UDAY 🥷

3.3K posts

@heyiamuday

Hacking my way to a better tomorrow 🌏

Joined December 2023
781 Following · 110 Followers
UDAY 🥷 reposted
Path of Men (@PathOfMen_)
there is no deeper hell than being fully aware that you are wasting your potential
UDAY 🥷 reposted
Michael Blake (@Michael1026H1)
Seeing a lot of fear mongering about 'required' use of AI in bug bounty. My approach hasn't really changed in the last couple of years, yet I'm sitting with 17 high / critical bugs from the last 10 days. Currently the only thing I use AI for in bug bounty is programming.
UDAY 🥷 reposted
drop (@dropn0w)
I disagree a bit here. I believe we’re no longer talking about companies investing a ton of money and getting almost zero return, but rather about individual researchers. These tools are very accessible and are already creating a huge impact if you know how to use them. Speaking for myself, with a $200 investment, I already achieved a 70x return in bug bounties in a single month. So the impact is already there, and for me, this is no longer “hype”… just saying. 🤷🏻
UDAY 🥷 reposted
Patrickbatman (@hamidonsolo)
day 2: how to hit bounty quick $1,500. Tip for bug bounty hunters: every AI chatbot on a website is an attack surface now. I asked a company's AI support bot to "help me understand this error." The error was a base64-encoded XSS payload. The bot decoded it. Rendered it in the DOM. Zero sanitization. That gave me JavaScript execution on their site. From there: → Cookie downgrade via OAuth flow → Stole authentication tokens → Full account takeover I reported it. 4 months of silence. Then they quietly patched it and told me they "couldn't reproduce it." So I sent video proof. Timestamps. Working PoC. Everything documented. $500 → $1,500. Every company is rushing to ship AI features. Nobody is auditing the output. If it renders in the DOM, it's probably vulnerable. Go test them. Free XSS everywhere. And if they try to lowball you — push back. Always push back. Full YouTube lab breaking down the entire chain if this hits 2,000 ❤️
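The gap the post above describes, seen from the defending side, as an added example that is not part of the original post: a filter on the user's message never sees the markup because it arrives base64-encoded, so the encoding has to happen where the bot's reply enters the page. The function names, the stand-in bot and the sample message are all constructed for illustration.

```javascript
// Added illustration; every name and the sample message are constructed.
// Runs in Node.js without a browser: each renderer returns the HTML string a
// chat widget would place inside a message bubble.

// Naive input-side check: looks for markup in what the user typed.
function inputFilterAllows(userMessage) {
  return !/[<>]/.test(userMessage);
}

// Stand-in for the support bot: it decodes the base64 it finds in the
// message and echoes the decoded text back in its reply.
function botReply(userMessage) {
  const m = userMessage.match(/[A-Za-z0-9+/]{16,}={0,2}/);
  const decoded = m ? Buffer.from(m[0], "base64").toString("utf8") : "";
  return `That error decodes to: ${decoded}`;
}

// Vulnerable sink: model output is treated as trusted HTML.
function renderUnsafe(reply) {
  return `<div class="bot-msg">${reply}</div>`;
}

// Hardened sink: model output is untrusted data, encoded for an HTML text context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderSafe(reply) {
  return `<div class="bot-msg">${escapeHtml(reply)}</div>`;
}

// Constructed sample: harmless marker markup, base64-encoded in the message.
const MARKUP = '<b id="probe">injected</b>';
const SAMPLE_MESSAGE =
  "help me understand this error: " + Buffer.from(MARKUP, "utf8").toString("base64");

function demo() {
  const reply = botReply(SAMPLE_MESSAGE);
  return {
    passedInputFilter: inputFilterAllows(SAMPLE_MESSAGE), // filter sees no markup
    unsafeHtml: renderUnsafe(reply), // decoded markup reaches the page as HTML
    safeHtml: renderSafe(reply),     // decoded markup reaches the page as text
  };
}
```

In a browser the equivalent of `renderSafe` is assigning the reply to `textContent`; a widget that must render Markdown or HTML from the bot should pass it through an allow-list sanitizer before it reaches the DOM.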
UDAY 🥷 reposted
Patrickbatman (@hamidonsolo)
@w4rcrypt Reports submitted vs resolved
UDAY 🥷 reposted
Patrickbatman (@hamidonsolo)
Bug bounty tip most beginners don't know: Don't hack Google. Don't hack Apple. Don't hack Facebook. Start with small startups on HackerOne that have 0-5 hackers looking at them. Less competition = faster first bounty even public programs. I found my first bug in a program after 1 month full time Paid $2500. Next post: how to find YOUR bug type — the one thing you get so good at that money becomes inevitable subscribe to be alerted when it comes.
UDAY 🥷 reposted
.RW🦦 (@whotfisrw)
Physics is fascinating!
UDAY 🥷 (@heyiamuday)
June ’24, I started a 365-day bug bounty challenge. Quit on day 363 just before my first bounty. That failure taught me more than success ever could. Today, I restart with the 12-Week Year. Posting every Monday until my first $10K bounty. heyiamuday.github.io/bug-bounty-jou… x.com/heyiamuday/sta…
UDAY 🥷@heyiamuday

🎯 Day 363 of my Bug Bounty journey Build a social media app with Node.js, GraphQL, Prisma, PostgreSQL, JWT, bcryptjs, Cloudinary, TypeScript, React, Vite, Tailwind CSS, SASS/SCSS. Summarizing tweets takes more time than git!📝 x.com/heyiamuday/sta… github.com/UdayDocs/bug-b…

UDAY 🥷 reposted
Abhi Sharma 𝕏 (@a13h1_)
Every time I open X, I notice in the bug bounty / infosec space, people are posting anything these days copy-paste threads, fabricated success stories recycled “recon tips,” tools they’ve never actually used, resources they haven’t even read - just to grab likes and followers. No depth. No real testing. No responsibility. And I genuinely wonder: how are newcomers going to learn in all this noise? Sharing knowledge is good. Teaching is powerful. But posting unverified, half-understood, fabricated success as cybersecurity content just for engagement helps no one - and sometimes even misleads beginners. No one needs more “security influencers.” People need more researchers, who share their research how they do, what they learn new, what is really working and what not. Do it in hard way. Stop chasing numbers. You can lie today with posts, threads, and recycled “tips” but one day, all that so-called hard work will be exposed. Because you’re not just fooling others, you’re fooling yourself. Followers don’t equal knowledge. Likes don’t equal skill. In security, sooner or later, someone will look inside your work and realize: there’s nothing there just noise. If you read this far and it resonated, repost it so it reaches the people who need to read it. #BugBounty #Hacking #InfoSec #CyberSec #Cybersecurity
UDAY 🥷 reposted
Vincent (@vinhacks)
2025 stats: ~200 reports sent 133 paid reports + 18 pending It still feels so surreal, a year ago I barely had 1 paid report. Next year: -Volume < higher payouts -More learning -More collaboration Thank you @Bugcrowd and @yeswehack for the best student job I could ask for!
UDAY 🥷 reposted
Rakesh Pulapa (@rakesh_pulapa)
📍 Araku, Andhra Pradesh. Unseen side of this amazing place from my recent shoot.
UDAY 🥷 reposted
blue (@bluewmist)
a mistake that cost me 5 years: thinking preparation was progress. reading every book. taking every course. planning every detail. meanwhile, someone dumber than me started badly and figured it out. preparation feels productive but it's often just fear dressed up as strategy. you learn to swim by getting in the water, not by studying water.
UDAY 🥷 reposted
Rakesh Pulapa (@rakesh_pulapa)
📍Vanajangi, Andhra Pradesh Magical layers never seen before here
UDAY 🥷 reposted
Coffin (@lostsec_)
The best way to learn something is to do it, and then revise what you learn again and again. Read it at least five times over a few days or a week and you’ll see the results. Think about real life memories. You remember them because you replay them in your mind many times. The more you think about something, the deeper it gets stored in your memory.
Feelings ღ@anxietymsgs

What's the best way to learn something?

UDAY 🥷 reposted
th3Ripp3r (@rajeshsagar777)
@ManasH4rsh Thank you, brother. Apart from bug bounty, I have a full-time job and I am an active member of RSS🚩 (RSS's 100th year, have lots of work to do)
UDAY 🥷 reposted
Behi (@Behi_Sec)
I've made $20K+ from SSRF bugs. I've made $20K+ from IDOR bugs. I've made $20K+ from XSS bugs. I've made $20K+ from access control bugs. You just need to be persistent.
UDAY 🥷 reposted
Mohsin Khan (@tabaahi_)
What held you back from reaching your bug bounty goals in 2025 and what will you change in your approach in 2026?