Hussein Daher

The slides of my talk "Bug Bounty on Steroids" @ @bsidesahmedabad are available at webimmunify.com/bsides #bugbounty

🇱🇧

Rule number 1 in Bug Bounty is only hack targets you enjoy hacking

Anyone has a contact at Apple Security? Bug bounty related

@ytrewq12334 It's not that deep. Just pure unprofessionalism and laziness.

Long story short - triagers should ask when they can't reproduce instead of arbitrary closing reports. This impacts every of us and if I didn't have direct contact with the team this would eventually get buried.

@GodfatherOrwa Too complicated for some 😬

@HusseiN98D All the time I keep saying, if the triager can’t reproduce/ or not understand the bug, just create a blocker for the client Don’t triaged , and for sure done closed

@Hogarth45_ Yup, I'm also top 1 on this specific program - otherwise I wouldn't mind

@HusseiN98D You can have a positive 10 year history with a platform and triagers will still treat you like you're trying to BS them and sneak a payday.

@XHackerx007 16 of them 😅

@HusseiN98D HOW DARE HE CLOSE HUSSEIN’S REPORTS AS N/A!

X algorithm is becoming garbage. All I see is politics. Same there ?

Wishing everyone a happy new year filled with love, good health, growth, and moments worth remembering. 🎆

We're looking to connect with individuals or companies who have deep expertise in ransomware data recovery and decryption. If you specialize in decryptors, post-incident recovery, reverse engineering ransomware, or large-scale data restoration, we'd like to talk. DMs open or reply below.

when filename="xx" was used, the WAF was not looking inside the value. so "_response": and others were not blocked.

For ref, I was playing with adding filename="xx" to the params - returns 403 now vs 500 before. GL

If you find something "interesting", don't sleep on it as Vercel seems to be patching our "close attempts" from their logs.

@cramforce That's cool, but it seems like you are patching "close payloads" from our tests? I was working on something which was working and the same request now returns 403.

Vercel has stopped allowing new deployments of next.js applications vulnerable to CVE-2025-66478. If you have not upgraded, the time to do so is now. Exploits are in the wild and WAF rules are not sufficient indefinitely vercel.com/changelog/new-…

AI finds vuln --> AI fixes vuln It's an AI vs AI war now.

@blackhydra443 @GodfatherOrwa @NahamSec @XHackerx007 Well done!

Started with HTMLi, ended with RCE, and finally received appropriate letter from NASA... Special thanks to @GodfatherOrwa, @NahamSec, @XHackerx007, and @HusseiN98D for always sharing knowledge with the community ❤️ #bugbounty #Infosec #NASA #CyberSecurity #bugbountytips

@mcipekci @Burp_Suite would've been so much easier if there was a button

@HusseiN98D @Burp_Suite Copy project to new machine and do not take over collabs etc should work when it asks take ownership

hey @Burp_Suite , is there any way to reset burp collab? I keep getting tons of these spam

Love is sharing potential vulnerabilities notes