r/bugbounty


How much programming do I need to learn before starting with vulnerabilities?

Before learning vulnerabilities, how much web development do I actually need to know?

Like how deep should I go into HTML/CSS/JS?

Do I only need to learn how React and Next.js work, or do I need to learn enough to build websites or apps with them?

Also, are there any tips to start?

As I'm seeing in many Reddit posts, some people say bug bounty has money and many bugs and is worth starting in 2026, and some say it's so saturated, there's no money for beginners, and AI can do it in seconds (not telling how and when).

Just need a proper answer.

Please, seriously, I need help!!

Thank you in advance.

u/daylight_owl- — 6 hours ago

HackerOne

Hey guys,
I've done a couple of bounties on HackerOne and have yet to be paid out for any of them. They seem to always have an excuse for not paying out. This last time they stated it was a duplicate bug. Is there a place on H1 where I can see what bugs were submitted to a project? I'm starting to feel like H1 doesn't actually pay out to anybody.
Thanks for any advice!!

u/rightrice_ — 8 hours ago

Sandbox environment testing

Found a bug in a Bugcrowd private program, which is more like a booking system: it has a SaaS for businesses and a customer portal. The SaaS is inaccessible for some reason, so I've been testing the customer portal only for now.

That customer portal links to the business one in the sense that the people who post bookings on it are the people with access to the SaaS, and the people accessing those bookings are the customers, obviously.

I found a bug that lowkey allows me to add an unavailable schedule for a staff member to make it available for them. But since I can't do that to my own bookings, considering I can't even access the SaaS, can I report it with a minimal PoC, or will it be considered destructive testing by the program?

u/OpportunitySuper6834 — 19 hours ago

Handling external requests in heavily filtered JS environments

Hi everyone,

I’m researching restricted JavaScript execution contexts and I’m curious about browser behavior when several characters are filtered.

For example, these characters are blocked:
/ $ % ) { } ' <

Because of that, common patterns like fetch().then() cannot be used.

I can still make requests to external endpoints, but I’m unable to read the response data or send the retrieved data elsewhere due to the character restrictions.

In general, are there JavaScript properties, events, or browser features that can still interact with external resources or handle response data in heavily filtered environments like this?

I’m mainly trying to understand browser behavior and limitations in restricted contexts.

Thanks.

u/CharityAdmirable8774 — 15 hours ago

Unable to Confirm Identity with SCA in YWH

Hello people, does anyone else have any issue with verifying e-wallet access in YWH? I'm having trouble trying to get my bounty out, but this MangoPay service is not giving the verification SMS code to my phone. I also tried changing my phone number, but it keeps giving me this error. I reached out to support and haven't received a response since.

https://preview.redd.it/cxr45lw8nf2h1.png?width=987&format=png&auto=webp&s=d3d091d597a08ed9fcfed5da7295efc71c601982

https://preview.redd.it/fsi7ihggnf2h1.png?width=623&format=png&auto=webp&s=0b3906d956aa58e6b86fb31bbe475d42340b475b

https://preview.redd.it/by9k00qonf2h1.png?width=622&format=png&auto=webp&s=859d128619c97d53b2f82aa0ce2ca6e2eb4a7220

u/Diligent-Ad6282 — 15 hours ago

Jobs with Bugcrowd? A question

Hello... might be an odd question for this sub, but I'm poking around trying to get some feelers out there.

Is anyone currently employed by Bugcrowd who can answer some questions for me? I'm concerned there is an active employment scam (as there are so many!) using this company as a shell. I applied for a good-looking role that fits my background, and the next day I was contacted by the recruiter... via WhatsApp.

OOF. The domain looks like it might be legit, but is questionable enough that... here I am. Can anyone shed some light for me, please? I was super interested in the company and of course the job itself, but... le sigh.

u/SerendipitySky3 — 1 day ago

Technical analysis of CVE-2026-34472 in ZTE H188A router firmware

I published a writeup for CVE-2026-34472 affecting the ZTE H188A V6 router.

The vulnerability involves the router’s pre-login setup wizard flow. During firmware analysis, I found that unauthenticated requests could reach logic that exposed sensitive configuration values before a normal authenticated session was established.

ZTE classified the issue as a “customer-specific low-risk requirement,” but MITRE assigned CVE-2026-34472 and the issue is now public.

The post focuses on:

  • firmware extraction and analysis
  • Lua / CGILua routing behavior
  • root-cause analysis
  • observed impact
  • disclosure timeline
  • vendor response

Writeup:
https://minanagehsalalma.github.io/cve-2026-34472-auth-bypass-zte-h188a-router/

u/TheReedemer69 — 1 day ago

Why say the report "Needs more info"? Mark it N/A and move on to the next one to maintain KPI compliance; HackerOne is fine with that.

https://preview.redd.it/hvtnvrbxga2h1.png?width=1168&format=png&auto=webp&s=45ab582f8298c0f80bfd39c8c7fcd1ea8bd7ae32

So I wrote this attack chain with 4 parts, where part 2 is the crucial one in scope. The triager wasn't able to reproduce part 2, so what did he do? Did he ask for more info? A detailed video PoC other than the one I already provided? You bet he didn't! Right from the very first comment, he said that because he wasn't able to reproduce it, parts 1 and 3 of the attack chain are now considered out of scope, and part 4, which is a textbook Business Logic Flaw (CWE-841), he said is working as intended 😂

Recorded another PoC video showing where he got the reproduction wrong, but never got any answer. Now I bet my findings will go unnoticed because of a triager who wants to close as many reports as he can with the least effort. If another researcher gets lucky enough to have their report reviewed by a qualified triager, they will be the one awarded the bounty and my resubmission will be the duplicate; I see that coming with these so-called Bug Bounty Lottery Programs. I'm fine with resubmissions because triagers are human beings who make mistakes, but when their mistakes cause a researcher's signal to drop, so that he can't even ask for mediation, that's just wrong!

Guess it's just how it is 😒: if you can't find complex vulnerabilities yourself, you can be on the other side reviewing them.

Edit: unfortunately, I got the same triager handling my resubmission. He marked it as a duplicate of the one he marked N/A because he couldn't reproduce it. And as always, "best regards" 🤡

https://preview.redd.it/h99rpu41ta2h1.png?width=1708&format=png&auto=webp&s=d68735892568b141734497f8de4457ca7b45b3d1


Password Reset Tokens in URLs: A Security Risk Developers Should Not Ignore

Password reset links look simple, but they can become a serious account takeover risk if the reset flow is not implemented carefully.

A common reset link contains a token in the URL. That token works like a temporary key to the user’s account. If it leaks before expiry, an attacker may be able to reset the password and take over the account.

One common mistake is assuming that HTTPS alone is enough. HTTPS protects data in transit, but it does not protect reset tokens from browser history, shared devices, server logs, proxy logs, SIEM platforms, third-party analytics, email forwarding, mobile app logs, or Referer header leakage.

From a security testing perspective, password reset flows should be checked for:

* Single-use token behavior
* Short token expiry
* Safe token storage using hashing
* Rate limiting on reset requests
* Token leakage in logs
* Referer header exposure
* Open redirect abuse
* Password reset poisoning
* Session invalidation after reset
* MFA or step-up verification for sensitive accounts

A strong token is not enough if the application leaks it.

In many real-world cases, the weakness is not token randomness. The weakness is the surrounding flow: logging, analytics scripts, redirects, missing rate limits, long expiry, or poor session handling.

Password reset should be treated as a critical authentication feature, not just a convenience feature. A weak recovery flow can silently become the easiest path to account takeover.

Curious to hear from developers and security testers here: what password reset mistakes have you commonly seen in real applications?

u/sentrixhub — 1 day ago
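Added here as an illustration of the checklist in the post above; this is not code from u/sentrixhub or from any real application. It is a toy, in-memory Python reset service that implements the defensive items the post lists: the token is generated with a CSPRNG and only its hash is stored, it expires after a short TTL, it is single-use, all existing sessions are invalidated on a successful reset, reset requests are rate-limited per account, and a helper redacts the token from a URL before it is logged. The TTL and rate-limit values, the `app.example` host, and the SHA-256 password hashing (a stand-in for argon2/bcrypt) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Policy values are assumptions chosen for this example, not figures from the post.
TOKEN_TTL_SECONDS = 15 * 60   # short expiry
MAX_REQUESTS_PER_HOUR = 3     # per-account rate limit on reset requests

# Headers the reset page should send so the token URL does not leak via Referer or caches.
RESET_PAGE_HEADERS = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


@dataclass
class ResetRecord:
    token_hash: str      # only the hash is stored; the raw token exists only in the e-mail link
    expires_at: float
    used: bool = False


@dataclass
class User:
    password_hash: str
    sessions: Set[str] = field(default_factory=set)


class FakeClock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str) -> str:
    # Toy stand-in; production code uses argon2/bcrypt/scrypt with a per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()


def redact_reset_url(url: str) -> str:
    """Blank the token query parameter before a URL is written to any log or analytics sink."""
    parts = urlparse(url)
    query = [(k, "REDACTED" if k == "token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunparse(parts._replace(query=urlencode(query)))


class PasswordResetService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.users: Dict[str, User] = {}
        self.resets: Dict[str, ResetRecord] = {}        # one outstanding token per account
        self.request_log: Dict[str, List[float]] = {}   # request timestamps per account

    def add_user(self, email: str, password: str, sessions=()) -> None:
        self.users[email] = User(_hash_password(password), set(sessions))

    def verify_password(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and hmac.compare_digest(user.password_hash, _hash_password(password))

    def request_reset(self, email: str) -> Optional[str]:
        """Return the raw token for the e-mail link, or None when the account is unknown
        or rate-limited (the HTTP response should look identical in both cases)."""
        now = self.clock()
        recent = [t for t in self.request_log.get(email, []) if now - t < 3600]
        self.request_log[email] = recent
        if email not in self.users or len(recent) >= MAX_REQUESTS_PER_HOUR:
            return None
        recent.append(now)
        token = secrets.token_urlsafe(32)                      # 256 bits from the CSPRNG
        self.resets[email] = ResetRecord(_hash_token(token), now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        record = self.resets.get(email)
        if record is None or record.used or self.clock() > record.expires_at:
            return False
        if not hmac.compare_digest(record.token_hash, _hash_token(token)):
            return False
        record.used = True                                     # single use
        user = self.users[email]
        user.password_hash = _hash_password(new_password)
        user.sessions.clear()                                  # invalidate every existing session
        return True


if __name__ == "__main__":
    clock = FakeClock()
    svc = PasswordResetService(clock)
    svc.add_user("alice@example.com", "old-pw", sessions={"sess-1"})
    tok = svc.request_reset("alice@example.com")
    print("log line:", redact_reset_url(f"https://app.example/reset?token={tok}"))
    print("reset ok:", svc.complete_reset("alice@example.com", tok, "new-pw"))
    print("replay ok:", svc.complete_reset("alice@example.com", tok, "again"))
```

The clock is injected so that the expiry path can be tested deterministically; the same `FakeClock` also lets a test drive the per-hour rate limit. Note that `request_reset` returns `None` for both an unknown account and a rate-limited one, so the calling handler can send the same "if the address exists, we sent a link" response in every case.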

Broken social link out of scope

Can someone explain why that would be out of scope, especially if it's a big crypto company? Isn't that very dangerous for their own users?

u/himalayacraft — 1 day ago

High finding duped against a finding that is marked as withdrawn...

How is this fair?

The older finding is marked as withdrawn,

and now my finding is marked as a duplicate of that withdrawn finding...

u/Euphoric_Wealth_6006 — 2 days ago

Question about an "internal duplication"

Found a bug that leaks full New Relic logs, including PII, API keys, and users' private conversations. Submitted 10/2025; they said that they have an internal ticket. Still working today, even on the prod env (it was on staging).

What should I do? Move on or try to reach users (who may not fully understand the situation)?

u/Adventurous_Ad_294 — 1 day ago

Signal Requirements on New Account

https://preview.redd.it/9556pfcow62h1.png?width=922&format=png&auto=webp&s=3245bf59f1971926407ef857d2fd82f3a6aa8543

Hi guys. Looking for some information here. I created an account about a week ago and have since been doing some bug bounties in my free time. I've submitted 6 total reports: 4 duplicates, 1 triaged and paid out with High severity, 1 new.

My current reputation has been increased to 32 (not including the 100 for account creation), but I am now being restricted as I do not have a calculated Signal. I have 2 reports ready to send in to a program but am not able to due to the requirement here. I've noticed this is on just about every program on H1 and I'm struggling to figure out when my Signal would be calculated. I have asked for the triaged report to be marked as resolved, as the bug has since been fixed, but I am not sure if that will even allow my Signal to populate.

Does anyone have advice here? Do I genuinely just have to wait 30 days to send in another report? How long does it take for Signal to be calculated? It seems pretty dumb to have to wait so long when my reports are not being marked N/A or slop.

u/ByteBitBought — 2 days ago

Just found a crazy business logic flaw. What severity would you give this?

Hey guys, wanted to share an interesting finding from a recent test and see how you would rate it. It got marked as P3, which honestly surprised me.

The bug is on a large platform for creating websites. An unauthenticated attacker can hit the registration endpoint and register live TLDs (.com, .net, etc.) completely for free.

The impact is pretty wild: you don't need any verification, and no payment is made by you, so you can register thousands of domains completely anonymously with fake contact info. Great for malicious infrastructure or crime, with zero trace back to the attacker.

On top of that, there's an endpoint that lets you completely bypass the 60-day transfer lock. You can get the auth codes and move the domains to an external registrar instantly, so the company can't even recover them.

I registered 5 live domains, changed DNS, and unlocked them to prove it. Public WHOIS confirmed they were completely unlocked.

To me, letting attackers spin up unlimited anonymous criminal infrastructure while draining the company's real cash feels like beyond P3.

What do you think? Is P3 fair here?

u/Far-Chicken-3728 — 2 days ago

Found what I believe is a P1 on a Bugcrowd program but triaged, patched, now complete silence for weeks. How do you cope?

Hello Good People, Need some perspective from people who've been through this. Two months in and I'm losing my mind a little.

Background

I submitted a finding to a Bugcrowd program targeting a large European company. The vulnerability was a server-side misconfiguration on a public-facing endpoint that automatically injected privileged credentials into every outgoing request, no authentication required from the attacker's side whatsoever.

How It Escalated

This is where I think I made a strategic mistake and want honest feedback.

My first submission focused purely on the read-only impact: unauthenticated access to sensitive internal data, including employee PII. The program initially assessed it as lower severity with a "no security impact" response, which I disagreed with.

So I went back, did a deeper impact analysis, and resubmitted with stronger evidence. This time it got triaged and validated by Bugcrowd staff. Good start. Made it unresolved with point rewards.

But then I kept digging to prove the real severity. Over the following weeks I progressively demonstrated:

  • Full authentication bypass with zero credentials
  • Access to hundreds of thousands of customer and employee records including names, emails, phone numbers and addresses
  • Confirmed unauthenticated write access to production data
  • Administrative privilege escalation: created and then immediately deactivated a test admin account to prove the path
  • Code execution capability on the backend infrastructure

The Problem

Because I kept adding impact evidence progressively inside the same report rather than splitting into separate submissions, everything got bundled into one P2 "IDOR - View Sensitive Information" rating even though the actual impact went far beyond viewing anything.

The vulnerability has since been patched, confirmed by endpoint behavior going from wide open → 502 → deliberate 403. So they read it, validated it internally, fixed it.

And then complete silence.

  • Customer responded once with "we'll look into it" — nothing since
  • Multiple RaRs submitted, all expired without response
  • points awarded, zero bounty decision, zero severity update
  • Two months and counting

My Questions

  1. Has anyone successfully gotten a severity upgrade from P2 to P1 after a customer goes silent post-patch?
  2. For those who've had similar "silent fix" experiences: did you ever get paid, or did you just write it up and move on?

The finding is real, the patch is real, the silence is real. Just trying to figure out if I keep pushing or accept the lesson and move on.

Appreciate any honest feedback including if you think I handled this badly.

u/One_Construction1114 — 2 days ago

What’s the most unexpected vulnerability you’ve ever found in a bug bounty program?

I'm curious about the kinds of bugs that really surprised experienced hunters: not just the usual XSS or IDOR cases, but the ones where you thought "there's no way this should be possible".

Maybe it was something simple that had massive impact, a weird chain of exploits, or even a security flaw in a place no one would think to check.

u/SuperbAssumption — 3 days ago

Anyone have past experience reporting to Samsung's Mobile Program?

I've heard they tend to mark a lot of actual vulnerabilities as working as intended based on their rules, and their rules are kind of vague, so I'm wondering if anyone has had any good experiences with their program, or if it's one to stay away from?

u/jaysuns — 2 days ago

SQL Injection Lab #1 | The first real step in ethical hacking (PortSwigger)

Hey everyone,

I just uploaded the first video in my new series walking through PortSwigger Web Security Academy labs in Arabic.

This one covers the very first SQL Injection lab (the classic one where you exploit the WHERE clause to retrieve hidden data).

I made it because a lot of Arabic-speaking beginners find the official explanations a bit hard to follow at the beginning, so I tried to keep everything super simple and practical — step by step with clear explanations.

Video link:
SQL Injection Lab #1 | The first real step in ethical hacking (PortSwigger)

It's only 9 minutes and focused on helping you actually solve the lab, not just theory.

This is the start of a full series. If it helps anyone, I'll continue with the next labs (UNION, Blind, etc.).

Would love any feedback — especially from people who already tried the lab or watched the video. What was helpful? What could be better?

Thanks in advance!

u/Fuzzy-Salamander-976 — 2 days ago