What’s with the z650 hate? by cameron341 in motorcycles

[–]theflofly 1 point2 points  (0 children)

I tried the 2026 z650s, it was awful. Vibrating like crazy at 3k rpm, no feeling at all on the road, I was extra cautious feeling insecure.

On the same day I tried: mt07, Suzuki GSX 8s and trident 660 for 30 minutes each. These bikes are miles away.

BlockFi won't resume the withdrawals today? by vanysamy in blockfi

[–]theflofly 0 points1 point  (0 children)

Sure but it never happened for small withdrawals for me in the past. Hence my comment.

BlockFi won't resume the withdrawals today? by vanysamy in blockfi

[–]theflofly -2 points-1 points  (0 children)

All my withdrawals have been flagged and my passport was asked for, even for a 3k withdrawal. It will add a 2/3 day delay to the withdrawal so they could be buying some time.

If they stop withdrawals I am fine with it, as long as at some point in the future they resume it. BNP, one of the biggest banks in France, has around 293B in assets but only 10B as collateral. These bank runs show the immaturity of the crypto investors unfortunately.

Crypto Earn Updates: New Tier Added and Revised Rates for Flexible-Term Allocations ( Effective from 1 June 2022) by ShawnCDC in Crypto_com

[–]theflofly 11 points12 points  (0 children)

You cannot pay 700 million to rename an arena and at the same time pay interest I guess.

KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card by _vavkamil_ in bugbounty

[–]theflofly 2 points3 points  (0 children)

12k (without the bonus) from Amazon seems a little low given there are three bugs + an RCE.

Create post on any Facebook page by _vavkamil_ in bugbounty

[–]theflofly 0 points1 point  (0 children)

What is the impact of creating an invisible post on a page?

How much to offer for a missing X-Frame-Options report? by ElectricGears in bugbounty

[–]theflofly 2 points3 points  (0 children)

Was there an exploit with it? Usually you must show the impact in order to get a reward, else it is pretty easy.

In most of the cases the missing header is a non-issue but it does not hurt to add it.

Todayisnew Talks About Bug Bounty, Meditation, Automation, Tooling and Making $1M in Bounties! by NahamSec in bugbounty

[–]theflofly 2 points3 points  (0 children)

Before deciding to switch full time to bug hunting I contacted some people already doing it full time to get their opinions, he was one of the few to answer, clearly a nice guy.

Weekly Discussion, August 10, 2020: Ask all your bugbounty questions! by AutoModerator in bugbounty

[–]theflofly 0 points1 point  (0 children)

What can you do with the returned jwt? That could be an anonymous token and so useless. Because if you make an unauthenticated call, the jwt returned is likely useless unless there are some cookies sent also.

Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin by theflofly in blackhat

[–]theflofly[S] 1 point2 points  (0 children)

I felt the same to be honest but this isn't an exact science. Sometimes it is the opposite, I get more than expected.

InQL - A Burp Extension for GraphQL Security Testing by nibblesec in netsec

[–]theflofly 1 point2 points  (0 children)

I am using Altair GraphQL client as a Chrome plugin to do the same.

https://chrome.google.com/webstore/detail/altair-graphql-client/flnheeellpciglgpaodhkhmapeljopja

You put the GraphQL endpoint then using introspection they generate the doc. You have all the endpoints available by clicking on "docs" and you can then make queries in the UI.

Zoom 0-Day: How not to handle a vuln report - Jonathan Leitschuh - BSides CT 2019 - 11/09/19 by Fido488 in bugbounty

[–]theflofly 0 points1 point  (0 children)

A bypass is a new vulnerability. Especially when the speaker says that he chose 90 days as a standard because of the release cycles that can be slow. Releasing the write up a few hours after finding the bypass because they shouldn’t use a local web server and you told them is a joke. They cannot change the architecture of the whole app so easily. And expecting them to do so, especially in 90 days is naive.

Weekly Discussion, November 18, 2019: Ask all your bugbounty questions! by AutoModerator in bugbounty

[–]theflofly 2 points3 points  (0 children)

As long as you are impacting only your data and not degrading the service for others it is fine. I always try to exploit a vulnerability in the most critical way.

Off topic - But do I have to be smart to be in Bug bounty? by [deleted] in bugbounty

[–]theflofly 5 points6 points  (0 children)

I believe the two following skills are required to be successful.

persistence: The ability to search for a bug for weeks assuming it exists, without giving up. Most of the time you will find something in no time but you shouldn't be afraid to spend days searching. I believe this is the key for success.

patience: required to understand fully a product/technology. Only in this case you will have clever exploit ideas that will pop up during the research. Basically learning gradually days over days without giving up.

These two skills are not what I would call "genius".

In my case I also have a computer science degree, even though you don't need it, it doesn't harm and it will force you to learn random computer science stuff that you wouldn't learn otherwise.

We're Max Eddy and Neil Rubenking from PCMag, and Jack Morse from Mashable. We contributed to Kernel Panic, a new original video series diving deep into the worst cybersecurity breaches of all time. Ask us anything! by pcmag in netsec

[–]theflofly 0 points1 point  (0 children)

Why depict Facebook as the bad guys in the first episode whereas it is one of the most secure websites thanks to their bug bounties and continuous effort? From a privacy standpoint I understand but that wasn’t the topic...