I only got "duplicate"
Hello friends,
The last 5 bugs (P3) I found appeared to be duplicates. And for the last two, the time difference was only about 1 day. It was both on hacker1 and ysw. Is the bug bounty scene that overcrowded? Is it normal?
https://redd.it/1rrltc4
@r_bugbounty
Is Low-User to NT AUTHORITY\NETWORK SERVICE a valid PrivEsc?
Hi everyone,
I’ve found a way to escalate from a low-privilege user to NT AUTHORITY\NETWORK SERVICE via a service vulnerability. Since NETWORK SERVICE is still a restricted account, I’m wondering:
1. Is this transition generally considered a valid Privilege Escalation (LPE)?
2. Should I report this to the vendor as-is, or is it likely to be marked as "Informational" unless I can chain it to reach SYSTEM?
I’d appreciate any insights from those who have submitted similar reports. Thanks!
https://redd.it/1rrdw8e
@r_bugbounty
Program triaging Critical ATO as duplicate of 2-year-old unresolved Medium — what are my options?
I reported a mass ATO vulnerability on a gambling platform — no user interaction required, no race condition, no 2FA enforced, with easy username/email enumeration, 100% reproducible with full PoC. Trivial to exploit at scale.
The program triager picked it up and closed it as a duplicate (let's say ID 123) of a Medium that has been sitting in Triage for 2 years with the title "redacted", which is suspicious on its own. A gambling platform where users hold real funds leaving a trivial ATO unresolved for 2 years is already hard to justify.
I asked for transparency on what the original report actually is — ghosted. Requested mediation — ghosted.
Opened a new report with stronger impact demonstrated. This time an H1 triager picked it up, verified the vulnerability, and escalated it to the program — meaning they found no duplicate. Then a day later it gets closed as duplicate of nothing and he only mentioned the ID 123 in his comment, the panel shows no metadata, no severity, no status, no ID, nothing. Like the triager doesn't even have access to the original report to verify if it's actually true.
At this point I've exhausted every official channel — mediation ignored, program unresponsive, zero transparency on what the original report even is.
I know giving up is the easier option, but I have to deal with similar cases on all my reports... Bearing in mind it was reported during an active campaign, and such bounties start from around $40K, it's hard to pretend I'm blind.
What are my actual options here? Is there precedent for escalating this kind of situation?
https://redd.it/1rrn94h
@r_bugbounty
Active subdomain with no DKIM + DMARC p=none. Is it worth deeper testing or move on?
Wassup guys,
I came across an active marketing subdomain (used with HubSpot) that looks weak from an email authentication standpoint:
1. No DKIM records on the subdomain (NXDOMAIN)
2. No SPF record on the subdomain itself; root domain SPF includes HubSpot
3. DMARC exists at root but is set to p=none (so no enforcement)
4. Subdomain inherits that policy
So effectively, it’s relying only on SPF via the root and has no DKIM + no DMARC enforcement.
I haven’t demonstrated clean inbox spoof delivery yet and this is just based on DNS analysis so far.
From a bug bounty ROI perspective, what would you do?
A) Spin up a VPS and properly test real-world deliverability to try for Medium.
B) Report the DNS misconfiguration as informational / possible Low and move on (the program is generous)
C) Skip it entirely and focus on something more deterministic
Trying to avoid sinking time into something that’s likely a dead end.
Would appreciate practical advice from people who’ve had similar findings triaged recently.
https://redd.it/1rrcgnw
@r_bugbounty
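The inheritance the post describes (no DMARC record on the subdomain, so the root record's policy applies) is what a receiving mail server resolves per RFC 7489. The following is an added example, not code from the post: it evaluates the effective DMARC policy and SPF presence for a subdomain from constructed TXT answers, including the `sp` tag that would fix the inheritance. The domain names and the organizational domain passed in are assumptions.

```python
"""Effective DMARC policy for a subdomain, as a receiver would resolve it.

Added example, not code from the post. The TXT answers below are constructed
to mirror the posture described above: DMARC only at the root with p=none,
no SPF on the subdomain, root SPF including a third-party sender.
"""

# Constructed DNS TXT answers keyed by name; an absent key means no record.
TXT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.sender.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    # "marketing.example.com" and "_dmarc.marketing.example.com": nothing
}


def lookup_txt(records, name):
    """Return the TXT strings published at name (empty list if none)."""
    return records.get(name, [])


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; sp=reject' into {'v': 'DMARC1', 'p': 'none', ...}.
    Returns None when the string is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def find_dmarc(records, name):
    """First valid DMARC record at _dmarc.<name>, or None."""
    for txt in lookup_txt(records, "_dmarc." + name):
        parsed = parse_dmarc(txt)
        if parsed is not None:
            return parsed
    return None


def effective_dmarc_policy(records, domain, org_domain):
    """Resolve the policy applied to mail from `domain` (RFC 7489 s6.6.3):
    the domain's own record wins; otherwise the organizational domain's
    record applies, and its `sp` tag, when present, overrides `p` for
    subdomains. Returns (policy, record_name) or (None, None).
    `org_domain` is passed in; real code derives it from the public suffix list."""
    own = find_dmarc(records, domain)
    if own is not None:
        return own.get("p", "none").lower(), "_dmarc." + domain
    if domain != org_domain:
        org = find_dmarc(records, org_domain)
        if org is not None:
            policy = org.get("sp") or org.get("p", "none")
            return policy.lower(), "_dmarc." + org_domain
    return None, None


def has_spf(records, name):
    """True when a v=spf1 record is published directly at name."""
    return any(t.lower().startswith("v=spf1") for t in lookup_txt(records, name))


def assess(records, domain, org_domain):
    """Summarise the email-authentication posture of a sending subdomain."""
    policy, source = effective_dmarc_policy(records, domain, org_domain)
    return {
        "spf_on_subdomain": has_spf(records, domain),
        "spf_on_org_domain": has_spf(records, org_domain),
        "dmarc_policy": policy,
        "dmarc_source": source,
        "dmarc_enforced": policy in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    for key, value in assess(TXT_RECORDS, "marketing.example.com", "example.com").items():
        print(f"{key}: {value}")
```

Adding `sp=reject` (or raising `p`) at the root record is the change that turns the inherited `none` into an enforced policy for every subdomain without its own record.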
How to show an S3 bucket takeover PoC without an AWS account
I requested a bucket URL, but the response was: No such bucket. The specified bucket does not exist.
I think that means an S3 bucket takeover might be possible.
But the problem is I have no credit card and no AWS account to create the bucket. Could you please suggest other ways to show a PoC?
https://redd.it/1rqz6x4
@r_bugbounty
Strange behavior in email change flow – Is this reportable?
Hi everyone, I came across a behavior that made me wonder if it should be considered a valid security issue. I wanted to get your opinion before thinking about submitting a report.
What happened:
I created an account with Email A.
I requested to change the email to Email B.
The system sent an OTP to confirm the change, but I did not enter the code.
I restarted the email change process to Email B again.
A new OTP was sent.
I tried using the old OTP instead of the newaccepted it, completing the email change.
Why this seems problematic:
My question: is this considered a valid security issue and reportable? Or is this expected behavior in the system’s flow?
https://redd.it/1rr48wt
@r_bugbounty
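The sequence above (request a change, request it again, then submit the first code) is the check that decides whether the service's OTP handling is sound. The following is an added example, not the affected system's code: a store that keeps every issued code, reproducing the reported behaviour, beside one that invalidates the previous code on re-request and binds each code to a single use, a target address and an expiry. Class and method names are hypothetical.

```python
"""Email-change OTP handling: the pattern described above beside a fix.

Added example, not the affected system's code; class and method names are
hypothetical. Timestamps are passed in as integers so the flow runs offline.
"""
import hmac
import secrets


def new_otp():
    """Six-digit code from a CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"


class LeakyOtpService:
    """Keeps every code it ever issued, so a code superseded by a re-request
    remains valid until its own expiry: the behaviour reported above."""

    def __init__(self):
        self.pending = {}  # user_id -> list of (otp, new_email, expires_at)

    def request_change(self, user_id, new_email, now):
        otp = new_otp()
        self.pending.setdefault(user_id, []).append((otp, new_email, now + 600))
        return otp

    def confirm(self, user_id, otp, new_email, now):
        for code, email, expires_at in self.pending.get(user_id, []):
            if code == otp and email == new_email and now < expires_at:
                return email  # an older, superseded code still gets through
        return None


class StrictOtpService:
    """One pending change per user: a re-request overwrites the previous
    code; codes are single-use, time-limited, bound to the target address,
    compared in constant time, and guessing is capped."""

    TTL_SECONDS = 600
    MAX_ATTEMPTS = 5

    def __init__(self):
        self.pending = {}  # user_id -> {otp, new_email, expires_at, attempts}

    def request_change(self, user_id, new_email, now):
        otp = new_otp()
        # Overwrite, never append: only the most recent code can be used.
        self.pending[user_id] = {"otp": otp, "new_email": new_email,
                                 "expires_at": now + self.TTL_SECONDS,
                                 "attempts": 0}
        return otp

    def confirm(self, user_id, otp, new_email, now):
        entry = self.pending.get(user_id)
        if entry is None or now >= entry["expires_at"]:
            self.pending.pop(user_id, None)
            return None
        entry["attempts"] += 1
        if entry["attempts"] > self.MAX_ATTEMPTS:
            del self.pending[user_id]  # too many guesses: start over
            return None
        if (not hmac.compare_digest(entry["otp"], otp)
                or entry["new_email"] != new_email):
            return None
        del self.pending[user_id]  # single use: consumed on success
        return new_email


def old_code_accepted(service):
    """Replay the reported sequence: request, request again, then submit
    the FIRST code. True means the superseded code was accepted."""
    t0 = 1_700_000_000
    first = service.request_change("user-1", "b@example.com", t0)
    second = service.request_change("user-1", "b@example.com", t0 + 60)
    while second == first:  # make sure the two codes really differ
        second = service.request_change("user-1", "b@example.com", t0 + 60)
    return service.confirm("user-1", first, "b@example.com", t0 + 120) is not None


if __name__ == "__main__":
    print("leaky accepts old code:", old_code_accepted(LeakyOtpService()))
    print("strict accepts old code:", old_code_accepted(StrictOtpService()))
```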
Password reset token exposed — would this be considered informative?
Hey everyone,
During my testing, I noticed something that left me unsure about the real impact:
I requested a password reset, and when opening the link, I noticed that the reset token was being sent to third parties (via external requests).
However, to actually change the password, you must correctly answer the secret question set during account registration.
Additionally, the link expires in 20 minutes.
Given this, I’m not sure if this would be considered only an informational risk or if it could get any credit in a bug bounty program.
I’d love to hear your thoughts!
https://redd.it/1rrtkm7
@r_bugbounty
Weekly Beginner / Newbie Q&A
New to bug bounty? Ask about roadmaps, resources, certifications, getting started, or any beginner-level questions here!
Recommendations for Posting:
Be Specific: Clearly state your question or what you need help with (e.g., learning path advice, resource recommendations, certification insights).
Keep It Concise: Ask focused questions to get the most relevant answers (less is more).
Note Your Skill Level: Mention if you’re a complete beginner or have some basic knowledge.
Guidelines:
Be respectful and open to feedback.
Ask clear, specific questions to receive the best advice.
Engage actively - check back for responses and ask follow-ups if needed.
Example Post:
"Hi, I’m new to bug bounty with no experience. What are the best free resources for learning web vulnerabilities? Is eJPT a good starting certification? Looking for a beginner roadmap."
Post your questions below and let’s grow in the bug bounty community!
https://redd.it/1rrupp2
@r_bugbounty
CSRF in the age of Server Actions
Hello folks,
I’ve always wanted to understand how CSRF attacks could be exploited in Next.js applications, since there’s a common myth that Next.js already protects against CSRF attacks by default.
So I spent a few weeks researching it and showed that this isn’t actually the case, along with a guide on how CSRF attacks can be exploited in Next.js applications.
It’s my first technical research article (it might be a bit niche, but it was fun to work on)
I hope it helps someone 😊
https://kapeka.dev/blog/csrf-in-the-age-of-server-actions
https://redd.it/1rruw4l
@r_bugbounty
HackerOne & Bybit Bug Bounty is Scam
HackerOne & Bybit Bug Bounty is Scam - data breach = informative
https://redd.it/1rrvmyx
@r_bugbounty
I'm tired of getting dupes
I don't do automated research or AI slop, I don't look where everyone is looking, I don't report PII or data leaks, I report critical issues on mainnet (I hack web3), and I'm tired of getting my reports duped. For the moment I've got 2 dupes on critical issues; they're things like direct user fund theft without user interaction, or permanent DoS. I'm very frustrated.
Do you get this amount of dupes? Do you think this is normal?
Is there a way to sell web3 vulns, like zerodayinitiative, or do you know a site or group that buys vulns, not exploits?
https://redd.it/1rrzbuh
@r_bugbounty
looking for a squad to crack the 1password $1M CTF
yo anyone tryna team up for the 1password million dollar ctf?
drop a comment or DM. let’s get this bread 💰
https://redd.it/1rs4efg
@r_bugbounty
Weekly Beginner / Newbie Q&A
New to bug bounty? Ask about roadmaps, resources, certifications, getting started, or any beginner-level questions here!
Recommendations for Posting:
Be Specific: Clearly state your question or what you need help with (e.g., learning path advice, resource recommendations, certification insights).
Keep It Concise: Ask focused questions to get the most relevant answers (less is more).
Note Your Skill Level: Mention if you’re a complete beginner or have some basic knowledge.
Guidelines:
Be respectful and open to feedback.
Ask clear, specific questions to receive the best advice.
Engage actively - check back for responses and ask follow-ups if needed.
Example Post:
"Hi, I’m new to bug bounty with no experience. What are the best free resources for learning web vulnerabilities? Is eJPT a good starting certification? Looking for a beginner roadmap."
Post your questions below and let’s grow in the bug bounty community!
https://redd.it/1ry4e3s
@r_bugbounty
Weekly Collaboration / Mentorship Post
Looking to team up or find a mentor in bug bounty?
Recommendations:
Share a brief intro about yourself (e.g., your skills, experience in IT, cybersecurity, or bug bounty).
Specify what you're seeking (e.g., collaboration, mentorship, specific topics like web app security or network pentesting).
Mention your preferred frequency (e.g., weekly chats, one-off project) and skill level (e.g., beginner, intermediate, advanced).
Guidelines:
Be respectful.
Clearly state your goals to find the best match.
Engage actively - respond to comments or DMs to build connections.
Example Post:
"Hi, I'm Alex, a beginner in bug bounty with basic knowledge of web vulnerabilities (XSS, SQLi). I'm looking for a mentor to guide me on advanced techniques like privilege escalation. Hoping for bi-weekly calls or Discord chats. Also open to collaborating on CTF challenges!"
https://redd.it/1rvdhv0
@r_bugbounty
First bug(s)
After 6 months of hunting and not finding a single duplicate, I didn't give up and results came. I got 2 bounties from Snapchat, one medium and one low, and got triaged for another one. Go focus on your goals and results will eventually come.
https://redd.it/1ryc9qe
@r_bugbounty
MFA not requested on mobile application
I found a bug where, if you set up MFA on your account, only the web application enforces it. The mobile application doesn't enforce it; you just log in. Is this a valid MFA bypass, and what about the severity?
https://redd.it/1ryquud
@r_bugbounty
How to get invited into private bounty programs. Best advice?
Would love some recommendation about
https://redd.it/1rydrqu
@r_bugbounty
New features added - Broken Object Level Authorization (BOLA) – OWASP API Security
https://manivarmacyber.github.io/blog/bola-owasp-api1/
https://redd.it/1ry3nlz
@r_bugbounty
Arbitrary file download!
There's an endpoint vulnerable to CSRF that downloads reports as XLS files.
Now I found a way to inject the content I want, and with null byte injection I can set the extension I want,
so I can make the victim, via simple CSRF,
download any file contents with any extension.
Now I have 3 questions which I think hugely undermine this:
1. The impact is on the victim's desktop, not the web app, so is it still reportable?
2. They can argue that the malicious website hosting the CSRF PoC can make the user download the file straight away without the extra step, so this:
malicious site => download malicious file
instead of
malicious site => vuln site => download file
3. Of course the victim has to open the file to run the code or script in it, because I didn't find a way to make it run automatically, which undermines it A LOT.
This is the first vuln I've found like this, so I'm a bit confused about the situation.
https://redd.it/1ry6mrz
@r_bugbounty
Help to get start in bug bounty
Hello,
I’ve been researching how to start bug bounty hunting. I've watched many YouTube videos and read books, but I feel like it’s not enough. I saw a course on Udemy by Nahamsec for about $34.11—is it worth purchasing? Also, do you have any suggestions on where I can learn bug bounty hunting for free?
https://redd.it/1ryvk3c
@r_bugbounty
A story about how cache poisoning led to a MITM
https://blog.xss.am/2026/03/how-we-mitmd-a-crypto-exchange-platform/
https://redd.it/1rxtydl
@r_bugbounty