Being a "Full-Time" Hunter does NOT Have to Mean 8+h of Bug Bounty per Day!

react2shell:11/29/25:lachlan2k:sy1vi3 sha256:18571097aedaec16f729c4227e1e508fe161d5d6b4256eec7d0525535ebb3fa0 cve.org/CVERecord?id=C…

Today we partnered with Meta to disclose a critical vulnerability in React Server Components, impacting Next.js. Huge credit to Lachlan Davidson for responsibly reporting this to Meta and to our industry partners for responding quickly to our call-to-action. This is how open

We want to thank the hackerone community for an incredible collaboration over the weekend. They discovered a total of 15 unique issues, leading to an expected payout of $750K. Our eng team has hardened the WAF as issues were discovered, and the last "flag capture" was 20 hours

Just got my first payout from Microsoft under the M365 Bounty Program 🥳 blog post scheduled for early Feb!

Nice catch!🥳

A screenshot of the exact point where you decided to lock in. 😎

Following December's "In Scope By Default" bounty expansion, we're excited to introduce additional recognition updates. This includes recognizing everyone with a valid submission publicly on our website and additional changes to align our leaderboards with impact. Pls see blog.

Thanks for the swag! Microsoft Security Response Center

Can you spot the problem? Just waiting on Google to push a fix for their one then I can share my blog post on this behaviour. Spoiler: Chromium are not addressing the underlying issue so Web applications need to implement mitigations!