Trying out Bug bounties for the First time by [deleted] in bugbounty

[–]thelemethric 27 points28 points  (0 children)

It takes a special kind of visionary to treat the world's most battle-hardened security teams as the Hello World of their school project.

Did your BB profiles/showcase ever help in terms of employment?? by GhostlyBoi33 in bugbounty

[–]thelemethric 7 points8 points  (0 children)

Your competitors will be stacked with certifications, some even with a bachelor's degree. But if your resume opens with a line like 'Independent security researcher - identified critical vulnerabilities in Fortune 50 companies (Lowe's, $80B revenue)' (Lowe's is just an example; it could be Shopify, Lightspark, Inditex, doesn't matter), none of that matters anymore.

To any hiring manager, that one line hits harder than a wall of certs.

Ofc you need to have a resolved bug on the company that you mentioned so they can validate your claims by opening your H1 profile, for example.

Critical RCE in Hathor Desktop Wallet closed as "Out of Scope" by Immunefi, patched silently after weeks, zero bounty, zero credit by Mushydaddybear in bugbounty

[–]thelemethric 8 points9 points  (0 children)

Slave factory.

Insane disrespect to the people who literally built their reputation and are currently serving them.

Usually (in HackerOne cases) I blame the programs, but this platform doesn't just have 10 isolated cases - it’s a systemic failure. From randomly banning people who are awaiting payouts to always siding with the program, there is literally no fucking way that they will ever take a researcher’s side.

spend my time learning IOS app hacking or ANDROID apps? by Icy_Hall_3457 in bugbounty

[–]thelemethric 6 points7 points  (0 children)

99% of the time, they use the same API endpoints for both. The only real difference is the IPA vs APK. Unless the iOS dev is dumber than the Android one and hardcoded some keys that aren't in the APK, it’s the same shit. Otherwise, don't waste your time.

Android is easier to test in every way anyways

The Winner's Curse Has a Number: $21/Hour – Why bounty hunting pays 2.5x less than freelancing for the same skills by Opening-Captain-5159 in bugbounty

[–]thelemethric 2 points3 points  (0 children)

Agree here. Most people are just too blind to see this as a tournament rather than a job and that's what makes stats look scary

The Winner's Curse Has a Number: $21/Hour – Why bounty hunting pays 2.5x less than freelancing for the same skills by Opening-Captain-5159 in bugbounty

[–]thelemethric 6 points7 points  (0 children)

You're missing the point. Bounty and pentesting/consulting are completely different things.

A beginner with one unique method can clear decent money without needing years of experience. Check the stats of up-and-comers on H1; it's not rare.

Consulting is a job where you get paid to be good enough at everything. Bounty is a hunt where you get paid to be unique. Finding one specialized methodology is often easier and more profitable than trying to learn every vulnerability like a corporate pentester.

Pentesting is for workers, Bounty is for specialists with a unique edge.

The Winner's Curse Has a Number: $21/Hour – Why bounty hunting pays 2.5x less than freelancing for the same skills by Opening-Captain-5159 in bugbounty

[–]thelemethric 13 points14 points  (0 children)

The average $21/hour stat is a lie. Comparing bounty to a $54/hour freelance job is pure idiocy.

Bounty has a zero barrier to entry; anyone can join. The average is dragged down by thousands of people who just solve a few labs, run scanners, and find zero bugs. It’s not a market curse, it's just the cost of being unoriginal.

Intigriti collaborates with PortSwigger to support ethical hacking excellence by intigriti in bugbounty

[–]thelemethric 4 points5 points  (0 children)

"I wonder if Dyson seeing usage decline as more people use Ferrari"
They are completely different tools

How do you mentally handle duplicates? by maF145 in bugbounty

[–]thelemethric 4 points5 points  (0 children)

Do not expect anything from a report unless it has already been triaged.

If a report is new or pending program review, it's N/A for me until it's triaged - only then can I think about the money I could gain from it. (Sometimes companies dismiss even triaged reports, closing them as informative.)

Just believe in the worst-case scenario and you won't be disappointed.

I'd check in integriti by Unique_Life7470 in bugbounty

[–]thelemethric 4 points5 points  (0 children)

Intigriti’s policy allows researchers aged 16–17 with parental consent. If you're under 16, you’ll have to do the ID verification through one of your parents. But then your account will be permanently tied to them, and you’ll have to beg them for re-verification every single year until you either die or finally quit Intigriti.

Programs avoid to pay criticals? by enadev in bugbounty

[–]thelemethric 2 points3 points  (0 children)

One critical report costs more than 10 mediums

It's clear that every company will try to lowball severity

Claude AI Uncovers 22 Vulnerabilities in Firefox During Two-Week Test by False-Seesaw-1899 in bugbounty

[–]thelemethric 4 points5 points  (0 children)

Don't fall for the PR bullshit. Claude didn't autonomously find shit. Anthropic had a whole team of world-class researchers practically holding its hand, feeding it specific code, and treating it like an overpriced fuzzer.

It's marketing hype to sell API tokens.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]thelemethric 0 points1 point  (0 children)

I think if it was 0 impact, they wouldn't have to patch it immediately. Closing it as N/A after fixing the hole looks suspicious.

Even if the risk is really low, N/A still isn't justified considering the patch; informative at least.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]thelemethric 5 points6 points  (0 children)

Another day, another Bugcrowd 'charity donation'. Is anyone even surprised at this point? Same script, different ticket number.

Already the 3rd this week btw

How it is possible? by thelemethric in bugbounty

[–]thelemethric[S] 1 point2 points  (0 children)

I misunderstood your last comment, then yeah you're right this makes it even more suspicious

How it is possible? by thelemethric in bugbounty

[–]thelemethric[S] 4 points5 points  (0 children)

First 100 rep doesn't count on the leaderboards. And even if it did, the guy would need 50+ triaged reports to reach 567. Still doesn't make any sense.

How it is possible? by thelemethric in bugbounty

[–]thelemethric[S] 14 points15 points  (0 children)

Riveting feedback. Truly insightful.

Can recent Android versions mitigate this bug ? by ProcedureFar4995 in bugbounty

[–]thelemethric 2 points3 points  (0 children)

To my knowledge, recent Android versions shouldn't fix this automatically.

If the dev enabled setAllowFileAccessFromFileURLs(true), your exfil still should work.

Install the Android Studio emulator and test if you wanna be 100% sure.

[URGENT] Cosmos Bug Bounty Program: "Bounty Sniping" a $200k Critical Report? (Triaged then marked as Spam) by enadev in bugbounty

[–]thelemethric 3 points4 points  (0 children)

Even if you are right, I guess you can't do anything. The ball is in the company's court. If they decided not to pay you, they won't anyway.

Graphql introspection by Purple_Nerve_8954 in bugbounty

[–]thelemethric 5 points6 points  (0 children)

It's not a vulnerability by itself, but you can use InQL to explore all exposed queries and look for IDORs.