IronCardinalSecurity

Our solution to the incredibly monotonous recon tasks at the beginning of Bug Bounties is now live as a pre release beta! Access here! palomasecurities.com Run fast, proof‑based recon on authorized bug bounty targets and get a clean, exportable summary in minutes. I have done a ton of testing and using this myself and I personally love it, any feedback or roasts are appreciated, let me know what I missed!

@AbhiX10010 Well earned! Congrats!

Heartfelt thanks to my 1,000 followers! Your support means the world. Excited for what's next! 🙌

@Dedrknex Very cool rohit! What’d the process look like to find this

Found a very cool bug leaking PII of users /Abc/cart/current/1234 authenticated 200 Ok /Abc/cart/current/1938/ 401 /Abc/cart/anonymous/1938 200 OK Response: anonymous| email : test@xym,phone number, name, address etc!!

@ArjeSec @Bugcrowd Parts of bug bounty people rarely share! Still a great learning opportunity

These things happen too this is motivation that you are on the right path and you should not stop. Awesome collab with my friend from httponly XSS with zero impact to user profile manipulation #xss #stored #csp #bypass #origin #sameorigin #csrf #chain #bugcrowd @Bugcrowd

@Icare1337 @yeswehack Super cool! How long did you spend on this?

Just got a reward for a critical vulnerability submitted on @yeswehack -- Improper Authentication - Generic (CWE-287). yeswehack.com/hunters/icare #YesWeRHackers

@hackrkid Nice find! How long did this take?

Made a report on the bugcrowd platform today, please don't be a N/A or duplicate 🙏 Got the idea for this bug during my sleep

@696e746c6f6c @Hacker0x01 Congrats ! Great find!

I was awarded a $2,500 bounty on @Hacker0x01 by TikTok. Long time no see TikTok. Still feels like a good comeback.

@r007User Congrats!!

Opened my HackerOne account in 2023, haven't hunted on the platform since then. Took a long break. Back now. Now we wait.

@hugopicanzo Daily intrusive thought tbh

It’s oficial - I suck at Bug Bounty hunting :/

@Xl1m1tl3ss @Bugcrowd Good find at least!

Duplicate, still happy its valid issue very soon will find a bug that not duplicate 🤧 @Bugcrowd #Hacking #BugBounty #securityprogram

@xlsize0bruh @Hacker0x01 Congrats! That’s awesome!

Yay, I was awarded a $400 bounty on @Hacker0x01 by TikTok! hackerone.com/xlsize0bruh #TogetherWeHitHarder

@hamidonsolo Fantastic write up! Great work

Two characters broke an entire platform. ../ That's it. That's the payload. for $2,500. I put a path traversal in a URL hash fragment — the # part that the server never sees. No WAF caught it. No server log recorded it. No security tool flagged it. Because the attack only existed in the browser. JavaScript parsed the hash. Built an API request with it. Zero validation. I redirected it to the email change endpoint. One click: → Victim's email changed to mine → Password reset sent to my inbox → Full account takeover → Every secret in the system leaked → Victim locked out permanently I almost didn't test this feature. It looked boring. Nothing interesting. I was about to close Burp and go to bed. Glad I didn't. $2,500. I wrote the full story — the 1am discovery, the chain, the severity fight, and why the boring features are where the best bugs hide. Full writeup ↓ patrickbatman.hashnode.dev/how-i-took-ove…

Check out our ReconKit Pro Demo at the attached link! palomasecurities.com/recon/ReconKit… I’ve been very blessed lately leveraging recon from this tool into reportable findings! Check it out if you have the time!

Happy Blessed Friday! Was able to kick it off with a hardcoded API token found in public JS🤞🙏 Big recon assist with Pro palomasecurities.com!

@DuckyWantDucky Love the updates!

Day 112/365 of the Until get 10.0 Critical report 📤 Reports Submitted:- 1 🟠 triaged - 1 🟦 new status - 0 🟤 Duplicate - 0 🟣 New -0 💰 Paid - 0 💻 Worked- 11 HOUR #BugBounty

@OriginalSicksec Very impressive! How much time did u put into it?

@ironCardSec Built it just for fun

Built an MCP server for HackerOne — search your reports, read triage conversations, check program scope, analyze your hunting patterns, and track earnings. Works with any MCP-compatible client github.com/Sicks3c/hacker…

@Zierax_x No one more deserving! Congrats!

Hi,hackers Now I am officially a security researcher, my latest research have been accepted in IEEE AIITA'26 "PTRR: A Metacognitive Framework for Measuring and Mitigating Automation Bias in AI-Assisted Vulnerability Research" I hope you find it well <3 doi.org/10.5281/zenodo…

@JoaoGomes12243 @Hacker0x01 Congrats that’s awesome!

Yay, I was awarded a $1,000 bounty on @Hacker0x01! hackerone.com/zig_shark #TogetherWeHitHarder

@ertugrulphp Free premo I guess

The company has over 10m users and the annual premium plan is $80 "Reports that do not relate to legitimate data privacy or security concerns may be accepted as Informational, but will not be rewarded"

@DhaferThamer @Hacker0x01 Congrats!

Yay, I was awarded a $4,250 bounty on @Hacker0x01! hackerone.com/dhaferx66 #TogetherWeHitHarder