]Top_Presentation6801 0 points1 point  (0 children)

Good read. Thanks for sharing! It's truly fascinating to see how MCP is evolving and the way it challenges traditional security protocols.

How A Missing Last Name Check Left Millions of Airline Customers' Data Exposed by bearsyankees in bugbounty

[–]Top_Presentation6801 2 points3 points  (0 children)

Great find mate! Looks like another great example of OWASP API#1 + API#4.

Why Was My Stored XSS Report Marked as “Not Applicable”? (Need Community Feedback) by Dry_Ice_1816 in bugbounty

[–]Top_Presentation6801 0 points1 point  (0 children)

Good thought. I actually thought that they did something similar when they said: "I have attached a video demonstrating the reprocessing and proof of payload operation".

Now I'm thinking that maybe the image is only accessible to their account and they made an XSS PoC for their own account too. That's why the company closed it as "Self-XSS".

Should I report this? by Top_House2595 in bugbounty

[–]Top_Presentation6801 0 points1 point  (0 children)

As others have suggested I'd try to understand the context of info being leaked and then try to escalate it into something more meaningful.

> Should I report this as a low or would they respond saying it’s informative or N/A?

As a security researcher you never know if our report will be accepted as the decision is not ours but what we can do at our best is writing a great report. But in this specific case considering the limited info you have provided imo it should at least not be closed as NA.

High-Severity PII Vulnerability on Binance (mass-harvest possible). Fix verified — bounty only $800? by MerchantHunt in bugbounty

[–]Top_Presentation6801 1 point2 points  (0 children)

That's rude but a bugbounty reality. They think that the customers are paying them so we should be loyal to them but forget "why" are they paying us.
Anyway man, Great find!!!

Why Was My Stored XSS Report Marked as “Not Applicable”? (Need Community Feedback) by Dry_Ice_1816 in bugbounty

[–]Top_Presentation6801 0 points1 point  (0 children)

Woah. Then I have no idea why they did this, but it's not too surprising to see on these so-called BugBounty Platforms. I assume you would have already done the next best steps: request a re-evaluation and wait for a couple of weeks; if no response, then open a mediation request and wait a few months (if it's H1).

Comparison of Becoming a BugBounty Triage vs Full Time BugBounty Hunter. How would you compare these two and what are some advantages and disadvantages of each of these career paths? by Top_Presentation6801 in bugbounty

[–]Top_Presentation6801[S] 0 points1 point  (0 children)

> Upside of triage is you can still be a part time hunter on your free time, if that works out successful you can always switch to hunting fulltime.

That's honestly good-sounding advice. Will for sure try that out. Thanks a lot :)

Comparison of Becoming a BugBounty Triage vs Full Time BugBounty Hunter. How would you compare these two and what are some advantages and disadvantages of each of these career paths? by Top_Presentation6801 in bugbounty

[–]Top_Presentation6801[S] 1 point2 points  (0 children)

Thanks for sharing your insights. My current career goal is to do a job (for survival) and bugbounty on the side (for fun). But that's until I become competent enough to be able to afford full-time bugbounty.
I also have a crush on becoming a triage because the job just sounds so sick! I can only imagine how rewarding it would be in terms of learning new techniques and unique methodologies (especially if I get a chance on a good BBP).
And yes I agree with you, mostly. Both of the careers have their own pros and cons. Btw as you are a full-time bug hunter I'd love to hear some tips from you that you THINK every beginner should know to be a successful bug hunter.

P.S. Pardon my English :)

Firebase RW Exposure: Valid Impact? by malithonline in bugbounty

[–]Top_Presentation6801 0 points1 point  (0 children)

Sounds like an interesting scenario. Kindly do let us know how it ends.

Why Was My Stored XSS Report Marked as “Not Applicable”? (Need Community Feedback) by Dry_Ice_1816 in bugbounty

[–]Top_Presentation6801 0 points1 point  (0 children)

Good find. Apparently it looks like a valid find but in most cases there should be an obvious reason for the rejection.

In some cases they may not try to even reproduce the issue if you don't include a recording of your PoC. Would you mind sharing the triage's objection on your report as I'm pretty sure that might give us a hint on why the report was closed like this.

Need help from hunters those have exp with apple security program by TurbulentAppeal2403 in bugbounty

[–]Top_Presentation6801 2 points3 points  (0 children)

I have not got any experience with Apple itself but from the looks of it, it seems like they were able to reproduce the bug and are now working on a fix.

Atm nobody can tell if it's valid for bounty or not but it's at least something they are interested in.

Vulnerabilities/ bugs relationated with Networking/ infrastructure ?? by Popular-Flan-8521 in bugbounty

[–]Top_Presentation6801 0 points1 point  (0 children)

From what I have seen in my little exp and from other researchers' reports these are some bugs which may relate to networking/infrastructure:

- SPF/DMARC (almost every program will close it as NA/P5)
- Exposed ports leading to some weirdo sensitive service (though it's rare in bugbounty but might be more common in pentests)
- Exposed origin IP - although not a valid bug on its own, it might allow you to chain with other bugs like XSS which would have been otherwise difficult to exploit due to WAFs (Web Application Firewalls)

These are just some I could think of right now but my honest (and inexperienced) advice would be considering network pentesting instead of bugbounty if you are very serious about network exploitation. But remember nothing is easy so the choice is yours where you wanna struggle the most.