Vulnerability Disclosure: Local Privilege Escalation in Antigravity - Google rejected the report as "Intended Behavior"
https://redd.it/1qpfyvb
@r_bugbounty
Is the "Automation Obsession" actually a trap for new hunters?
I’ve been doing this for 6 months and just had my best month yet: 2 Criticals, 3 Mediums, and 5 Informatives (hardcoded keys, ghosting).
I used zero automated scanners. No Subfinder, no Katana, no Nuclei. My entire stack was just Caido, VS Code (for notes), and Claude for some logic assistance.
I genuinely don’t understand the hype around installing 50 different Go tools to spray-and-pray. If a tool can find a vulnerability with one click, isn't it basically a race to the bottom? You’re just competing with ten thousand script kiddies for the same "Duplicate" or "N/A" report.
It feels like people spend more time configuring their VPS than actually looking at how an application functions.
My questions for the vets:
* Am I missing out on a specific "tier" of bugs by ignoring automation, or is it mostly just fluff?
* Do you actually find unique, high-impact bugs with scanners, or are they just for low-hanging fruit like open redirects and outdated JS libraries?
* Is it better to stay "pure manual" to build a deeper intuition for business logic flaws?
https://redd.it/1qpcw79
@r_bugbounty
Recently my finding has been accepted by NASA VDP (handle: 0xdk27)
https://redd.it/1qr7z6c
@r_bugbounty
Launched a web security scanning tool — looking for honest feedback from bug bounty hunters
Hi everyone,
I recently launched a small platform for **safe, non-destructive web security scanning**.
I’m mainly looking for honest feedback from people who test **their own or authorized assets**.
The focus is intentionally limited:
– headers & configuration issues
– reflection indicators
– error-based signals (no exploits, no aggressive fuzzing)
I’m not trying to sell anything here — I’m trying to understand:
– what feels useful
– what feels unnecessary
– what would stop you from using a paid tool like this
If anyone is curious, I can share a link and provide **free access for feedback**.
Appreciate any thoughts 🙏
https://redd.it/1qr8qiv
@r_bugbounty
Feeling stuck between labs and real-world testing in web security
I have been building and deploying web apps for almost 2 years and recently I shifted my focus to web security. I took TCM academy’s practical bug bounty course where I learned the basics such as IDOR, XSS, authentication and authorization issues, and some logic abuse. I also found many vulnerabilities in OWASP Juice Shop and completed around 10 labs so far.
Recently, I tested one of my own apps and discovered a missing input validation on the server and no rate limiting. Essentially, anyone could create unlimited entries in the database.
Right now, I feel stuck. Beginner material is starting to seem too basic, and the expert PortSwigger labs seem impossible, but when I try real-world programs, I mostly face access and scope issues, which makes me feel unproductive. I don't expect to find major bugs, but I'm not sure if I'm spending my time wisely to actually develop real-world judgment. I am currently focusing on IDORs and XSS.
For those who have gone through this phase, I would like to know what helped you. Did you continue doing labs for a while longer, or did you test real applications until things started to make sense? I am not pursuing bounties right now; I just want to learn properly and build strong fundamentals.
Any insights from people who’ve been through this would be appreciated.
https://redd.it/1qpgvyx
@r_bugbounty
Reverse engineering Lyft bikes for fun (and bounty?)
https://ilanbigio.com/blog/lyft-bikes.html
https://redd.it/1qrcbya
@r_bugbounty
Is it standard practice to ask vendors to issue CVEs?
I recently found a vulnerability which I submitted through GitHub GHSA. The vendor acknowledged and patched it but didn't issue a CVE. The GHSA is also still set to private. Should I ask them to see if they are alright with doing so, or should I go ahead and file the form on MITRE? Just so there's some way for me to get credit.
https://redd.it/1qrn17u
@r_bugbounty
help me with commix web shell
So I'm doing a bounty, and I'm just playing around with some tools, and I have got a "commix web shell", but I don't know if I can report how to turn it into something. I can, I know it 100%; a script kiddie question.
https://redd.it/1qrleef
@r_bugbounty
why do a lot of hunters skip the fundamentals for web security?
I'd say a huge portion of bug hunters fail to find their first bug, and an even bigger portion fail to make money out of bug hunting, while some other people literally gain what you can earn working at McDonald's for 1 year in 2-3 reports that get paid shortly after.
I'm not a PRO hunter yet 🤓, but at least I know that without the correct fundamentals (which take time to learn) you probably won't make a lot of money, and you'll feel overwhelmed pretty fast and think this whole thing is not for you.
Beginner hunters, just learn web development first and gain some development experience.
You're not required to do it like a developer, but at least the core knowledge should be in your head: HTML, CSS, JavaScript, any language to handle the back end, and start with SQL and NoSQL. Then just build some apps, hack what you created, and go for the real world.
Why is that required? Say you have an injection point where you tested the most common XSS payloads and the app filters your input. You'll automatically start to visualize the code that is dealing with your input: what the dev might have missed, what edge cases might have been forgotten, what quirks the language the website uses has. You start testing these and suddenly you find an XSS, and you find out that this injection point is pretty vulnerable. You won't gain that knowledge without web development experience, unfortunately. The PRO hunters are popping bugs on main domains which seem pretty solid to people without web development experience or running scanners 24/7, but in their hands they're still vulnerable to a shitload of things.
So just take a step back, take care of the fundamentals, and notice how you level up pretty fast.
https://redd.it/1qscdhf
@r_bugbounty
New Tool: AttackMapper - Attack Path Mapping
Hey folks — A tool I’ve been working on to map attack paths in red team engagements and visualize them with MITRE ATT&CK context.
Appreciate all feedback — especially on feature gaps, smarter attack graph logic, and ways to make this useful in actual engagements
https://github.com/BaymaxPop23/attackmapper
https://redd.it/1qsp36w
@r_bugbounty
Realistic earning from bug bounty
If I study and learn for 8 months and then hunt for 16 months, totalling 2 years at 5-6 hrs a day, that means after 8 months of pure learning I will have a year and a half of hunting experience. Is it possible to get $1000 a month after these 2 years?
https://redd.it/1qsa19b
@r_bugbounty
This is my very first bug hunt. I need advice on a finding.
Hey guys, I need your opinion on something I'm working on right now. I found a solid Stored CSV Injection.
The scenario in short: I managed to bypass the sanitization in the "Company" field within the Customer Address. The application filters standard characters but fails to catch the @ symbol if I use string splitting. As a result, I can inject Excel formulas (like @HYPERLINK). When the Admin exports the Orders and opens the CSV file, the payload executes, allowing for data exfiltration of the spreadsheet's contents or redirection to an external site.
I am currently torn between 3 decisions and need your advice:
1. Submit the report as is? (Is this impact sufficient/satisfying for them?)
2. Aim higher for a Critical? Should I try to hunt for a Race Condition in the coupon/discount system?
3. Pivot to a Logic Flaw? Should I check the Returns/Refunds flow for financial theft vectors?
Do you think the CSV Injection is enough for a good bounty, or should I try to escalate the impact and pursue the other options? If anyone has other opinions, please let me know!
https://redd.it/1qs9w6z
@r_bugbounty
Do you take notes while recon or understanding a target?
I heard many bug bounty hunters take notes while they try to understand a target or service. I want to know what kind of things you usually note down.
If possible, can you share a very small sample of your notes? A fake or dummy example is totally fine. I am trying to improve my workflow and learn better note-taking habits.
https://redd.it/1qs1ot7
@r_bugbounty
Exposed ASP.NET Route Debugger in Prod - NA'd as "No Security Concern" - How to Escalate or Has Anyone Gotten Payout on Similar?
Hey r/bugbounty,
I recently submitted a find on a BB program: an exposed Haack Route Debugger on a production subdomain (ASP.NET app on Azure). It leaks the full routing table, regex constraints, and stack details (IIS 10.0 + ASP.NET 4.0).
To show impact, I demo'd WAF evasion using the leaked routes: standard traversal gets 400 (Azure WAF block), but crafted payloads reach the backend with 404. Felt like solid P3 chaining (info disc → WAF bypass → potential IDOR/SSRF on image engine).
Triage marked it as duplicate, and the original was NA'd: "no security concern with the current provided proof of information." No points/payout.
Questions for the community:
- How would you escalate this? More PoC (e.g., actual SSRF fetch or file read)? Appeal with OWASP refs or VRT arguments?
- Has anyone gotten payout on similar finds (exposed debug tools, route leaks, or WAF evasion chains without full exploit)? What made it valid vs NA?
- Tips for programs that downplay misconfigs without direct data leak?
https://redd.it/1qswjo4
@r_bugbounty
I feel that I am stuck.
I recently started bug bounty. It's been 2 months, 6 hours daily, and I feel that I have made no progress. I have submitted 10 bugs (2 duplicate, 6 non-applicable, 2 points awarded). I am a recent high school graduate and I want to pursue my career in cybersecurity, and I thought that with bug bounty I could get both experience and some pocket money. But neither of those happened. I started by reading some books and dove straight into real-world hunting, and did about 5 labs because they are boring and expensive. I don't know if my methods are wrong or I am missing something. I first study the target briefly and note down its scopes. If it has a wildcard, I find its subdomains and test those which have interesting names. I mainly look for reflected values and flawed business logic. If I find anything that reflects the value, in HTML or a JS script, then I try all sorts of payloads including sandbox escape and XSS, and I also look at some old JS files that have already proved vulnerable using retire.js, BUT nothing seems to work. My back hurts, my eyes burn and my mind is fried.
I don't know what to do next. Should I continue or do something else first? It's frustrating, really: working 6-7 hours continuously on a target and it turns out it was a false positive. Study a target for days, find something noteworthy and finally click submit, but it turns out it is non-applicable or duplicate. I don't know if it is just me who is dumb or what?
So, I really want to ask this: how long did it take you to find your first bug bounty that actually paid, and what was the way you found it?
https://redd.it/1qs5myp
@r_bugbounty
Is this a payable bug?
I found an IDOR which exposes the bookmarks of any user by knowing their user ID. Also, we can add or remove their bookmarks without the user's knowledge. And this is a newspaper-like subscription-based site. I am confused about whether this will be paid or not, because I previously got an N/A on a similar bug which exposed a user's private favourites list on an e-commerce site. Even if the userId is unguessable, it is still an IDOR I guess. Am I getting paid for this? I just submitted the report.
https://redd.it/1qrsa96
@r_bugbounty
Easy to find but hard to exploit IDOR
Background:
While hunting on a public target, I came across a loyalty program. After joining the loyalty program, I got an ID. At first, the ID looked long and random to me, and I didn’t know what it was used for, so I continued testing. After a while, I noticed there was a feature in the program that lets you invite others to collect points together and benefit from it all.
So I created another account and invited myself. After intercepting the response for the invite request, the backend returned the full name and email of the invited member. To invite a member, you need two pieces of information:
1- First name
2- The ID
The first name was not a problem, as the website is common in our region and I could just guess common names. However, the ID was an issue, as it was not guessable.
The ID?
The ID looked something like 1769956104, which is long, as you can see. However, when I looked at my account IDs, they were very similar, which drove me to think there is no way these are random. To confirm this, I created two accounts within a period of two minutes and joined them to the loyalty program. The new IDs were something like 1769956104 and 1769956106. That confirmed to me that this was absolutely not random.
I decided to make a bunch of accounts and give their IDs to GPT, and it said this is actually a UNIX timestamp and not random numbers. For context, UNIX timestamps should increase every second, but my two accounts were off by 2 numbers and not 120 seconds (2 minutes difference), which told me that the IDs are increasing by 1 per minute not per second.
Exploitation:
To show impact, I needed to leak some random data. However, doing this manually was not feasible, which forced me to write a Python script to enumerate valid IDs. The issue with this was that the frontend was encrypting the body somehow for an integrity check, and if you try to change the ID or the first name, the backend would return 400 (Bad Request).
So now I needed to figure out how this encryption thing actually works. The issue was that the JS files were huge and heavily obfuscated. I was not very good at JS analysis, but thankfully I found some good resources about JS analysis and debugging.
JS analysis:
That part took me the most time, as I didn’t have the experience. After several hours, I found a function that is called encryptWithAES256. So I decided to put a breakpoint into that function and observe how the encryption works. After a while, I was able to figure out how the key was calculated and how the function was called. I also figured out that this was AES-128 and not AES-256, as the name suggested (that was painful).
Trying out my Python script:
I launched the Python script using common names and starting with my ID, decrementing it sequentially. Here, I hit a wall: a rate limit. I couldn’t extract any data because of this. So I had to bypass it or at least delay it somehow to prove the concept.
I tried using a sleep function to add some delay, but it did not work. Then, somehow, I thought that the rate limit might be based on the TLS session, so I decided to renew my session every two requests. After that, I ran the script, and within one minute, I started getting data.
Results?
I reported this to the program but it ended up as a duplicate, as the title said: easy to discover, but hard to exploit.
https://redd.it/1qt0jq0
@r_bugbounty
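The write-up above turns on one observation: the loyalty IDs were timestamp-shaped and advanced by a fixed step, so the space between two known IDs was tiny. The following is an added example, not the poster's script, showing the check an application owner can run over their own issued IDs to catch that property before someone else does; the sample batches are constructed to mimic the behaviour described in the post (IDs in the UNIX-timestamp range, growing by one per minute), with a batch of random IDs as the contrast.

```python
"""Predictability check for server-issued identifiers (added example)."""
import secrets

# Epoch-second range we treat as "looks like a timestamp" (2000-01-01 .. 2100-01-01).
_EPOCH_LOW, _EPOCH_HIGH = 946_684_800, 4_102_444_800

# Constructed sample: (seconds the account was created, ID it received).
# The ID grows by 1 per minute, so two accounts created 2 minutes apart
# differ by 2, which is exactly the pattern the post describes.
SEQUENTIAL_SAMPLES = [(1_700_000_000 + 60 * k, 1_769_956_104 + k)
                      for k in (0, 2, 5, 9, 30, 120)]

# Constructed contrast: 64-bit random IDs issued at the same moments.
RANDOM_SAMPLES = [
    (1_700_000_000, 0x5F2B9C1E7D3A4081),
    (1_700_000_120, 0x0C84E2B11F9D6A37),
    (1_700_000_300, 0xB71D0F5AC2E94D6E),
    (1_700_000_540, 0x3E6A9D17F0C25B88),
    (1_700_001_800, 0x91C47AE3D2B6F015),
    (1_700_007_200, 0x27F3B8D64E1A9C53),
]


def looks_like_unix_timestamp(value: int) -> bool:
    """True when an integer falls in the range of plausible epoch seconds."""
    return _EPOCH_LOW <= value <= _EPOCH_HIGH


def predictability_report(samples):
    """Summarise how guessable a batch of IDs is.

    samples: iterable of (issued_at_epoch_seconds, id) pairs, e.g. pulled from
    your own users table. Returns the evidence a reviewer wants: whether IDs
    rise with issue time, the fitted growth rate, the widest gap between two
    consecutive known IDs (the space an enumerator would have to cover), and
    whether the values sit in the timestamp range.
    """
    ordered = sorted(samples)
    if len(ordered) < 2:
        raise ValueError("need at least two samples")
    times = [t for t, _ in ordered]
    ids = [i for _, i in ordered]
    n = len(ordered)
    monotonic = all(a < b for a, b in zip(ids, ids[1:]))
    # Least-squares slope of id against issue time, in IDs per second.
    mt, mi = sum(times) / n, sum(ids) / n
    sxx = sum((t - mt) ** 2 for t in times)
    sxy = sum((t - mt) * (i - mi) for t, i in zip(times, ids))
    ids_per_second = sxy / sxx if sxx else float("nan")
    max_gap = max(b - a for a, b in zip(ids, ids[1:]))
    timestamp_like = all(looks_like_unix_timestamp(i) for i in ids)
    # Monotonic IDs separated by small gaps are enumerable; that is the finding.
    predictable = monotonic and max_gap <= 10_000
    return {
        "monotonic": monotonic,
        "ids_per_second": ids_per_second,
        "max_gap": max_gap,
        "timestamp_like": timestamp_like,
        "predictable": predictable,
    }


def fresh_opaque_id() -> str:
    """What to issue instead: 128 bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    for label, batch in (("sequential", SEQUENTIAL_SAMPLES),
                         ("random", RANDOM_SAMPLES)):
        print(label, predictability_report(batch))
    print("replacement id:", fresh_opaque_id())
```

Run against the constructed sequential batch, the report shows a growth rate of 1/60 IDs per second and a maximum gap of 90, which is the "not random" conclusion the poster reached by hand; the random batch fails every predictability signal.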