Bug Bounty

Forging signed commits on GitHub

I find reports like this one very satisfying. In short, in GitHub’s commit signing flow, there were two different components and one of them extracted the email of the author regardless of whether there was a username while the regex in another component only accepted...

CTTB – The OG Bug Bounty King – Frans Rosen

If you are not listening to the Critical Thinking Bug Bounty Podcast, you are missing out on tons of useful, intermediate to advanced bug bounty and web security tips. I do listen to every single episode. Recently, I played the one with Frans Rosen and, at times, it...

4 DOs and DON’Ts for writing quality reports

None of us manual hackers has an infinite number of bugs to report. Sometimes, we need a few hours to find a bug but at other times, we need days or weeks. So when we finally have it, it would be stupid to write a poor report and get a bounty lower than we deserve....

Bug Bounty on Steroids by @HusseiN98D

Hussein Daher gave a great presentation at BSides Ahmedabad titled “Bug Bounty on Steroids”. He shows a few writeups and discloses some cheeky tricks. You can check out the whole hour-long video on YouTube or you can continue reading my notes and takeaways. Account...

How to win arguments in bug bounty reports?

The biggest positive of bug bounty is that you can do it from anywhere in the world. You don't need a contract or anything. However, the other side of this coin is that you just have to trust the bug bounty program that they will do the right thing. Often, they...

Hackers are Shifting Left, Too – Spaceraccoonsec

Shift left is the trend where developers introduce security checks as early as possible in the development lifecycle. Along with some other factors, it makes the software more secure. However, every time you introduce any component to the pipeline, you also introduce...

Top-Tier Bug Bounty Hunter Mindset

Over the years, Yassine Aboukir has transformed from reporting lots of NAs and Informationals to discovering lots of cool, impactful bugs and even receiving a Most Valuable Hacker award at a Live Hacking Event. In his recent talk, he described how he changed his...

NahamSec videos and NahamCon2023

NahamSec has been very active on YouTube recently, producing a lot of interesting videos like:
2023 Web Hacking Roadmap // How To Bug Bounty
Learn Cybersecurity and Hacking Through CTF!
Cloud Hacking: The Basics
How To Pick Your Targets // How To Bug Bounty
Also, he...

The Ultimate CVSS Guide for bug bounty

CVSS is a uniform way to describe the severity of a bug. It has received a lot of criticism for its flaws over the years. However, we still use it and we'll keep using it for now. Not because it's perfect but because we don’t have anything better. Incorrectly...