Mohamed Yusuf

671 posts

@Edx103

Bug Bounty Hunter | Finding Bugs

Somalia · Joined November 2020
2.3K Following · 743 Followers
Pinned Tweet
Mohamed Yusuf@Edx103·
After 4 months, 28 rejected reports, countless sleepless nights, and moments I almost gave up… Today, I finally got my first valid bug. One triaged report. One step closer to my dream. Bug bounty is hard, but giving up is harder. This is just the beginning. 🚀 #BugBounty
Mohamed Yusuf retweeted
Rahmat Qurishi@RahmatQurishi·
all easy bugs, just reading js files, copying endpoints, and throwing them into repeater 😅
Mohamed Yusuf retweeted
Eyad@Eyax0·
My first payout $$$$ on @Bugcrowd 🖤
Mohamed Yusuf retweeted
Vishal Vishwakarma@rootxvishal·
🔥 Ultimate IDOR Testing Checklist 🔥
📌 mrdesoky0.notion.site/Ultimate-IDOR-…
IDOR is still one of the most impactful bugs in bug bounty. Many critical findings start by simply changing an ID in a request.
💡 This checklist covers:
✔️ ID & UUID manipulation
✔️ API & version bypasses
✔️ Multi-account testing
✔️ GraphQL & WebSocket
✔️ Race conditions & batch abuse
✔️ Mobile, gRPC & blind IDOR
If you want high-impact bugs, don’t skip this. 🚀
#bugbountytips #bugbounty #infosec #cybersec
Mohamed Yusuf retweeted
Lagan Parihar@lagan_parihar·
$600 bounty from a simple misconfiguration found during recon. Exposed database credentials, company's internal Zoom meetings and some KT sessions. #bugbounty #infosec
P4@wearehackerone·
Test 50 endpoints Find NOTHING
أسامة 🇵🇸@pent0ss·
There's nothing better than coming home on leave from the army and finding the bounty waiting for you 🤤😂 Praise be to God, the Bestower, the Giver ❤😍 First bounty at @Bugcrowd
yoyomiski@yoyomiski·
Today triaged 4 bugs
> 2 bugs, IDOR and LFI, were found using AI. It discovered issues that I had previously missed during manual testing — really amazing 🥳🥳
> 2 bugs were found manually as usual
Let’s keep pushing forward! #bugbounty #AI #IDOR #LFI
Mohamed Yusuf@Edx103·
@Bugcrowd why does it sometimes take your triage team about a week to triage my submissions? My report has been waiting for triage even though the program lists an expected triage time?
bugcrowd@Bugcrowd·
Me when I see all the new bug bounty programs on Bugcrowd
Mohamed Yusuf@Edx103·
How long does it usually take for the @Bugcrowd triage team to review a report? My submission has been in triage for about a week even though the program has an expected triage time. Is this normal? #bugbounty
Mohamed Yusuf@Edx103·
It has been 1 month since my report was triaged by the @Bugcrowd triage team, but @intercom has not provided any response or taken any action on the submitted report. Hi intercom internal security team @intercom Could you please check the status and provide an update?
root@AkashHamal0x01:~/ # 🇵🇭@AkashHamal0x01·
Hunting on Bugcrowd be like:
- 1 week gaps between replies = late triage
- No manual severity? Found a vulnerability that is P2 or P1 but impact is not in VRT category? congratulations you cannot select severity and now your report will take like 1 week to be seen
Mohamed Yusuf retweeted
Patrickbatman@hamidonsolo·
I made close to $10,000 from bug bounties this month. I'm 19. Still in engineering school.

Here's what I didn't show you.

I found a Critical RCE — Remote Code Execution via path traversal on a company's server. The kind of bug that pays $5,000-$20,000.

Duplicate. Someone found it 12 days before me. $0.

Same work. Same skill. Same report. Wrong timing.

That's one of dozens. For every bounty I post, there are 15+ reports that got:
→ Duplicated
→ Marked informative
→ Ignored for months
→ Closed as "not applicable"
→ Lowballed after months of follow-ups

But you know what I do when that happens? I wake up. No emotion. No hate. I open Burp Suite. Next target. Next report.

Because if I don't, someone else will. Every day I take off is a day someone else dupes me on the next find. So I show up. Even when I don't feel like it. Even when it hurts.

Bug bounty is not "find bug, get paid." It's find 50 bugs, fight for 6, get duped on some of your best work, get ghosted on others, and still show up the next morning.

The $10K months are real. But behind every mountain is a hundred steps nobody sees.

If you're starting out and getting duped and rejected — that IS the path. You're not doing it wrong. You're doing it. Keep going.
Mohamed Yusuf retweeted
Patrickbatman@hamidonsolo·
Bug bounty tip most beginners don't know:
Don't hack Google. Don't hack Apple. Don't hack Facebook.
Start with small startups on HackerOne that have 0-5 hackers looking at them. Less competition = faster first bounty even public programs.
I found my first bug in a program after 1 month full time. Paid $2500.
Next post: how to find YOUR bug type — the one thing you get so good at that money becomes inevitable. Subscribe to be alerted when it comes.
Hugo Picanzo@hugopicanzo·
@Edx103 @Bugcrowd So fast! How much time between you reporting and that final answer? I’m starting to think that I have a bad taste when choosing programs