5 Tips Bug Bounty Programs *Want* You to Know About | by d0nut


This is the only good CC0 image I could find

Demonstrate impact; if you can’t do (any) such thing, then reconsider submitting — europa

There are many so-called “vulnerabilities” that people shouldn’t report, such as logout CSRF, cookie missing secure flag, and content spoofing. A lot of the time, the aforementioned vulnerabilities are not found in a dangerous context; they don’t pose any considerable risk to the users or the website. However, such minor issues can be chained together to create an impactful vulnerability, like with the chaining of logout CSRF, the cookie missing secure flag “vulnerability”, and self-XSS; a similar chain was used by Jack Whitton on Uber. Also, who would be friends with a donut? — karimpwnz
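The quote above lists "cookie missing secure flag" as a low-value finding on its own that only matters once it is chained. From the defender's side, the cheap way to avoid that chain is to catch missing cookie attributes in review before anything is deployed. The following is an added example (not code from the original post or from any of the people quoted): a small, self-contained auditor for `Set-Cookie` header values that reports missing `Secure`, `HttpOnly` (for cookies whose name looks session-like) and `SameSite` attributes. The header values and the `SESSION_NAME_HINTS` heuristic are constructed for illustration.

```python
"""Audit Set-Cookie header values for missing hardening attributes.

Added example for this page; the sample headers below are constructed and
do not come from any real site.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Heuristic (an assumption of this example): cookie names containing one of
# these substrings are treated as session/auth cookies and held to a
# stricter standard (HttpOnly required).
SESSION_NAME_HINTS = ("session", "sess", "auth", "token", "sid")


@dataclass
class CookieFinding:
    name: str
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Split one Set-Cookie value into (cookie_name, {attr_lowercase: value}).

    Flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(header: str) -> CookieFinding:
    """Return the hardening attributes missing from one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    session_like = any(hint in name.lower() for hint in SESSION_NAME_HINTS)

    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plaintext HTTP.
        finding.issues.append("missing Secure: cookie is sent over plaintext HTTP")
    if session_like and "httponly" not in attrs:
        # Script-readable session cookies are what turns an XSS into account takeover.
        finding.issues.append("missing HttpOnly: session cookie readable by script")

    samesite = attrs.get("samesite")
    if samesite is None:
        finding.issues.append(
            "no explicit SameSite: cross-site request behaviour depends on browser defaults"
        )
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        # Modern browsers reject SameSite=None cookies that are not also Secure.
        finding.issues.append("SameSite=None without Secure: rejected by modern browsers")
    return finding


def audit_headers(headers: List[str]) -> List[CookieFinding]:
    """Audit several Set-Cookie values; only cookies with issues are returned."""
    return [f for f in (audit_set_cookie(h) for h in headers) if f.issues]


# Constructed sample responses: one weak session cookie, one hardened
# session cookie, and a non-session cookie misusing SameSite=None.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        for issue in finding.issues:
            print(f"{finding.name}: {issue}")
```

Run it on the header values captured from a staging deployment (e.g. pasted from a browser's network panel) and treat any line of output for a session cookie as a blocker; the point is that each of these attributes is trivial to set and cheap to check, so none of them should survive to the stage where a reporter has to chain them to show impact.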

Some of my bugs (e.g. OAuth) require calculating a signature and also a bunch of complicated settings before you can even verify if it’s an issue. Most of my reports are one-click no-brainers or a script that you can easily execute. — FileDescriptor

tl;dr: PoC||GTFO — europa




