Kanhaiya Sharma
@krishnsec
3.4K posts

APPLICATION SECURITY & RECON | All time top 20 @bugcrowd

Earth 🌏 · Joined March 2021
723 Following · 19.5K Followers
Kanhaiya Sharma @krishnsec
Another program, another P1 with video PoC marked N/A 👏 Of course, if you check the bug late, it’ll already be patched.
Kanhaiya Sharma @krishnsec
I dropped 5x RCEs in a single report, it got triaged, then after 16 days the customer patched everything and rewarded it as P3? So a potential $10k–15k critical report suddenly became a $500 payout in one comment. This severity decision genuinely makes no sense. These kinds of decisions genuinely discourage researchers from hunting on platforms/programs. Spending days finding impactful vulnerabilities, writing detailed reports, and helping secure production systems only to see the severity heavily downgraded afterward is extremely demotivating. In this case, the issues were valid, triaged, and even patched by the customer, which clearly proves the impact was real. Yet the final outcome made it feel like all the effort put into the research had little value. Researchers invest huge amounts of time and energy into finding critical vulnerabilities responsibly, and inconsistent severity decisions like this make people lose trust in the process. Honestly, one comment was enough to completely kill the motivation and energy I had for #bugbounty
Alex Birsan @alxbrsn
hey @Bugcrowd can we please make this checkbox do something, thanks
[image attached]
Kanhaiya Sharma @krishnsec
Just dropped a P1 and it took me 4 hrs to write a single report. Honestly, I’m done for today.
i7z00 @i7z00_
I tried to verify my identity for ChatGPT cyber access. While the verification process is completed, I keep getting this page after completion. Any idea why that is the case?
[image attached]
Kanhaiya Sharma @krishnsec
Suggest top paying bug bounty programs on Bugcrowd & H1.
Kanhaiya Sharma @krishnsec
@OreoB1scuit demo testing :) Plus, the experience was not good enough; only 1 program pays an OK bounty.
Biscuit @OreoB1scuit
lmao I saw krishnsec on an Indian bug bounty platform
Reeboot_to_init5 @ReebootToInit5
Program finally marking my 2-year-old reports as resolved. Meanwhile, me: waiting to report the bypass for the last 1.11 years 💀💀🤣
[image attached]
Smilehacker @_smile_hacker_
I reported two ATOs, both critical, and one SSRF, but they marked all of them as OOS. One of the programs asked me to report it to their VDP. Sadly, they set bounty ranges up to €20,000 and wanted me to report that bug through the VDP. I totally stopped hunting on @yeswehack .
Quoting Kanhaiya Sharma @krishnsec:
> Dropped a critical IDOR bug on the main API of a @yeswehack program, but it got marked as Info with a strange justification: "the API is ours but the bug is not."
> What’s more surprising: the issue was quietly patched, and there’s been zero response to the support ticket I raised 👏
Kanhaiya Sharma @krishnsec
AI is creating more attack surface instead of reducing it; just check the VRT & search for LLM issues. Everyone keeps predicting the future, but the reality is that non-technical people are now pushing code, security teams are struggling to keep up with rapid reports, and new easy 0days are coming. Meanwhile, AI keeps advancing without slowing down 💯 So instead of overthinking, focus on present-day problems & hunt for all bugs 🐞
DAMTAP @Damtap12
@krishnsec I’ve been doing bug hunting for the past 4 months and recently found a P1 vulnerability on a public Bugcrowd program. With AI rapidly advancing, I’m uncertain about the future of bug hunting and how it will impact cybersecurity. I want to understand where bug hunting is headed.