Jenish Sojitra

2.1K posts

@_jensec

$2M in bug bounty. Offensive Security researcher. Product developer who likes Building in Public. Creator of https://t.co/0N9TViCzQ4

Joined July 2017
584 Following, 24.5K Followers
Pinned Tweet
Jenish Sojitra (@_jensec):
Last month was my highest in bug bounty so far, with almost $131k in bounty. Total paid reports: 18. Average reward: $7.3k. Category: most were logical findings via reversing mobile applications and discovering internal endpoints leading to code execution, missing auth, etc.
Jenish Sojitra retweeted
drop (@dropn0w):
Oh god... Triagers, I feel your pain.
Jenish Sojitra retweeted
Aastha (@Paaastha):
Hey @Hacker0x01, huge shoutout to triager "h1_analyst_malenia" 🌟 I'm seriously impressed by the level of professionalism, technical expertise and empathy they've shown over the past few months. Thank you!
Google (@Google):
Gemini 3.5 Flash is built to help you execute complex, agentic workflows. 3.5 Flash rivals flagship models to deliver frontier performance for agents and coding, at the lightning speeds you expect from the Flash series.
Google (@Google):
Meet Gemini 3.5 Flash — our strongest agentic and coding model yet. It delivers frontier-level performance at 4x the speed of comparable frontier models — often at less than half the cost. Generally available, starting today. 🧵 #GoogleIO
Jenish Sojitra (@_jensec):
@rez0__ @TakSec I am facing issues with context rotations, any idea? The context window is so small, and every time it hits the context limit it restarts.
GitHub Security (@GitHubSecurity):
Here are our April bug bounty stats!
✅ 325 bounty reports submitted
👥 226 hackers participated in our program
💰 Awarded $2,367 in bounties
Found a vulnerability? Submit it here: bounty.github.com.
Jenish Sojitra (@_jensec):
Seeing the Claude Usage Policy banner despite being part of the Claude Cyber Verification Program. Anyone else seeing this?
Franc Vian (@fr4vian):
Opus 4.7 is THE worst model I have used so far, such a waste of money and time...
Joseph Thacker (@rez0__):
For one of the most important companies on the internet, @Cloudflare's bug bounty program doesn't pay that well.
Backpacking Daku (@outofofficedaku):
Coming out of VFS after submitting the docs and dodging all their attempts to make the traveller pay for a Premium Lounge or any unnecessary add-ons.
Jenish Sojitra (@_jensec):
One way to deal with AI spam reports would be to make the program private with a limited set of researchers and keep only the VDP public. I know a couple of program managers are already considering this.
Fabian Hedin (@FabianHedin):
Thanks for bringing the issue to our attention.
- On the first point, we switched so that free users have private projects by default. This was rolled out at the start of November 2025 and released in December 2025.
- Unfortunately, our HackerOne partners thought public access to public projects' chats was the intended behaviour. We are reviewing the triage process as a result of this, to ensure we avoid false negatives in the future.
Lovable (@Lovable):
We're sorry our initial statement didn't properly address our mistake. Here's what a public project on Lovable means, and how we got to where we are today:

In the early days, people didn't know what Lovable was capable of. So we wanted to make it easy to explore what others were building, as a way to spark ideas and lower the barrier to getting started. Like scrolling GitHub or Dribbble: you browse projects to see what's possible, then go build your own.

When you create a project on GitHub, you can make it private or public. Lovable worked the same. Users had a "Public" or "Private" option right in the chatbox. A public project meant the entire project was public, both chat and code. "Just like a public project on GitHub," we thought.

Over time, we realized this was confusing. Many users thought "public" just meant others could see their published app, not the chat of an unpublished project. That's reasonable.

On the free tier, users originally couldn't create private projects. They had to upgrade to a paid plan to do so. In May 2025, we changed this: users on the free tier could choose to make their projects private. For enterprise customers, the public visibility setting was disabled altogether. And in December 2025, we switched to private by default across all tiers. We also retroactively patched our API so public project chats couldn't be accessed, no matter what.

Unfortunately, in February, while unifying permissions in our backend, we accidentally re-enabled access to chats on public projects. This was reported through our vulnerability disclosure program (via HackerOne). Unfortunately, the reports were closed without escalation because our HackerOne partners thought that seeing public projects' chats was the intended behaviour. Upon learning this, we immediately reverted the change to make all public projects' chats private again.

We appreciate the researchers who uncovered this. We understand that pointing to documentation issues alone was not enough here. We'll do better.
Lovable (@Lovable):

We were made aware of concerns regarding the visibility of chat messages and code on Lovable projects with public visibility settings. To be clear: we did not suffer a data breach. Our documentation of what "public" implies was unclear, and that's a failure on us. Specifically for public projects, chat messages used to be visible; this is now no longer possible. When it comes to the code of public projects: that is intentional behavior. We have experimented with different UX for how the build history is surfaced on public projects, but the core behavior has been consistent and by design. Importantly, for enterprise customers, being able to set visibility to public for new projects has been disabled since May 25, 2025.
Jenish Sojitra (@_jensec):
Need to say this now: submitting vulnerabilities to companies without established bug bounty programs should be normalized and should not be prosecuted.
Riken Shah (@_RikenShah):
If you attended YC Startup School and are not using your credits, I will buy them for ₹100,000💰