Abu Maryam Rahmat (@abumaryamrahmat)'s Twitter Profile
Abu Maryam Rahmat

@abumaryamrahmat

Muslim | Bug hunter | Free palestine 🇵🇸

ID: 1658588072735576064

Link: http://hackerone.com/amr_id
Joined: 16-05-2023 21:39:53

779 Tweets
1.1K Followers
213 Following

Chris Evans (@scarybeasts):

Hackers, an important one. e.g.: we heard that CVSS "PR" is handled inconsistently (should be PR:None for self-sign-up). We're transparently listing a set of Detailed Platform Standards for consistency across programs. Need your help -- what to cover next? docs.hackerone.com/organizations/…

Abu Maryam Rahmat (@abumaryamrahmat):

Alhamdulillah, this is my trick to avoid self-duplicates when finding bugs with the same impact but on different URLs/endpoints.

#hackerone #bugbountytips
Abu Maryam Rahmat (@abumaryamrahmat):

Looking for bugs on LinkedIn since early November 2022, Alhamdulillah, the achievements for one year:

- Ranked 2nd all-time
- 1209 Reputation
- 50+ Paid reports

If you want to hunt there, LinkedIn has a lot of issues on access control and logic errors :)

#hackerone #bugbountytips
Justin Gardner (@rhynorater):

Here are a couple alternative bug bounty goals you could consider setting this year instead of the typical "I wanna earn X".

ippsec (@ippsec):

I get asked a lot about avoiding burnout, which is an incredibly tough question to answer because I think a lot of other issues get attributed to burnout. It seems people think a lack of motivation to start something == burn out, which isn't always the case. For me, it's more

Alexandrio (@alexbindrei):

Question for Full-time hackers: What made you leave your job and decide to do full-time bb hunting? Do you regret it? Were you scared at first? #bugbounty

D Day (@archangeldday):

Had an absolutely stellar time at HackerOne's #h1305! The Capital One team was a real joy to work with, and Miami felt like just the perfect location.

As this was my 16th LHE, I was beginning to think I would never make MVH, but having a positive attitude, grit, and
Abu Maryam Rahmat (@abumaryamrahmat):

Alhamdulillah, I was awarded a $4,500 bounty on HackerOne!

Add any item to the basket -> Intercept -> checkout -> in the parameter "address_id":"123" change it to the victim's address_id -> look at the order -> the victim's identity is disclosed

#bugbountytips #TogetherWeHitHarder
zseano (@zseano):

New HackerOne platform standards coming 2nd April:

1. IDORs with unpredictable IDs
2. Systemic issues
3. Leaked credentials
4. Bypassing resolved reports

Full info: docs.hackerone.com/en/articles/83…
Abu Maryam Rahmat (@abumaryamrahmat):

Biidznillah, I was awarded a $5,000 bounty on HackerOne!

A simple IDOR:

❌ GET /api/v1/user/detail?type=1&user_id=123
✅ GET /api/v1/user/detail?type=0&user_id=123

Always try changing the value if u find parameters similar to that (type, role, scene, etc.)

#bugbountytips
Abu Maryam Rahmat (@abumaryamrahmat):

Hopefully HackerOne will soon reduce the VDP programs. For beginners VDP is very good, but in reality many VDPs are used to boast points, and this is very strange: they do that without being paid!

Abu Maryam Rahmat (@abumaryamrahmat):

Biidznillah, I was awarded a $2,500 bounty on HackerOne

1. Type "amr" in the search feature
2. GET /user/api/search?keywords=amr&q=keywords
3. Change to
4. GET /user/api/search?email=victim@gmail.com&q=email

Sensitive information about the victim was disclosed

#bugbountytips
Abu Maryam Rahmat (@abumaryamrahmat):

Biidznillah, I was awarded a $500 bounty on HackerOne

❌ DELETE /api/v1/review/review_id:123
✅ GET /api/v1/review/review_id:123

Discloses the victim's reviews, because the reviews are hidden

I often get bugs by changing the request method

#bugbountytips #hackerone #bughunter
Abu Maryam Rahmat (@abumaryamrahmat):

Biidznillah, I was awarded a $500 bounty on HackerOne

IDOR to delete other users' files -> DELETE /api/v1/files/file_id:123

❌ Response shows HTTP/2 500 Internal Server Error
✅ But the file was successfully deleted

Always look at the impact, not the response

#bugbountytips
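The address_id, type=0, request-method and DELETE tweets above all come down to one server-side defect: the handler trusts a client-supplied object ID (or lets a client flag, or the HTTP method, decide whether ownership is checked) instead of checking that the object belongs to the caller before reading or mutating it. As an added example, not code from these posts or from any program mentioned in them, here is that broken pattern next to the hardened one in Python; the store, owners and IDs are constructed for the demonstration.

```python
"""Object-level authorization for ID-bearing requests (IDOR defence)."""
from copy import deepcopy
# Constructed sample store: owners, IDs and contents are made up.
SAMPLE = {
    "addresses": {"123": {"owner": "victim", "city": "Jakarta"},
                  "456": {"owner": "attacker", "city": "Bandung"}},
    "files": {"f1": {"owner": "victim", "name": "report.pdf"}},
}

def fresh_store():
    return deepcopy(SAMPLE)

class Forbidden(Exception): pass  # 403: refused before any read or mutation

def vulnerable_address(store, user, address_id, type_=1):
    # Broken: owner check gated on a client flag, so type=0 skips it entirely.
    record = store["addresses"].get(address_id)
    if type_ == 1 and record["owner"] != user:
        raise Forbidden()
    return record

def authorize(record, user):
    # One server-side owner check, applied to every read, write and delete.
    if record is None or record["owner"] != user:
        raise Forbidden()
    return record

def hardened_address(store, user, address_id, **client_params):
    # Ownership comes from the stored record only; client flags are ignored.
    return authorize(store["addresses"].get(address_id), user)

def vulnerable_delete_file(store, user, file_id):
    # Broken ordering: the file is gone before the failing step returns a 500.
    store["files"].pop(file_id)
    raise RuntimeError("audit log write failed")  # surfaces as HTTP 500

def hardened_delete_file(store, user, file_id):
    # Check first, mutate second: a 403 here leaves the store untouched.
    authorize(store["files"].get(file_id), user)
    return store["files"].pop(file_id)

def outcome(handler, *args, **kwargs):
    """'ok', 'forbidden' (403) or 'error' (500), as the client would see it."""
    try:
        handler(*args, **kwargs)
    except Forbidden:
        return "forbidden"
    except Exception:
        return "error"
    return "ok"
```

The `outcome` helper shows why "look at the impact, not the response" matters on the defending side too: the vulnerable delete reports an error while the store proves the file is gone, whereas the hardened handler refuses before touching anything.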
Abu Maryam Rahmat (@abumaryamrahmat):

Alhamdulillah, I was awarded a $2000 bounty on HackerOne

Privilege escalation: member tries to add a user as owner

❌ 400 Bad Request
✅ Perform action "X" to bypass that

For details about action "X", read my first WU here: medium.com/p/7e837698fe4b

#bugbountytips #hackerone