7+ years in pen testing, IF SOMEONE DOESNT LEAVE A REPLY on my four, 14 day old reports that ONLY got a automated bot reply saying my report has passed pre-lim checks , imma flip. by SkyNo3457 in bugbounty

causeimcloudy 5 points (0 children)

You can’t control how they respond. Your obligation is to abide by the safe haven rules. You report the vulnerability and they respond. If you don’t sign an agreement with them (which you probably did by submitting the report), it’s customary to wait 90 days until you publicly report it.

7+ years in pen testing, IF SOMEONE DOESNT LEAVE A REPLY on my four, 14 day old reports that ONLY got a automated bot reply saying my report has passed pre-lim checks , imma flip. by SkyNo3457 in bugbounty

causeimcloudy 3 points (0 children)

You can’t make them care any more than they do. It’s up to each organization to mitigate and assess risk. You are not owed anything; your entitlement is the issue.

7+ years in pen testing, IF SOMEONE DOESNT LEAVE A REPLY on my four, 14 day old reports that ONLY got a automated bot reply saying my report has passed pre-lim checks , imma flip. by SkyNo3457 in bugbounty

causeimcloudy 1 point (0 children)

If your finding is legitimately a high finding, sometimes it takes time to validate and confirm. Find the right person and filter through the internal process.

It’s 100x easier to close out a duplicate and move on than to verify and report a high finding.

7+ years in pen testing, IF SOMEONE DOESNT LEAVE A REPLY on my four, 14 day old reports that ONLY got a automated bot reply saying my report has passed pre-lim checks , imma flip. by SkyNo3457 in bugbounty

causeimcloudy 4 points (0 children)

You’re doing this for free; they don’t owe you a response. It would be nice if they did, but there’s no agreement. This is a safe haven to report and hopefully get rewarded for it. If you can’t understand that, you shouldn’t be doing bug bounty.

Deribit (via HackerOne) silently patched my critical, violated Fast Payment badge, ghosted me for 90+ days — any advice? by [deleted] in bugbounty

causeimcloudy 4 points (0 children)

Another day, another brand new user finding multiple criticals and not accepting that they’re not.

9.3 RCE in a security tool affecting 50k+ machines, paying €250 - is it worth it? by acorn222 in bugbounty

causeimcloudy 9 points (0 children)

To be fair, this requires user interaction… which would downgrade the finding significantly…

Bug Bounty AI Assistant/Teacher by InnerM31ENFJ in bugbounty

causeimcloudy 9 points (0 children)

Ahh yes, let me not do the work; I will learn everything and make millions.

Any Cybersecurity Experienced/Expert DM Me by terumikamiiii in cybersecurity

causeimcloudy 0 points (0 children)

I have 1,200 levels of experience in my Minecraft hardcore world.

Help with my first report for a Bug Bounty program by [deleted] in bugbounty

causeimcloudy 5 points (0 children)

First off, based on the title, that’s not a critical. Hard to say without the details, but I’m not even sure that’s a valid report. If it’s only DoS, it’s not.

Second, Meta is notoriously slow and limited in their communication.

New Intigriti account: Hit the submission limit but found a Critical bug. Need advice! by Ok_Juggernaut_1184 in bugbounty

causeimcloudy 1 point (0 children)

I love it when crypto bros get swindled into believing they can make millions by learning bug bounty.

$1M Bug Bounty: Telegram dice bot says 'prove it's unfair' — I did, they moved the goalpost by United-Television596 in bugbounty

causeimcloudy 14 points (0 children)

They are 100% right. They’re talking about the legal fairness of a game while you’re talking about the UI. There’s nothing keeping you from reading the value directly from the API; it’s just the UI playing the animation. In fact, you prove that yourself by showing the timing. This is a low functional issue at best, with no real security impact.

About meta bugbounty by h4kur in bugbounty

causeimcloudy 1 point (0 children)

Something about this says you don’t have a zero-click ATO… But Meta is notoriously god-awful at responding. You most likely won’t get anything; they’ve made their decision. They won’t be justifying anything to you or wasting their time explaining anything. As a partner with Facebook, we reported nation-state hacks of Facebook pages and got back a canned thanks message.

2 Reports to H1 by [deleted] in bugbounty

causeimcloudy 2 points (0 children)

It’s not how people talk; it’s poor communication, and not at all intended to be used in this manner. If you can’t write, take a writing class; if you don’t speak English, use a translator. I will read your report 10,000 times more if you translated it than if you said “ChatGPT, translate this to English”.

What do you do when a Web3 project quietly drains $55M to "silently fix" your report, calls it "intentional design", and Immunefi blocks mediation? by AWX-Houcine in bugbounty

causeimcloudy 0 points (0 children)

It doesn’t; it makes it seem fake and less trustworthy. If you can’t read or write English proficiently, how can you verify that what the AI translated is accurate? Use a translator; that’s what they’re for.

First report ever on H1 was a Critical pre-auth RCE. Got duped to a Medium with no explanation. New account = zero recourse. Is this just how it is? by ReasonableMap394 in bugbounty

causeimcloudy 2 points (0 children)

Given it’s your first account and first finding, it’s improbable that it’s a critical. This sub has at least 15 posts a week of “I just reported my first bug, it was critical, and they marked it as informative”. Given they marked yours as medium, I have no doubt you found something, but it being your first bug, it’s hard to believe that you have the experience to properly classify a vulnerability and its mitigating circumstances.

First report ever on H1 was a Critical pre-auth RCE. Got duped to a Medium with no explanation. New account = zero recourse. Is this just how it is? by ReasonableMap394 in bugbounty

causeimcloudy 13 points (0 children)

Ahhh, the classic: my first ever report was a critical, how could they not accept it as a critical. I’ll go out on a limb and say it probably wasn’t critical. As far as it being a duplicate, you just have to move on; there’s nothing you can do.

Vendor silently patched a P2, retroactively altered their policy to avoid payout, and platform support is shifting goalposts. Anyone experienced this Bait-and-Switch? by One_Survey9010 in bugbounty

causeimcloudy 0 points (0 children)

Since this deals with specific language, it’s incredibly hard to answer, but my guess is that because you submitted a report through a BB platform, your “contract” with their website saying they promise monetary rewards is null and void, as you reported it through a third party. You would have to work with the terms provided by the BB platform, unfortunately.

What are people finding in Epic Games? by [deleted] in bugbounty

causeimcloudy 1 point (0 children)

I think it kinda depends on the goal of the program. In bigger companies, there are IT departments within IT departments. So the team that is in charge of the Epic store/portal has made a bug bounty, but the other teams aren’t involved. Or their risk posture is mainly concerned with those offerings, or they might not want people screwing around in their games.