BugUnstuck

53 posts

@BugUnstuck
Stuck on a vuln? Get elite second eyes. Private collab rooms, exploit chaining, real impact. Built for serious bug bounty hunters. Finish the bug.

World Wide Web · Joined November 2018
3.4K Following · 880 Followers
Abraham
Abraham@abrahamonchain·
Building my tech circle. Looking for people who are:
- coding
- designing
- solving
- building
- bug hunter
- auditor
- security researcher
If you're into tech, dev, AI, data, or startups, let's connect🤝
BugUnstuck
BugUnstuck@BugUnstuck·
By: s3nt1n3l
Confidence: 68/100
Platform: @Hacker0x01
Status: STUCK!

Mutation IDOR on financial operations - need authenticated session to validate

Digital banking platform (US neobank). Mapped GraphQL mutations for critical financial operations: draft transaction deletion, tip refunds, and peer-to-peer transfers. Each mutation accepts a target ID parameter that may not be validated against the authenticated user's ownership. Three test scripts are ready to check for IDOR on:
(1) delete_draft - can you delete another user's pending transaction?
(2) refund_tip - can you trigger a refund on another user's tip?
(3) P2P transfer manipulation - can you alter the recipient or amount?
Every mutation requires valid authenticated session cookies. QA account enrollment was declined. If any IDOR vector confirms, this is a P1/P2 financial impact finding. Need someone with an active account who can execute pre-written Python scripts against the GraphQL endpoint.
Brandon Rossi
Brandon Rossi@0xConda·
Duplicate on a critical. GG
BugUnstuck
BugUnstuck@BugUnstuck·
@xKeywordx Momentum days are real. Once you get into the flow it's like your brain switches into exploit mode.
Keyword 💙🛠️
Keyword 💙🛠️@xKeywordx·
Today is one of those flawless days. 13 PM and I already have 10+ confirmed bugs in my list, all proven with POCs. Great for me, bad for the protocol. I'm happy and sad at the same time. Auditors can relate!
BugUnstuck
BugUnstuck@BugUnstuck·
Most hunters look for vulnerabilities. The best hunters look for assumptions.
Olayoomomota
Olayoomomota@Alena_Kartava·
🚨 Sova Bug Bounty Program is Live! Help the team make Sova the most reliable cross-chain bridge in Web3. If you notice any glitches, errors, or visual bugs while using SOVA, your feedback can help improve the entire ecosystem. @SovaBTC
BugUnstuck
BugUnstuck@BugUnstuck·
@zwanski_m Respect the grind. Bug bounty is one of the few merit-based paths left.
zwanski
zwanski@zwanski_m·
I have real skills, certifications & will to work in cybersecurity/bug bounty—but zero rights here to work legally. Self-taught IT specialist focused on web security. Check my HackerOne: hackerone.com/zwanski I just need someone to see this & help. #Cybersecurity #BugBounty
zwanski
zwanski@zwanski_m·
My name is Mohamed Ibrahim. I'm a cybersecurity professional sleeping on the street in Tunis, Tunisia. I earned real money from bug bounty (incl. Swiss gov program) but can't receive it—no ID docs. I'm a human trafficking victim. UNHCR has my file. #HumanRights #AsylumSeeker
SaveSage
SaveSage@savesage_club·
SaveSage Bug Bounty is Live! Found incorrect data on SaveSage? 🔍 Report it and earn ₹250 for every verified data bug. With 700+ credit cards and 75+ loyalty programs tracked on the platform, your help keeps the information accurate for everyone.

What can you report?
• Incorrect credit card details → charges, rewards, lounge access, benefits, bank contacts, milestones
• Loyalty program info → tiers, points expiry, transfer partners, earn & redemption partners

How to report 📱
Open SaveSage App → Profile → Contact Support → Bug Bounty
Share the card/program name, incorrect section, what’s wrong, and proof (official link or screenshot).

Reward 💰
₹250 will be credited to your SaveSage wallet within 7 working days after verification. Wallet balance can be used for credit card bill payments or utility bill payments (up to 5% of the total bill amount). Cashback validity: 31 days.

Important 📌
• Proof from official sources required
• Verification may take up to 7 working days
• First valid reporter gets the reward
• Typos or UI issues don’t qualify

Every bug reported helps keep SaveSage reliable for our users. Report it now → savesage.co/xJeJCg16BZb
Essential
Essential@only01Essential·
Bug Bounty 101: Don't hunt on what everyone else is currently looking at.
BugUnstuck
BugUnstuck@BugUnstuck·
@zonduu1 That’s the dream scenario 😅 Find once → weaponize → sweep programs. Hope you hit multiple before the wave starts.
BugUnstuck
BugUnstuck@BugUnstuck·
@sin99xx GG 🔥 Consistency pays. 1 valid finding > 100 duplicates. Keep hunting.
sin99xx
sin99xx@sin99xx·
Rewarded in one weeeeeeeeeeeeek
BugUnstuck
BugUnstuck@BugUnstuck·
@the_IDORminator @Bugcrowd Supplemental assets announcements are basically recon season. Interesting how many “quick wins” later turn into full chains.
the_IDORminator
the_IDORminator@the_IDORminator·
T-mobile just added like 100 sites into its supplemental assets on @Bugcrowd -- I'd head there ASAP... bugcrowd.com/engagements/t-… I'm still on #bugbounty break so I need you all to go out there and get the bugs for me! If I were me, and I am, I'd start with search engine dorking interesting domains (duckduckgo, yandex, yahoo) and see if you can find any easy wins. Use GAU, Waymore, etc -- quick exploration mode GO.
BugUnstuck
BugUnstuck@BugUnstuck·
@bts_leandro Respect. Some of the most valuable bugs are the ones that feel unfinished.
kstack
kstack@bts_leandro·
First bounty 😃 I expected more from this bug, but it's okay.
BugUnstuck
BugUnstuck@BugUnstuck·
@Krevetk0Valeriy @Hacker0x01 Respect. Turning weird behavior into real impact is the hardest part of bounty. Many good bugs die right before submission.
BugUnstuck
BugUnstuck@BugUnstuck·
@Zaddyzaddy Nice momentum 🔥 Curious how many promising findings still get abandoned before report stage. We’re trying to help hunters bring extra eyes when they get stuck → bugunstuck.com
Z A D D Y
Z A D D Y@Zaddyzaddy·
Over the last 14 days, our BugBunny collective submitted 37 HackerOne reports. So far:
- 7 payouts received
- 25 reports still open
- 7 bounties pending
We're opening 10 free beta slots for experienced bounty hunters who want to test BugBunny on permitted targets. Reply "beta" or DM.
Intigriti
Intigriti@intigriti·
what's your most used bug bounty tool? 😎
BugUnstuck retweeted
Tur.js
Tur.js@Tur24Tur·
Hello, the agent found multiple XSS on an open source project on GitHub. I deployed it locally on Docker and set up one account. After the agent found the XSS, I told him to write the steps he followed to be shared with everyone. It was an interesting one: how he navigated the website step by step and linked the pieces together to achieve an exploit. Whenever I find any interesting results, I'll make sure to share them.

Finding Stored XSS in a CMS — An Automated Agent's Approach

TLDR
- Target: a modern CMS using Vue.js frontend
- Found 2 stored XSS in 22 minutes (157 tool calls)
- Root cause: asset title rendered via v-html without escaping
- Impact: session hijacking (no HttpOnly cookie), admin takeover

How It Went
1. Logged in, checked headers — no CSP, no HttpOnly on session cookie. Vue.js frontend means auto-escaping by default, so I needed to find where the app opts out.
2. Downloaded all JS files and grepped for dangerous sinks: innerHTML, v-html, insertAdjacentHTML. Most were sanitized or safe. One file stood out — the asset field renderer built raw HTML with template literals and fed it into v-html.
3. Tested many surfaces that did NOT work: model names, content fields, WYSIWYG editor, login redirects, API errors, color/tag fields — all escaped or stripped.
4. Found the gap: asset titles go into the render function unsanitized. Uploaded a text file, set the title to `` (29 chars, fits the 30-char truncation limit). Linked it to a content item. Visited the items list — alert fired.
5. Confirmed impact: document.cookie is readable (no HttpOnly), no CSP blocking inline scripts. Any user with asset permissions can plant the payload, and it fires when any admin views the page.

Key Takeaways
1. Source code analysis beats blind fuzzing — reading JS files and finding the exact sink saved hours.
2. v-html is the Vue XSS keyword — every v-html that touches user data is a potential bug.
3. Template literals are just string concatenation — they do not escape HTML.
4. Asset metadata is an overlooked input surface — most testers focus on content fields and URL params.
5. Truncation is not sanitization — 29 characters is plenty for an XSS payload.

#BugBounty #AgenticAI #InfoSec
Tur.js@Tur24Tur

Spent the last few weeks building an XSS hunting agent using Claude Agent SDK. Custom tools for param discovery, CSP analysis, context detection, and browser-based confirmation. Solved expert-level PortSwigger challenges in under 15 minutes + Found 2 DOM XSS on a real target in 5 minutes Still struggles against heavy WAFs Resources that helped: anthropic.com/engineering/bu… platform.claude.com/cookbook/patte… #BugBounty #AgenticAI #InfoSec

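The render path described in the retweeted thread (an asset title interpolated into an HTML string via a template literal, then handed to v-html), as an added example that is not the agent's code or the CMS's: a constructed vulnerable renderer beside one that escapes the title before interpolation, plus a check showing that the 30-character truncation alone leaves markup intact. All function names and the sample asset are hypothetical.

```javascript
// Added example, not code from the post or the CMS it describes.
// Models the sink the thread points at: an asset title dropped into an
// HTML string by a template literal, which v-html then inserts as markup.
// Names (renderAssetRowVulnerable, renderAssetRowSafe, etc.) are hypothetical.

const TITLE_LIMIT = 30; // truncation limit quoted in the post

// Truncation only shortens a value; it never neutralizes markup in it.
function truncateTitle(title) {
  return title.length > TITLE_LIMIT ? title.slice(0, TITLE_LIMIT) : title;
}

// Vulnerable pattern: a template literal is plain string concatenation,
// so whatever is in the title becomes live markup once v-html inserts it.
function renderAssetRowVulnerable(asset) {
  return `<li class="asset" data-id="${asset.id}">${truncateTitle(asset.title)}</li>`;
}

// Hardened pattern: escape every untrusted value before interpolation,
// so user text stays text even though the string still goes through v-html.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderAssetRowSafe(asset) {
  return `<li class="asset" data-id="${escapeHtml(asset.id)}">${escapeHtml(truncateTitle(asset.title))}</li>`;
}

// Defender-side check for this template: a rendered row should contain
// exactly the two tags the template itself provides (<li ...> and </li>).
// Any extra '<' means user data was rendered as markup.
function containsForeignMarkup(html) {
  return (html.match(/</g) || []).length > 2;
}

// Constructed sample: harmless markup in the title, 23 chars, under the limit.
const sampleAsset = { id: 42, title: '<i>quarterly</i> report' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderAssetRowVulnerable(sampleAsset)); // tags survive
  console.log(renderAssetRowSafe(sampleAsset));       // tags escaped
}
```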