Márcio Souza (@mrccrqr)'s Twitter Profile

Ethical Hacker & Bug Hunter | Secured Meta, Hollister, Sony and Others..

ID: 1240478841937760257

Link: https://hackerone.com/marciosz_

Date: 19-03-2020 03:23:31

19 Tweets

116 Followers

38 Following

Ben Sadeghipour (@nahamsec)

I'm honestly still in disbelief... grateful to receive a $100k bounty from @meta. Feels surreal. Sharing this to show that with time and dedication, it's possible. This was my first and only submission to Facebook - something I've been chasing for a decade! 🙏 Big thank you to

mari (@lilavonsuirs)

yesterday at the notary's office the following dialogue took place - what do you work with? - cybersecurity - cyber what? - security - are you sure that exists? you won't be able to change it later

Márcio Souza (@mrccrqr)

Yay, I was awarded a $500 bounty on HackerOne! hackerone.com/marciosz_ #TogetherWeHitHarder

Tip: Subscribe to lots of programs to get notified when new assets are added. They tend to offer low-hanging fruit plus lower dupe risk

Márcio Souza (@mrccrqr)

Yay, I was awarded a $2,500 bounty on HackerOne! hackerone.com/m4rc10sz

Look for dynamically generated JS embedding sensitive user info in global scope. If session cookies go cross-site, you can load it via <script src> and exfil data - SOP doesn't apply to script inclusion

Márcio Souza (@mrccrqr)

I usually skip responsible disclosure after past bad experiences, but it’s nice to see some companies still recognize and appreciate the value of security research, even without a BBP.

Didn’t expect a reward, but this one proved mindset matters more than company size