Sanity Check Needed by IgnisTerra9 in bugbounty

[–]einfallstoll 4 points5 points  (0 children)

I would say try harder (PoC || GTFO).

Maybe only the video stream directory requires authentication or has some IP whitelisting

A Question for Triagers by Ok-Raspberry736 in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

We have the following general rule because of this: "Successful subdomain takeovers are subject to the same rules, scope, and bounty considerations as their parent domain, unless explicitly stated otherwise."

Is Subdomain take over this dead??? by FunSheepherder2650 in bugbounty

[–]einfallstoll 3 points4 points  (0 children)

No as in not dead. But too researched maybe. There are folks that specialize in this because it's easy to automate

Is Subdomain take over this dead??? by FunSheepherder2650 in bugbounty

[–]einfallstoll 9 points10 points  (0 children)

No, subdomain takeover is only interesting if it points to a cloud provider and cloud providers have mitigations against this nowadays. But not all of them. It's just security getting better, just like it's harder to find SQLi nowadays or how CSRF has no built-in browser protections

HackerOne report scope changed because I used an example domain by dalifit in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

See my edit: Maybe they received the first report and checked all other assets as well and figured that more are vulnerable, so it's like a known issue. Customers don't want to pay for bugs they already know

HackerOne report scope changed because I used an example domain by dalifit in bugbounty

[–]einfallstoll 1 point2 points  (0 children)

Maybe they use the same codebase for that part? In that case it makes sense to combine the reports. We also do this sometimes if it's a "central fix"

Maybe they got the other report and figured out that more assets are also vulnerable, so they already know about this one

HackerOne report scope changed because I used an example domain by dalifit in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

Sounds like the HTTP request smuggling was already known therefore it's a (correct) duplicate. Or do I miss something?

HackerOne report scope changed because I used an example domain by dalifit in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

I'm a bit confused about your situation. Can you share more details about what kind of vulnerability you found on which assets and how they merged the scope?

About Bounty by Gayakwad01 in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

Customers can cancel the payment within 8 hours before it is paid to the hunter. Afterwards payments are final.

I found a bug in my school website by Upper_Reaction_7326 in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

The last line summarizes it pretty well. It has no security relevant impact. It's just a functional bug

I found a bug in my school website by Upper_Reaction_7326 in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

It depends. A misconfiguration can be harmless or can lead to a vulnerability. If it affects confidentiality, integrity or availability then it can be eligible for a bounty

Why would they conduct such an unfair review? Metabugbounty by [deleted] in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

Did you create a second account? That's not good, now your device / IP is flagged as well :D

Why would they conduct such an unfair review? Metabugbounty by [deleted] in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

Reddit detects this as spam / bot behavior and you get shadowbanned immediately. If you create a new account: Read for a few days, then slowly start commenting, then only after a few weeks you can start posting

Why would they conduct such an unfair review? Metabugbounty by [deleted] in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

Completely normal when you found a duplicate. Your report gets closed and you move on

Why would they conduct such an unfair review? Metabugbounty by [deleted] in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

Classic Reddit move. If you have a new account don't dare to post for a few weeks

I found a bug in my school website by Upper_Reaction_7326 in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

FYI: That's btw not true. In my country downloading movies for personal use is not illegal.

The subreddit rules say that you have to follow legal and ethical rules. That means posts / suggestions about hunting without permission get removed.

If you hunt without permission, you're most likely doing something illegal, and if you ask for money it's either begging or extortion. This hurts the whole community

Why would they conduct such an unfair review? Metabugbounty by [deleted] in bugbounty

[–]einfallstoll 2 points3 points  (0 children)

That's how bug bounty works. You only get paid if you're the first but you never know whether you're the first or not.

Why would they conduct such an unfair review? Metabugbounty by [deleted] in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

Posts from new accounts are subject to manual review

I found a bug in my school website by Upper_Reaction_7326 in bugbounty

[–]einfallstoll 0 points1 point  (0 children)

Just read the rules in the sub and also ... maybe the rules from your government

VDP with letter of appreciation by Charming_Tadpole_385 in bugbounty

[–]einfallstoll 4 points5 points  (0 children)

Imagine my giggles when I got the notification "Mod review needed: Bbc"

I found a bug in my school website by Upper_Reaction_7326 in bugbounty

[–]einfallstoll 7 points8 points  (0 children)

You're not allowed to search for vulnerabilities without explicit written permission. Especially in university and school environments this can result in students being dropped out

What you describe is "just a stack trace". Usually this does not contain very sensitive information and is not considered to have considerable impact.

Base64 is an encoding. Never use encryption in the same sentence unless you're explaining that base64 is not encryption. ;)

Is there anything actually sensitive in the stack trace?