Mohammed Israil (@dominikyea) 's Twitter Profile
Mohammed Israil

@dominikyea

Cybersecurity + Privacy + Law & Policy

ID: 948579347379625989

Joined: 03-01-2018 15:38:34

1.1K Tweets

1.1K Followers

980 Following

Corben Leo (@hacker_)

You can find easy critical vulnerabilities. It just takes finding unique attack surfaces. Here's an example of how you can, using a story of how I hacked a car company:

James (@jamesspi)

This XZ utils backdoor is nasty. This is a great write up -> gist.github.com/thesamesam/223… Here's an OSQuery query to help -> gist.github.com/jamesspi/ee831…

Adnan Khan (@adnanthekhan)

Read how I used a custom scanner to discover a GitHub Actions vulnerability hiding in plain sight for 3 years in a Google OSS repository and earned a $7,500 💰 #bugbounty! adnanthekhan.com/2024/04/15/an-…

Matan Berson (@mtnber)

Just wrote a ~2.5 page blog post on Client Side Path Traversal, covering what CSPT is, why it can be so impactful, some advanced exploitation and WAF bypass techniques, and a bug which I found in a live hacking event (redacted ofc) matanber.com/blog/cspt-leve…
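The post above links to a write-up rather than explaining the bug class inline. As an added example, not code from the post or from any target, here is the core of client-side path traversal (CSPT): a page splices an attacker-controlled value into the path of a same-origin fetch, and the browser's URL parser collapses the `..` segments before the request leaves, so the request lands on a different endpoint than the developer intended. The API base, routes and function names are hypothetical; the hardened builder beside it encodes the value as a single segment and re-checks the resolved path.

```javascript
// Added example (not from the linked post): client-side path traversal in a
// fetch() URL built from an attacker-controlled path segment, next to a
// hardened builder. API base and routes are hypothetical.

const API_BASE = "https://app.example/api/";

// Vulnerable: the id (in a real page it would come from something like
// new URLSearchParams(location.search).get("id")) is spliced straight into
// the path. A value such as "../admin/export" walks out of /api/users/
// because the URL parser normalises ".." before the request is sent.
function buildProfileUrlVulnerable(userId) {
  return new URL("users/" + userId + "/profile", API_BASE).href;
}

// Hardened: encodeURIComponent turns "/" into "%2F", so the id can no
// longer introduce a new path segment. It does NOT encode ".", so a bare
// ".." would still be collapsed; the prefix check on the resolved pathname
// catches that and any other escape as a second line of defence.
function buildProfileUrlHardened(userId) {
  const url = new URL("users/" + encodeURIComponent(userId) + "/profile", API_BASE);
  if (!url.pathname.startsWith("/api/users/")) {
    throw new Error("path escaped the users resource: " + url.pathname);
  }
  return url.href;
}

// Handy when triaging: does this input change which endpoint is hit?
function isTraversal(userId) {
  const intended = "/api/users/" + userId + "/profile";
  return new URL(buildProfileUrlVulnerable(userId)).pathname !== intended;
}

console.log(buildProfileUrlVulnerable("../admin/export"));
// https://app.example/api/admin/export/profile
console.log(buildProfileUrlHardened("../admin/export"));
// https://app.example/api/users/..%2Fadmin%2Fexport/profile
```

The interesting part for a hunter is the second call: the traversal only matters if the redirected request reaches a sink (a JSON response rendered into the DOM, a token echoed back, a state-changing endpoint that accepts the session cookie), which is what the linked post's impact and WAF-bypass discussion is about.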

Harel (@h4r3l)

New blog! This time a high severity session takeover in Zoom worth $15,000. Read the story of how sudi, BrunoZero and I chained 2 completely useless XSS vulns to steal OAuth tokens, hijack browser permissions, and more: nokline.github.io/bugbounty/2024…

Eldar (@pikuhaku)

I've got some advice to young bug bounty hunters (like me). If you're making good money from bug bounty: it's good to splurge sometimes and reward yourself, but don't overdo it. If it took you 6 months to get 30k earnings, don't spend it all on a car, an extremely depreciating asset.

SinSinology (@sinsinology)

🚨🚨DO NOT PANIC! I'm publishing my detailed analysis of CVE-2024-29855, which targets Veeam Recovery Orchestrator Authentication 🩸. This has a score of CVSS 9 🪲, but IMHO it's not as severe; however, I like the technical details of it, so here we go 🔥 summoning.team/blog/veeam-rec…

shubs (@infosec_au)

Our security researcher hashkitten found one of the most critical exploit chains in the history of Assetnote. Affecting 40k+ instances of ServiceNow, we could execute arbitrary code, access all data without authentication. You can read our blog here: assetnote.io/resources/rese…

Jayesh Madnani (@jayesh25_)

Bug Bounty Tips: Extract API Endpoints and Construct Complex HTTP Requests from JavaScript Files Using AI. Stuck analyzing complex JS files while manually hunting on a target and can't figure out how to construct those GET/POST requests? 🤯 No fancy tools needed! 👉 Quick tip:
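The tip itself is cut off on this page, and it leans on an LLM to do the reading. As an added example, not the author's workflow, here is the deterministic half of that job: pull candidate path literals and their HTTP method hints out of a JavaScript bundle, deduplicate them, and turn each into a raw request skeleton you can paste into a proxy. The bundle below is constructed for the demo; the host name and the statement-splitting heuristic (split on `;`, look for `method:`/`type:` or an `.get(`/`.post(` helper inside the same statement) are my assumptions, and a real bundle will need the regexes widened.

```javascript
// Added example (not the tweet author's tool): regex-based endpoint and
// method extraction from a JS bundle, plus a raw HTTP request builder.
// SAMPLE_BUNDLE is constructed for the demo; host and paths are hypothetical.

const SAMPLE_BUNDLE = `
  const BASE = "/api/v2";
  axios.get(BASE + "/users/" + id + "/profile");
  fetch("/api/v2/orders", { method: "POST", body: JSON.stringify(order) });
  $.ajax({ url: "/internal/debug/flags", type: "DELETE" });
  const adminPath = '/api/v2/admin/export';
`;

// A quoted literal that starts with "/". Concatenated fragments such as
// "/users/" and "/profile" are captured separately; joining them is manual.
const PATH_RE = /["'`](\/[A-Za-z0-9_\-.\/{}:$]*)["'`]/g;

// Method hint inside one statement: an explicit option key first, then a
// verb-named helper such as axios.get( / $.post(. Default is GET.
function guessMethod(statement) {
  const explicit = statement.match(/\b(?:method|type)\s*:\s*["'](GET|POST|PUT|PATCH|DELETE)["']/i);
  if (explicit) return explicit[1].toUpperCase();
  const helper = statement.match(/\.(get|post|put|patch|delete)\s*\(/i);
  if (helper) return helper[1].toUpperCase();
  return "GET";
}

// Returns [{ method, path }], deduplicated on method + path.
function extractEndpoints(source) {
  const found = new Map();
  for (const m of source.matchAll(PATH_RE)) {
    const path = m[1];
    if (path.length < 2) continue; // skip a bare "/"
    // Crude statement boundary: from the previous ";" to the next one.
    const start = source.lastIndexOf(";", m.index) + 1;
    const endIdx = source.indexOf(";", m.index + m[0].length);
    const statement = source.slice(start, endIdx === -1 ? source.length : endIdx);
    const method = guessMethod(statement);
    found.set(method + " " + path, { method, path });
  }
  return [...found.values()];
}

// Raw HTTP/1.1 request text for an endpoint; JSON body only for verbs that carry one.
function toRawRequest(host, endpoint, body) {
  const lines = [
    `${endpoint.method} ${endpoint.path} HTTP/1.1`,
    `Host: ${host}`,
    "Accept: application/json",
  ];
  if (["POST", "PUT", "PATCH"].includes(endpoint.method)) {
    const payload = JSON.stringify(body ?? {});
    lines.push(
      "Content-Type: application/json",
      `Content-Length: ${new TextEncoder().encode(payload).length}`,
      "",
      payload,
    );
  } else {
    lines.push("", "");
  }
  return lines.join("\r\n");
}

for (const ep of extractEndpoints(SAMPLE_BUNDLE)) {
  console.log(toRawRequest("app.example", ep, { sku: "demo" }));
  console.log("----");
}
```

Treat the method guess as a starting point only: a `.get(` on a `Map` will be misread as a GET helper, and paths assembled from variables (the `BASE +` case above) need the fragments stitched back together by hand before the request is worth sending.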