Weekly Beginner / Newbie Q&A
New to bug bounty? Ask about roadmaps, resources, certifications, getting started, or any beginner-level questions here!
Recommendations for Posting:
Be Specific: Clearly state your question or what you need help with (e.g., learning path advice, resource recommendations, certification insights).
Keep It Concise: Ask focused questions to get the most relevant answers (less is more).
Note Your Skill Level: Mention if you’re a complete beginner or have some basic knowledge.
Guidelines:
Be respectful and open to feedback.
Ask clear, specific questions to receive the best advice.
Engage actively - check back for responses and ask follow-ups if needed.
Example Post:
"Hi, I’m new to bug bounty with no experience. What are the best free resources for learning web vulnerabilities? Is eJPT a good starting certification? Looking for a beginner roadmap."
Post your questions below and let’s grow in the bug bounty community!
https://redd.it/1rrupp2
@r_bugbounty
CSRF in the age of Server Actions
Hello folks,
I’ve always wanted to understand how CSRF attacks could be exploited in Next.js applications, since there’s a common myth that Next.js already protects against CSRF attacks by default.
So I spent a few weeks researching it and showed that this isn’t actually the case, along with a guide on how CSRF attacks can be exploited in Next.js applications.
It’s my first technical research article (it might be a bit niche, but it was fun to work on).
I hope it helps someone 😊
https://kapeka.dev/blog/csrf-in-the-age-of-server-actions
https://redd.it/1rruw4l
HackerOne & Bybit Bug Bounty is a Scam
HackerOne & Bybit Bug Bounty is a scam - data breach = informative
https://redd.it/1rrvmyx
I'm tired of getting dupes
I don't do automated research or AI slop, I don't look where everyone is looking, I don't report PII or data leaks, I report critical issues on mainnet (I hack web3), and I'm tired of getting my reports marked as dupes. So far I've gotten 2 dupes on critical issues; they're things like direct user fund theft without user interaction, or permanent DoS. I'm very frustrated.
Do you get this amount of dupes? Do you think this is normal?
Is there a way to sell web3 vulns, like Zero Day Initiative, or do you know a site or group that buys vulns, not exploits?
https://redd.it/1rrzbuh
Looking for a squad to crack the 1Password $1M CTF
Yo, anyone tryna team up for the 1Password million-dollar CTF?
Drop a comment or DM. Let’s get this bread 💰
https://redd.it/1rs4efg
Weekly Beginner / Newbie Q&A
New to bug bounty? Ask about roadmaps, resources, certifications, getting started, or any beginner-level questions here!
Recommendations for Posting:
Be Specific: Clearly state your question or what you need help with (e.g., learning path advice, resource recommendations, certification insights).
Keep It Concise: Ask focused questions to get the most relevant answers (less is more).
Note Your Skill Level: Mention if you’re a complete beginner or have some basic knowledge.
Guidelines:
Be respectful and open to feedback.
Ask clear, specific questions to receive the best advice.
Engage actively - check back for responses and ask follow-ups if needed.
Example Post:
"Hi, I’m new to bug bounty with no experience. What are the best free resources for learning web vulnerabilities? Is eJPT a good starting certification? Looking for a beginner roadmap."
Post your questions below and let’s grow in the bug bounty community!
https://redd.it/1ry4e3s
Weekly Collaboration / Mentorship Post
Looking to team up or find a mentor in bug bounty?
Recommendations:
Share a brief intro about yourself (e.g., your skills, experience in IT, cybersecurity, or bug bounty).
Specify what you're seeking (e.g., collaboration, mentorship, specific topics like web app security or network pentesting).
Mention your preferred frequency (e.g., weekly chats, one-off project) and skill level (e.g., beginner, intermediate, advanced).
Guidelines:
Be respectful.
Clearly state your goals to find the best match.
Engage actively - respond to comments or DMs to build connections.
Example Post:
"Hi, I'm Alex, a beginner in bug bounty with basic knowledge of web vulnerabilities (XSS, SQLi). I'm looking for a mentor to guide me on advanced techniques like privilege escalation. Hoping for bi-weekly calls or Discord chats. Also open to collaborating on CTF challenges!"
https://redd.it/1rvdhv0
First bug(s)
After 6 months of hunting and not finding a single duplicate, I didn't give up, and results came. I got 2 bounties from Snapchat, one medium and one low, and got triaged for another one. Go focus on your goals and results will eventually come.
https://redd.it/1ryc9qe
MFA not requested on mobile application
I found a bug where, if you set up MFA on your account, only the web application enforces it. The mobile application doesn't enforce it; you just log in. Is this a valid MFA bypass, and what about the severity?
https://redd.it/1ryquud
How to get invited into private bounty programs. Best advice?
Would love some recommendations about
https://redd.it/1rydrqu
New features added - Broken Object Level Authorization (BOLA) – OWASP API Security
https://manivarmacyber.github.io/blog/bola-owasp-api1/
https://redd.it/1ry3nlz
A comprehensive deep dive into Broken Object Level Authorization (BOLA). Learn how attackers exploit missing resource ownership checks in APIs to access unauthorized data.
Arbitrary file download!
There's an endpoint vulnerable to CSRF that downloads reports as XLS files.
Now I found a way to inject the content I want, and a null byte injection so I can set the extension I want,
so I can make the victim, via simple CSRF,
download any file contents with any extension.
Now I have 3 questions which I think hugely undermine this:
1st: the impact is on the victim's desktop, not the web app, so is it still reportable?
2nd: they can argue that the malicious website hosting the CSRF PoC can make the user download the file straight away without going through an extra step, so this:
malicious site => download malicious file
instead of
malicious site => vuln site => download file
3rd: of course the victim has to open the file to run the code or script in it, because I didn't find a way to make it run automatically, which undermines it A LOT.
This is the first vuln I've found like this, so I'm a bit confused about the situation.
https://redd.it/1ry6mrz
Help to get start in bug bounty
Hello,
I’ve been researching how to start bug bounty hunting. I've watched many YouTube videos and read books, but I feel like it’s not enough. I saw a course on Udemy by Nahamsec for about $34.11—is it worth purchasing? Also, do you have any suggestions on where I can learn bug bounty hunting for free?
https://redd.it/1ryvk3c
A story about how cache poisoning led to a MITM
https://blog.xss.am/2026/03/how-we-mitmd-a-crypto-exchange-platform/
https://redd.it/1rxtydl
How we MITM'd a crypto exchange platform via cache poisoning
A friend of mine, 0xdln, reached out to me with a cache poisoning issue on an OpenID autoconfiguration endpoint, /.well-known/openid-configuration, on a public program on Bugcrowd that he was struggling to showcase an impact for, so we decided to dig deeper.
Looking for a triager or senior bug hunter for questions
I'm looking to ask serious questions about both sides of the fence, because I'm sick and tired of submitting serious reports I've poured days or weeks into and either getting shut down or being marked N/A when they're clearly in scope of a program, and then they get silently patched within a week.
https://redd.it/1rycjmb
Just an update to a previous post about bugcrowd
So when I asked Bugcrowd to supply me with a "victim" account for the program I was doing work for, vs. me supplying victim and attacker accounts (because I would have to load funds I don't have onto the victim account), they closed the report saying I failed to provide enough information. Is that not a straightforward request? It shouldn't be up to the researchers to pay for shit when 90% of the time they fuck us and we don't get paid.
https://redd.it/1rybiwm
Bugcrowd rant
So yesterday they closed my P1 because I didn't provide the Tx hash and told me to reopen it when I could provide the hash. So I opened a new ticket as they said, and they closed it as NA when it shows the proof with the testnet they requested:
Thank you for your submission. After reviewing your report with the team, we are closing this as Not Applicable. The behavior you described is the intended functionality of the API, and the threat model relies on a misunderstanding of where the security boundary lies in this interaction.
The get_token_swap_quote endpoint operates purely as a stateless utility. It calculates the necessary routing and outputs the required calldata to perform a specific swap. Generating this calldata does not execute a transaction, nor does it move any funds.
To exploit this, an attacker would have to deliver this generated payload to a victim and socially engineer them into signing it via their wallet. Because the security boundary relies entirely on the user's private key signature, the API does not require a JWT to calculate the payload. Furthermore, a malicious actor does not need this API to execute this attack; they could construct the exact same malicious execute() calldata locally using standard Web3 libraries (like ethers.js).
We value your expertise and look forward to reviewing your future findings. Good luck!
Best regards,
- Tal_Bugcrowd
https://redd.it/1rz79wq
To the gent that shared xpfarm
You are amazing. I've upgraded its arsenal to 70+ tools, and it's doing seriously good work.
https://redd.it/1rzfg51
Is bug bounty really worth it?
Hey everyone,
So basically I was a bug bounty hunter for about 5 months and I got informationals and some medium-severity duplicates across different programs. Now I'm starting once again after a long break, so I'm willing to ask you guys some questions regarding the field and how you feel about it:
1- First of all, how much do you guys get paid monthly, approximately, by doing bug bounty, how much experience do you have, and do you think it's proportional to the work you're putting in? (It really helps knowing this so I can know what to realistically expect from such a competitive field and how people think about it.)
2- Is the 2025 OWASP Top 10, or the OWASP Top 10 in general, really useful if I'm willing to focus on it instead of re-learning old attacks and techniques I knew before?
3- How many valid bugs can someone realistically get after a whole year of research, CTFs and coding knowledge? (And is 1 year too much to start hunting?)
4- Do you guys feel like bug bounty will be much harder in the next years and only reserved for elite groups (private programs, for example)?
So yeah, I tried to summarize as much as I could so it won't be really long to read. Happy hunting everyone!
https://redd.it/1rzwt0c