Critical Bug Bounty Reports: Part 1
Short Write-Ups On P1/Critical Bugs I’ve Submitted to Bounty Programs

This month marks 2 years of formal Bug Bounty hunting for me, with my first report submitted to a program on Bugcrowd on July 27, 2019. That report was marked Not Applicable, and to this day I’m genuinely bewildered the company hasn’t fixed it. I followed that up with a report marked P4 / Informational for a subdomain with an exposed web.config file. Exciting stuff (not really). My first 10 reports had an average severity rating of 3.7 with 1 N/A, 5 Informational, and the remaining 4 accepted.
Today, I’ve made it into the top 200 in Bugcrowd’s all-time ranking with 134 accepted vulnerabilities, including 20 P1s. Looking back on my first reports, I’m amazed at how much I’ve grown both in finding hard-hitting vulnerabilities AND in writing compelling reports that drive home the impact (or why the company should care). In my still relatively short experience, I’ve found that impact drives severity as much as, or sometimes more than, the class of vulnerability. With that in mind, I decided to share high-level write-ups of all of the Critical severity bugs I’ve submitted to Bug Bounty programs over the last two years, with the goal of helping you take your hunt to the next level.