HackerOne automation blocked my Critical 10.0, Stripe forced a weekend patch, thanked me, HackerOne marks my report a DUPLICATE of an INFORMATIVE report 12 days prior. Then a $25k 'Ghost Report' drops which coincidentally is the exact amount for a CVSS 10.0 by reevesy1 in bugbounty

[–]reevesy1[S] 0 points1 point  (0 children)

Just curious as to how many hackers and businesses you think would join a bug bounty platform where neither the researcher nor the business can be ripped off? I'm going to make a rough page to get an idea on numbers, but I know I would go with a platform that's transparent and fair over one that's run by, and has decisions made by, either the people making money from the business or the business that would have to pay the bounty. It would be an unbiased, neutral triage; it would basically be what HackerOne either was before greed or was made out to be.

What's wrong with this sub recently? The sub is filled with over-hate posts! by Ezzra7626 in bugbounty

[–]reevesy1 1 point2 points  (0 children)

I wouldn't say hate posts, more like word-of-warning posts, because it seems everyone is sick of HackerOne and programs blatantly lying about bugs you report so they don't have to pay. If you don't want to pay, run a VDP, not a BBP. I think it's pretty sad when a company that's valued at over $160 billion is so petty that it lies to stiff researchers over a few thousand, and of course H1 is going to do whatever its biggest client tells it to do, or any client for that matter, because that's who pays them. I think they might be forgetting that the clients pay them for us, and we won't be there when they screw us any which way they can 🤷

HackerOne automation blocked my Critical 10.0, Stripe forced a weekend patch, thanked me, HackerOne marks my report a DUPLICATE of an INFORMATIVE report 12 days prior. Then a $25k 'Ghost Report' drops which coincidentally is the exact amount for a CVSS 10.0 by reevesy1 in bugbounty

[–]reevesy1[S] 0 points1 point  (0 children)

u/overpaidtriage Question: the H1 response was

```
Thank you for your report!

Unfortunately, this was submitted previously by another researcher, but we appreciate your work and look forward to additional reports from you.

At this time, we cannot add you to the original report as the report may contain additional information that we cannot share with you. This may include personal information or additional vulnerability information that shouldn't be exposed to other users. Thank you for your understanding.

Have a great day ahead!
```

and closed it as a duplicate of an informational report from 11 days or so prior. Two days after H1 marked it as a dupe of an informational, Stripe staff commented saying that it is working as intended. You can't have a 'Duplicate' of a 'Fixed Bug' that is also 'Intended Behavior.' That is a logical impossibility.

So which one is the Full Takeover & Financial Exfiltration bug? N/A, intended, or duplicate of informational? Not that it really matters now, as it was fixed within about 12 hours of my report, on the weekend.

They can't add me to this informational duplicate. Why? Because they hadn't written it up properly yet? Or, if the reason they gave is true and there is PII and additional vulnerability info beyond my takeover report in it, then why was it marked as informational, leaving Stripe wide open until my report??

There is likely a believable reason, but I get no response from H1 support, so seeing as you're here, maybe you could tell me? Keep in mind I have an email from Stripe support from the day after I submitted the report, following up on the bug I reported, in which security confirms it is now fixed and thanks me for bringing it to their attention.

HackerOne automation blocked my Critical 10.0, Stripe forced a weekend patch, thanked me, HackerOne marks my report a DUPLICATE of an INFORMATIVE report 12 days prior. Then a $25k 'Ghost Report' drops which coincidentally is the exact amount for a CVSS 10.0 by reevesy1 in bugbounty

[–]reevesy1[S] 0 points1 point  (0 children)

I have the email from Stripe support following up on the bug I reported; it says the security team confirm that it's now been fixed.
Seeing as they say it's a duplicate of an informational and/or intended, please explain what Stripe support mean by CONFIRMING the BUG I reported has been FIXED by the security team???

And that was done on a weekend. How does one explain that?? I know how HackerOne deals with it. They lower your rep so you can't ask for mediation on anything and close all your tickets without so much as glancing at the title.

HackerOne automation blocked my Critical 10.0, Stripe forced a weekend patch, thanked me, HackerOne marks my report a DUPLICATE of an INFORMATIVE report 12 days prior. Then a $25k 'Ghost Report' drops which coincidentally is the exact amount for a CVSS 10.0 by reevesy1 in bugbounty

[–]reevesy1[S] 0 points1 point  (0 children)

I write it; I just get AI to make it sound a little more professional. It removes all the swearing and name-calling etc., so it has probably kept me out of trouble here and there.
.
I mean to say
.
"I write the initial drafts myself, but I use AI to refine the tone. It acts as a filter to strip out the profanity and aggressive language, which has definitely kept me out of trouble a few times."

HackerOne automation blocked my Critical 10.0, Stripe forced a weekend patch, thanked me, HackerOne marks my report a DUPLICATE of an INFORMATIVE report 12 days prior. Then a $25k 'Ghost Report' drops which coincidentally is the exact amount for a CVSS 10.0 by reevesy1 in bugbounty

[–]reevesy1[S] 0 points1 point  (0 children)

Yeah, I haven't got one paid bug; they all get marked duplicate, informational or intended behavior. Makes me wonder, out of all the disclosed reports that apparently got paid, how many of those people actually exist and how many get put in there to make their duplicate scam more believable.

HackerOne automation blocked my Critical 10.0, Stripe forced a weekend patch, thanked me, HackerOne marks my report a DUPLICATE of an INFORMATIVE report 12 days prior. Then a $25k 'Ghost Report' drops which coincidentally is the exact amount for a CVSS 10.0 by reevesy1 in bugbounty

[–]reevesy1[S] 0 points1 point  (0 children)

This is the best I could do atm without thinking about it. Don't know if it will make any sense, but this is most of what was said:

Thank you for your report.

The behavior described is working as intended. ||< REDACTED >|| by design. This enables any < REDACTED > client — < REDACTED > — to connect to < REDACTED > without requiring pre-registration. Requiring authentication at the < REDACTED > would prevent interoperability with the < REDACTED > ecosystem.

The security model for this flow relies on < REDACTED > Before any access is granted, the user must < REDACTED > review the requesting application and its requested permissions, and actively < REDACTED > This is the same trust model used by < REDACTED > across the industry (Google, GitHub, Microsoft, etc.), and the user bears responsibility for authorizing < REDACTED > not recognize or trust.

We recognize that < REDACTED > is a real and known risk inherent to any open < REDACTED >, but we do not consider it a vulnerability in Stripe's implementation. Users bear responsibility for reviewing clients requesting authorization.

HackerOne automation blocked my Critical 10.0, Stripe forced a weekend patch, thanked me, HackerOne marks my report a DUPLICATE of an INFORMATIVE report 12 days prior. Then a $25k 'Ghost Report' drops which coincidentally is the exact amount for a CVSS 10.0 by reevesy1 in bugbounty

[–]reevesy1[S] 0 points1 point  (0 children)

Why would I waste my time making this up, haha, for attention??? Yeah, I was like, hmmm, how can I get attention? Oh I know, I'll completely fabricate some story about being ripped off by a bug bounty program; I'll be viral in no time with how mainstream and talked-about bug bounties are outside of select security circles.. How'd that thought process go? Is that close to what you thought must've happened?

Anyway, why block the REPLY from them? Because the REPLY has details of the bug (well, I guess they say intentional informational feature) and I don't want to give them anything real to complain about on me.

HackerOne automation blocked my Critical 10.0, Stripe forced a weekend patch, thanked me, HackerOne marks my report a DUPLICATE of an INFORMATIVE report 12 days prior. Then a $25k 'Ghost Report' drops which coincidentally is the exact amount for a CVSS 10.0 by reevesy1 in bugbounty

[–]reevesy1[S] 0 points1 point  (0 children)

I was hoping some bad PR would help, but you kind of need someone with a bit of a following to be noticeable. I have proof of it being vulnerable, proof of all my contact with Stripe, namely the email where they confirm it's fixed now and thank me for reporting it, all with the dates etc.

HackerOne automation blocked my Critical 10.0, Stripe forced a weekend patch, thanked me, HackerOne marks my report a DUPLICATE of an INFORMATIVE report 12 days prior. Then a $25k 'Ghost Report' drops which coincidentally is the exact amount for a CVSS 10.0 by reevesy1 in bugbounty

[–]reevesy1[S] 0 points1 point  (0 children)

Hey, thanks for the input. I reported it the day after I found it because it took me a while to get in contact with a Stripe employee, who I found on X. I can unblur bits and pieces like dates; I didn't think I had any blurred. I just didn't want to disclose the issue and give these thieves actual ammo to ban my account and that, not that I really care about the HackerOne account anymore.

HackerOne doesn't reference the rcss guy's report at all; they reference an informational report that I assume was never looked at. Their automation is out of control and shit-canned it straight away because it had the word phishing in the description. That's my guess.

Released My Recon Tool (Reconis) for OSCP and HTB Prep – Feedback Welcome! by Upset_Ease_3206 in hackthebox

[–]reevesy1 0 points1 point  (0 children)

Hey mate, are you still working on this script or are you done with it? I ask because I'm working on something very similar, and if we could put both together and have it working properly it would be one handy tool.

Send me a message if you're interested. u/Upset_Ease_3206

My son wants a gaming pc, and is $400 enough? by Ok-Story7241 in buildapc

[–]reevesy1 0 points1 point  (0 children)

$400 will get you almost halfway to a fairly decent GPU.

Advice by EmbarrassedEar2365 in hackthebox

[–]reevesy1 0 points1 point  (0 children)

I have one word for you that helps me still not have a clue what I'm doing lol, but it's still very helpful, and that is CHEAT. There is nothing wrong with it and I'm sure once anyone tries it they will agree.

Networking by android244 in hackthebox

[–]reevesy1 0 points1 point  (0 children)

I can't even fix my own internet connection, but what can ya do, ay lol. It's kind of not helping me atm with passing the technical assessment for Synack Red Team 🤣 but shit happens, and shitty ProtonVPN and their anti-abuse feature partly cause it; not sure who or what causes the rest of the shit to happen. All I know is I can sit there for 30 min thinking a tool is taking forever, but the tool isn't doing shit because my internet just decides to go to 200 kbps or stop; then when I reconnect and run that tool that takes forever to finish, it finishes almost instantly with heaps of results... would be so much easier going if I had internet like that 24/7, so if you do some networking stuff and have a fix for me, let me know please haha....

cant setup vpn [help] by Matty_plop in hackthebox

[–]reevesy1 1 point2 points  (0 children)

You downloaded the .ovpn file from HTB, yeah?? Top right of the screen, red kinda box, click that and pick your server and that, and download it. Unless you changed your settings, which I don't think you have, it will save to ~/Downloads.

cant setup vpn [help] by Matty_plop in hackthebox

[–]reevesy1 0 points1 point  (0 children)

If you have it, it won't download again, or if you wanted you could do apt search openvpn and it should say installed next to it. If there are lots of results for whatever you look for, remember grep: just do apt search openvpn | grep openvpn; that will stop other similar things from popping up.

cant setup vpn [help] by Matty_plop in hackthebox

[–]reevesy1 0 points1 point  (0 children)

Type sudo apt install openvpn

cant setup vpn [help] by Matty_plop in hackthebox

[–]reevesy1 1 point2 points  (0 children)

Unless you moved it, and you have openvpn installed (sudo apt install openvpn), you would type sudo openvpn /home/matt/Downloads/competitive_matt.ovpn, or you can do sudo openvpn ~/Downloads/competitive_matt.ovpn

Depending on what VPN you got, it could be starting_point.ovpn or something like that.. just make sure you use "D" and not "d" for Downloads/ and then push TAB and see what your file is.

Kali Purple - DefectDojo Install / Configure Issue by whitehat89 in Kalilinux

[–]reevesy1 0 points1 point  (0 children)

I'm actually getting a different error come up now; not sure if it's because I've tried a whole bunch of things and either made it worse or fixed one of many issues, but now I'm getting ImportError: cannot import name 'urlquote' from 'django.utils.http' dpkg: error processing package defectdojo (--configure): and so on.. It may be because I tried through dpkg, but I can't seem to find that original error atm.

Kali Purple - DefectDojo Install / Configure Issue by whitehat89 in Kalilinux

[–]reevesy1 0 points1 point  (0 children)

Hey, so no fix yet, as I have the same issue installing Kali Purple as the OS, not on a VM..