Bhautik Patel

27 posts

@bhautikXploit

XII • I • MMII 🔸Bug Hunter 🔸Security Researcher

Joined December 2022
37 Following · 42 Followers
Bhautik Patel @bhautikXploit:
Attended @BsidesMussoorie ⛰️—great experience and an amazing conference! Big thanks to @4non_Hunter for organizing such a great conference. Always good catching up with @amoshkov 🤝. Great to meet my fellow colleagues. Looking forward to attending more such conferences 🚀
Bhautik Patel @bhautikXploit:
🚀 Proof That Manual Testing Still Wins 🐞 Happy to share a small win from my recent work on @yeswehack 📌 10 vulnerability reports submitted ✅ 9 accepted 🔁 1 marked as duplicate (part of the game!) #BugBounty #YesWeHack #CyberSecurity
Bhautik Patel @bhautikXploit:
🚀 One of my early wins of 2026 I’ve successfully reported a Critical SQL Injection vulnerability, which has been triaged and accepted by the program. #BugBounty #infosec #Cybersecurity
Bhautik Patel @bhautikXploit:
Kicked off the year with my first SQL Injection report triaged on HackerOne 🎯 Identified a potential Time-Based SQL Injection via the status parameter. A small win, but a strong start and great motivation for the year ahead 🚀 #BugBounty #SQLInjection #HackerOne #InfoSec
Bhautik Patel reposted

Godfather Orwa 🇯🇴 @GodfatherOrwa:
Big #Bugbountytip / #bugbountytips

Google Services Hunting

Google services are amazing, and for bug hunters, it's amazing as well. In some cases, you can get some P1-P2-P3 from these services, such as Workspaces / Sheets / Groups / Drives / Etc...

In Groups: you can access emails / internal data / credentials
In Sheets: you can access PIIs / edit access
In Drive: you can access backups / PII / Etc...

Still hard to find, and it was an issue how to make good and at the same time fresh dorks for bug bounty programs. Then I found out that a lot of links have the same path, and it was like this.

All Google resources I've found:
sites.google.com/a/domain.com/x…
docs.google.com/a/domain.com/x…
groups.google.com/a/domain.com/x…
drive.google.com/a/domain.com/x…
mail.google.com/a/domain.com/x…
spreadsheets.google.com/a/domain.com/x…
spreadsheets0.google.com/a/domain.com/x…
spreadsheets1.google.com/a/domain.com/x…
spreadsheets2.google.com/a/domain.com/x…
spreadsheets3.google.com/a/domain.com/x…
spreadsheets4.google.com/a/domain.com/x…
spreadsheets5.google.com/a/domain.com/x…
spreadsheets6.google.com/a/domain.com/x…
spreadsheets7.google.com/a/domain.com/x…
spreadsheets8.google.com/a/domain.com/x…

UrlScan Dorking:
page.url:"sites.google.com/a/*"
page.url:"docs.google.com/a/*"
You can replace * => the program domain

Google Dorking:
site:sites.google.com/a/* "inurl:/a/"
Or for a specific domain:
site:sites.google.com/a/* "inurl:/a/domain.com"

GitHub Dorking:
"sites.google.com/a/"
Or for a specific domain:
"sites.google.com/a/domain.com"

Shodan Dorking:
"sites.google.com/a"

Web Archive:
web.archive.org/cdx/search/cdx…

Don't forget: it's not just sites.google.com; you still have to look for docs/groups/mail/drive/spreadsheetsX. Still working in Google research and will add more and more soon......

Happy Hunting♥ #bugbounty
Bhautik Patel reposted

Peter Girnus 🦅 @gothburz:
Someone found an RCE on my website yesterday. CVE-2025-55182. React2Shell.

I don't have a bug bounty program. I never asked for a security assessment. I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty."

Bounty?

I checked my logs. Forty-seven requests to my RSC endpoint. Something, something ... Prototype pollution payloads. They used the GitHub script. The one with 2,000 stars. The one that runs id automatically "for verification purposes." They spawned a shell on my production server. uid=1001(nextjs) gid=65533(nogroup)

They took a screenshot. They posted it on Twitter. "Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO" They got 84781 likes. My customers' data was on that server.

I asked them to delete the screenshots. They said "I removed the domain name, you should be thanking me." Thanking them. For unauthorized access to my production infrastructure. For running arbitrary commands on systems I own. For posting proof of exploitation for clout.

They called it "responsible disclosure." I called my lawyer. They called me "ungrateful." I called the FBI.

Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing." A pen what? I understand it perfectly. I understand that running react2shell-ultimate.py against random websites isn't research. I understand that "I removed the identifying info" doesn't undo the unauthorized access. I understand that #BugBounty doesn't apply when there's no bounty program. I understand that finding my site on Shodan doesn't constitute authorization.

Their followers are defending them now. "Presumption of innocence." "You don't know if it was authorized." "The screenshots were redacted." Three hundred people are calling me a bootlicker for reporting a crime. Someone said I should be grateful they didn't deploy a cryptominer. The bar is underground.

I just wanted to run a small Next.js app. I didn't ask to be someone's proof-of-concept. I didn't consent to being their "first". I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account.

There is no safe harbor for spraying public exploits at random websites. There is no legal protection for "I was just verifying the vulnerability." There is no ethical framework where unauthorized prototype pollution is a favor.

But sure. Thank you for your service. You found a CVE that was already public. Using a tool someone else wrote. Against a target that never authorized you. And you posted about it on main. For likes. Hero.
Bhautik Patel reposted

Godfather Orwa 🇯🇴 @GodfatherOrwa:
How in 1 hour of recon and work I was able to locate a 0day (R-XSS)

I've been invited to a private program and the scope was (anything owned by the program is in scope).

**Step 1** I started looking for 3rd parties over Urlscan by using the dorks Program.* and Program-*, then I found an interesting 3rd party and the domain looks like program[.]app[.]3rdParty[.]com

**Step 2** I collected all the endpoints for *.3rdParty[.]com, then I added them to a wordlist and ran it on the app, then found an interesting endpoint including the (wvstest=) parameter.

**Step 3** By using @xss0r XSS payloads I got a valid hit on the payload

```
orwa%27\">
```

**Step 4** I tested on all the clients, and all of the clients were vulnerable to the XSS. Bug reported and it's time to dig deeper.... #BugBountyTip #Bugbountytips
YesWeHack ⠵ @yeswehack:
Last-minute costume idea: hacker at @YesWeHack 🕷️💻 Don't have what you need? Try your luck to win a swag pack! To enter: 👉 Follow us 👉 Comment your fav Halloween emojis Winners (one here, one on LinkedIn) will be announced Monday, 11AM CET. Good luck, spooky hackers! 💀
bugcrowd @Bugcrowd:
$1,000 GIVEAWAY 🎁‼️ Here’s how to enter: 1️⃣ Fill out the ITMOAH survey 2️⃣ Like this post 3️⃣ Comment your fave tool 4️⃣ Repost bc your friends deserve a chance too Giveaway closes Sept 30 at 11:59pm ET. One hacker takes home $1K. 20 others will score $200 each. Already filled out the survey? You’re entered to win! If not, now's your chance: surveymonkey.com/r/bugcrowd-itm…
Bhautik Patel @bhautikXploit:
🔐 Looking forward to connecting with fellow security researchers, bug hunters, and infosec professionals! 🚀 Always excited to share knowledge, learn, and collaborate. 👇 Check out my profile below! x.com/bhautikXploit