Krigshaw

126 posts

@krigshaw

Bug Bounty Hunter

US · Joined January 2025
47 Following, 13 Followers
DevSlashNull (Eli) @DevSlashNulled
Hey everyone, we want to share an update on support and account security. First, we know that support response times haven't been where they should be. The response to launch was massive and far exceeded what we anticipated, which meant our existing support workflows and tooling weren't built to handle that kind of volume. Over the last month, we've invested heavily in new tooling and processes to meet the demand, and our support team is now equipped to action requests much faster. We're actively working through the backlog, so if you're still waiting to hear back from us, we haven't forgotten about you; your ticket is in the queue and we're on it. On account security specifically, we've been investigating reports of compromised accounts, and in the vast majority of cases we were able to identify the cause: it has been other malicious software that was installed unknowingly by the player. Please be mindful of what you install and run on your device. We'd also strongly encourage everyone to enable authenticator-based multi-factor authentication on your account for an extra layer of protection; even if your password is compromised, MFA can help keep your account safe. We recommend using an SSO sign-in (Google, Discord, etc.) and authenticator-based MFA; this will give your account a higher level of security. This also allows you to disable password authentication on your account. If you must use email + password, make sure your Hytale account has a strong and unique password that you're not using anywhere else. Password reuse is one of the most common ways accounts get compromised across services. Just as importantly, avoid passwords that are minor variations of ones you use elsewhere. These patterns are easy to guess once one version is known; a password manager is a great way to generate and store truly unique passwords for each service without having to remember them all. Thank you for bearing with us, and we'll keep you posted as things continue to improve.
9
24
258
15.9K
Krigshaw @krigshaw
@intigriti @vincebye It's great to see that Intigriti responds to people. I wish more bug bounty platforms were like this. Looking at you @immunefi 👀
0
0
2
182
Intigriti @intigriti
@vincebye Hi there! This is on our radar and will be resolved shortly hereafter. Your patience is appreciated. Thank you!
1
0
13
3.4K
v1ce0ye @vincebye
Submission limit reached! Wait for your submission to be triaged. @intigriti
2
0
20
2.2K
Krigshaw @krigshaw
@xssdoctor @Jhaddix Makes sense. You can tell the kind of guy he is by the fact he sticks his neck out to defend hackers against corrupt bug bounty platform practices in his talks.
0
0
5
1K
xssdoctor @xssdoctor
About a year and a half into my hacking journey, I was pretty bummed out. I had done so much work and learned so much, but I wasn’t finding any bugs. I decided to do something drastic, and I sent a discord message to a hacking legend, @Jhaddix
19
17
348
36.9K
Krigshaw @krigshaw
@zseano I don't even care at this point; I do this because I have a passion, not for them.
0
0
1
666
zseano @zseano
bug bounty programs don't care if you focus on them. bug bounty programs don't care if you stop focusing on them. you are easily replaced.
28
25
522
20.8K
Krigshaw @krigshaw
@7h3h4ckv157 This is meant for after you get the code by some other means. So it is a way to get persistent access if you can extract the code and then get an access token with it, but can't get refresh tokens, for example.
1
0
3
125
JS0N Haddix @Jhaddix
Words of great encouragement
3
0
17
3.3K
Immunefi @immunefi
"I did a crypto heist … Crypto is all fake internet money anyway." That's what Jonathan Spalletta allegedly told an associate after draining over $50M from Uranium Finance in 2021, forcing the DeFi protocol to shut down. He then bought... Pokémon cards with the funds. Now, he's surrendered to US authorities and is facing federal charges for computer fraud and money laundering. It doesn't matter that it was 5 years ago. It doesn't matter that he negotiated a "bug bounty" from the exploited gains. If you find a bug, report it. Don't wait for the feds to show up at your door.
9
6
107
7.9K
Krigshaw @krigshaw
@thedawgyg Yessir. All it takes is once, pissing off the right person, and you're done. Definitely not worth it, especially since most people are already sketched out by ethical hackers because they are "hackers". No need to give them any reasons for anything.
0
0
1
27
dawgyg - WoH @thedawgyg
that's how i feel. people think just because it hasn't happened that somehow means it CAN'T happen. but it only takes 1 single example to set precedent. and it just isn't worth it. once laws are passed to actually protect us it's one thing, but right now the fact so many hunters will risk their freedom for a few thousand dollars is absolutely insane to me.
1
0
1
230
dawgyg - WoH @thedawgyg
I would not recommend doing this first 'tip' on this list.
► Pre-position on acquisition targets: find bugs before the deal closes, document everything with screenshots
This would open you up to all kinds of potential legal issues, and you could even end up tanking the deal (which would likely upset the legal team enough to come after you for violating the CFAA). There is absolutely nothing about this that is legit/legal. If they have an existing bug bounty program or VDP, you're breaking the rules by 'saving' the vulns. If they don't, you're illegally hacking a company that has made an acq announcement, and the vast majority of companies will not let you report a vuln on a new acquisition for 6-12 months post close. It is insane to me that so many people are willing to openly discuss them breaking the law/RoE.
Critical Thinking - Bug Bounty Podcast @ctbbpodcast
HackerNotes TLDR for episode 167! blog.criticalthinkingpodcast.io/p/hackernotes-…
► Pre-position on acquisition targets: find bugs before the deal closes, document everything with screenshots
► Third-party vendors reusing credentials across environments create critical supply chain attack paths
► Stolen research is a real threat: over-detailed reports can leak through Slack integrations or duplicate collaborators
► Protect your intellectual property: watermark reports, host exploits on your own infra, don't reveal full chains
7
3
84
12.4K
Krigshaw @krigshaw
@immunefi I can't join your platform because it doesn't allow people to unless they have passports with chips in them, and since I'm a United States citizen that has never traveled abroad I do not have a passport, and even though I have all forms of valid US identity forms it doesn't matter.
0
0
6
125
Immunefi @immunefi
We now have more than 80,000 users registered on Immunefi. It's time to join us.
10
8
54
15.4K
Intigriti @intigriti
how do you pronounce cURL? 🤠
21
1
30
21.9K
HackerOne @Hacker0x01
Today, we’re launching the HackerOne Bug Bounty Program Maturity Framework, setting the standard for how programs should operate. Researchers know it’s about more than just rewards. It’s also about clear communication, timely payouts, interesting scope, and well-defined disclosure policies. Thank you to the community and the Hacker and Technical Advisory Boards for your role in defining what makes a gold-standard program. Learn more 👉 bit.ly/4rEce1c
15
8
103
34K
Critical Thinking - Bug Bounty Podcast @ctbbpodcast
If you've got a ton of old reports on a target (dupes included), that might be money sitting there. This is dawgyg's favourite bug, the one that bought him a GTR in cash. He opened an old Yahoo SSRF report he'd filed years before and started messing with it. Yahoo had blacklisted the AWS metadata IP `169.254.169.254`, so he tried octal-encoding the first octet: `169` → `0251`, and it somehow worked. It doesn't even look like a valid IP, but Yahoo's server parsed it fine and the blacklist didn't catch it either. Then he pulled up every SSRF report he'd filed against Yahoo over three years and tested the same encoding on all of them. Worked on every single one. 18 unique vulnerable endpoints paying $10k each. $180k for a bug that he doesn't understand to this day; what matters is that Yahoo's servers did. :p
8
13
219
9.6K
Krigshaw @krigshaw
@daud0x0 Thanks a lot. Can't stand when requests clear before I can analyze them.
0
0
2
117
Md Daud @daud0x0
Bug hunters: small Chrome DevTools tip that saved me a lot of time. Took me way too long to notice the Network → "Preserve log" checkbox in Chrome DevTools.
9
25
248
14.1K
Douglas Day @ArchAngelDDay
Claude thinks ffuf is pronounced eff-eff-yew-eff
3
0
24
4.5K
yashar @yashar0x
I’m so proud of this one! This bug was a complex cryptographic issue that could’ve let an attacker drain the entire TVL (billions). The team fixed it immediately, and even though it wasn’t in-scope, they decided to pay a goodwill reward as a token of appreciation 🫠
18
4
163
6.2K
Jayesh Madnani @Jayesh25
I've had firsthand access to ArgosDNS and can say it’s produced quite a few solid results that I didn’t even have in my own database. Unlike many tools, the data actually feels meaningful rather than just raw volume. I've known @damian_89_ a while and have been chasing him for ages for his recon secret sauce 😄 From what I’ve seen so far, ArgosDNS is doing a lot of smart permutations, picking up real-world naming patterns, scanning cloud certs, and doing a ton of crawling behind the scenes to get this data. It’s also nice that the dataset is already deduped so you’re not dealing with garbage. Feel free to give it a shot at argosdns.io
Damian Strobel @damian_89_
Hey guys, I just launched argosdns.io - if you are into IT security, bug bounty hunting, red teaming, ... this is interesting for you! argosdns.io
2
1
74
7.5K
Krigshaw @krigshaw
@zseano Lol, that is hilarious. I've run into similar things too.
0
0
1
674
zseano @zseano
lol?
17
2
129
13.2K
Patrickbatman @hamidonsolo
I made close to $10,000 from bug bounties this month. I'm 19. Still in engineering school. Here's what I didn't show you. I found a Critical RCE — Remote Code Execution via path traversal on a company's server. The kind of bug that pays $5,000-$20,000. Duplicate. Someone found it 12 days before me. $0. Same work. Same skill. Same report. Wrong timing. That's one of dozens. For every bounty I post, there are 15+ reports that got:
→ Duplicated
→ Marked informative
→ Ignored for months
→ Closed as "not applicable"
→ Lowballed after months of follow-ups
But you know what I do when that happens? I wake up. No emotion. No hate. I open Burp Suite. Next target. Next report. Because if I don't, someone else will. Every day I take off is a day someone else dupes me on the next find. So I show up. Even when I don't feel like it. Even when it hurts. Bug bounty is not "find bug, get paid." It's find 50 bugs, fight for 6, get duped on some of your best work, get ghosted on others, and still show up the next morning. The $10K months are real. But behind every mountain is a hundred steps nobody sees. If you're starting out and getting duped and rejected — that IS the path. You're not doing it wrong. You're doing it. Keep going.
41
53
802
53.9K