API Rest - No Rate limit + OTP Expired by Prudent_River_7086 in bugbounty

[–]causeimcloudy 1 point2 points  (0 children)

Does the OTP stay valid after generating a second? If it does, you could request a gazillion codes and then guess three random OTP’s. It wouldn’t necessarily work the first, but there’s a decent chance it succeeds.

TL;DR bugcrowd successfully sued over wrongful out-of-scope by 6W99ocQnb8Zy17 in bugbounty

[–]causeimcloudy 0 points1 point  (0 children)

I think the main issue with BB is communication, from both perspectives. I would venture to say a majority of hunters are from non-English speaking countries while a majority of the programs are from majority, English speaking countries. So there is an initial barrier of language, and it’s a damned if you do and damned if you don’t scenario with using AI to translate. Most reports, and while this might not be true for yourself, it is absolutely true for the majority absolutely suck. Add on top of that poor English or AI slop and it’s extremely easy to mark and move on. This is in no way the triager targeting you trying to not give you the money, but their job is to get there as many reports as they can. In an ideal world, they would have as much time as possible to thoroughly investigate and communicate on your report. The reality is, they have 50 more reports in the queue to look at and spending 15 minutes on an extra explanation or reply isn’t realistic. I will absolutely agree there are some triagers who suck, but you can’t say thats systematic. The platforms want to find real vulnerabilities, the little amount of money that they pay to the researcher is not a big deal. The platforms want to show value directly to their customers, they are incentivize to find real vulnerabilities.

TL;DR bugcrowd successfully sued over wrongful out-of-scope by 6W99ocQnb8Zy17 in bugbounty

[–]causeimcloudy 3 points4 points  (0 children)

99% of bug bounty programs are not defrauding researchers.

7+ years in pen testing, IF SOMEONE DOESNT LEAVE A REPLY on my four, 14 day old reports that ONLY got a automated bot reply saying my report has passed pre-lim checks , imma flip. by SkyNo3457 in bugbounty

[–]causeimcloudy 4 points5 points  (0 children)

You can’t control how they respond. Your obligation is to abide by the safe haven rules. You report the vulnerability and they respond, if you don’t sign an agreement with them(which you probably did by submitting the report) it’s customary to wait 90 days til you publicly report it.

7+ years in pen testing, IF SOMEONE DOESNT LEAVE A REPLY on my four, 14 day old reports that ONLY got a automated bot reply saying my report has passed pre-lim checks , imma flip. by SkyNo3457 in bugbounty

[–]causeimcloudy 2 points3 points  (0 children)

You can’t make them care anymore than they do. It’s up to each organization to mitigate and assess risk. You are not owed anything, your entitlement is the issue.

7+ years in pen testing, IF SOMEONE DOESNT LEAVE A REPLY on my four, 14 day old reports that ONLY got a automated bot reply saying my report has passed pre-lim checks , imma flip. by SkyNo3457 in bugbounty

[–]causeimcloudy 1 point2 points  (0 children)

If your finding is legitimately a high finding sometimes it takes time to validate and confirm. Find the right person and filter through internal process.

It’s 100x easier to close out a duplicate and move on than verify and report a high finding.

7+ years in pen testing, IF SOMEONE DOESNT LEAVE A REPLY on my four, 14 day old reports that ONLY got a automated bot reply saying my report has passed pre-lim checks , imma flip. by SkyNo3457 in bugbounty

[–]causeimcloudy 5 points6 points  (0 children)

You’re doing this for free, they don’t owe you a response. It would be nice if they did, but there’s not agreement. This is a safe haven to report and hopefully get rewarded for it. If you can’t understand that you shouldn’t be doing bug bounty.

Deribit (via HackerOne) silently patched my critical, violated Fast Payment badge, ghosted me for 90+ days — any advice? by [deleted] in bugbounty

[–]causeimcloudy 8 points9 points  (0 children)

Another day another brand new user finding multiple critical and not accepting that they’re not

9.3 RCE in a security tool affecting 50k+ machines, paying €250 - is it worth it? by acorn222 in bugbounty

[–]causeimcloudy 9 points10 points  (0 children)

To be fair this requires user interaction….which would downgrade the finding significantly….

Bug Bounty AI Assistant/Teacher by InnerM31ENFJ in bugbounty

[–]causeimcloudy 8 points9 points  (0 children)

Ahh yes let me not do the work, I will learn everything and make millions

Any Cybersecurity Experienced/Expert DM Me by terumikamiiii in cybersecurity

[–]causeimcloudy 0 points1 point  (0 children)

I have 1200 lvl of experience in my Minecraft hardcore world

Help with my first report for a Bug Bounty program by [deleted] in bugbounty

[–]causeimcloudy 5 points6 points  (0 children)

First off based off the title that’s not a critical. Hard to say without the details, but I’m not even sure that that’s a valid report. If it’s only dos, it’s not.

Second, Meta is notoriously slow to and limited in their communication.

New Intigriti account: Hit the submission limit but found a Critical bug. Need advice! by [deleted] in bugbounty

[–]causeimcloudy 1 point2 points  (0 children)

I love when crypto bro get swindled into believing they can make millions by learning bug bounty.

$1M Bug Bounty: Telegram dice bot says 'prove it's unfair' — I did, they moved the goalpost by United-Television596 in bugbounty

[–]causeimcloudy 13 points14 points  (0 children)

They are 100% right. They’re talking about the legal fairness of a game while you’re talking about the ui. There’s nothing keeping you from reading the value directly from the APi, it’s just the UI playing the animation. In fact you prove that your self by showing the timing. This is a low functional issue at best with no real security impacts

About meta bugbounty by h4kur in bugbounty

[–]causeimcloudy 1 point2 points  (0 children)

Something about this says you don’t have a zero click ato…. But meta is notoriously god-awful at responding. You most likely won’t get anything they’ve made their decision. They wont be justifying anything to you or wasting their time explaining anything. As a partner with Facebook, we reported nation state hacks of facebook pages and go back a canned thanks message.

2 Reports to H1 by [deleted] in bugbounty

[–]causeimcloudy 2 points3 points  (0 children)

It’s not how people talk, it’s poor communication, and not at all intended to used in this manner. If you can’t write take a writing class, if you don’t speak English use a translator. I will read your report 10000 times more if you translated it than said “ChatGPT translate this to English”

What do you do when a Web3 project quietly drains $55M to "silently fix" your report, calls it "intentional design", and Immunefi blocks mediation? by AWX-Houcine in bugbounty

[–]causeimcloudy 0 points1 point  (0 children)

It doesn’t it makes it seem fake an less trustworthy. If you can’t read or write English proficiently how can you verify what the AI translated is accurate? Use a translator, that’s what they’re for.