p4 @peeefour

787 posts

pwning fortune 500
pulling dreys

Joined August 2020
165 Following · 798 Followers

Pinned Tweet
p4 @peeefour
If you learn how to "go deep" in bug bounties before learning how to "go wide", you will have the ability to go deep into every asset you find when going wide. It just makes sense #bugbounty
5 · 4 · 69 · 7.5K

p4 @peeefour
thanks bro, to get impact i start by understanding the company's business model and features, which allows me to build a mental threat model and potential test cases for each feature. ideas should come naturally at this point. now, try to understand their implementation of flows.
Lakshan Perera 🇱🇰 @tecchirp

@peeefour Amazing man, I wanted to ask: do you usually chain bugs together to show maximum impact, or are these just authorization IDOR bugs?

1 · 0 · 4 · 272

p4 @peeefour
i woke up from a nap and i couldn't find the energy to hunt at that time. i eventually had a thought and then executed said thought. now i don't wanna stop hunting 😆😂
2 · 0 · 46 · 816

p4 @peeefour
@thedawgyg aye cheers im about to take a few as well 😂😂
0 · 0 · 2 · 88

dawgyg - WoH @thedawgyg
Time to take a few dabs and play a couple games of chess. Let's see how this goes lol
4 · 0 · 43 · 2.3K

p4 @peeefour
as a bug bounty hunter, once you sink your teeth into one or a few of the "right" programs, they will truly become yours in due time. you can take as long of a break as you need and there is always more to report when you're back 🤠🐍. find what works for you and make it work. 🫡
3 · 4 · 164 · 8.1K

sin99xx @sin99xx
@peeefour i told you this guy is gatekeeping doordash 🫣
1 · 0 · 1 · 45

p4 @peeefour
first day back and i pwned them twice 🤠🤑
1 · 0 · 7 · 293

p4 @peeefour
yeah... not for another day... bye...
2 · 0 · 35 · 2.8K

p4 @peeefour
@efaav @discord_support nah bro i kept replying to my same ticket that the bot said "nah nothing we can do loser". i got like 10 or so of the same message from the nutty automation. until finally a real person saw my ticket and accepted it bc it was truly a false ban
1 · 0 · 2 · 57

Faav @efaav
@peeefour @discord_support You just kept appealing under that same appeal category or did you try a different support category?
1 · 0 · 0 · 32

Faav @efaav
It's been 4 months and I still haven't been able to be unbanned, if anyone could help or knows anyone who could help please DM me 🙏 @discord_support
Faav @efaav

I was terminated off @discord due to this user editing his messages that I replied to, and then creating mass reports. /: (He did this to a bunch of people)

9 · 3 · 15 · 968

p4 @peeefour
@efaav @discord_support nah bro you gotta keep pushing. i got false banned before for some similar weird shit and i thought it was over. but i was like fuck that. i just kept pushing my concern in the discord ticket. i kept getting a bot telling me the same thing. until finally i got unbanned
7 · 0 · 4 · 72

Faav @efaav
@discord_support I've tried appealing but now I only get responses saying I have to appeal via the appeal button in the Discord app but they already automatically denied that.
2 · 0 · 6 · 318

p4 @peeefour
@IceSolst ahh okay. i was also thinking in a similar way, that's why i was soooo confused and still am 😂. overall a very weird situation
0 · 0 · 1 · 45

solst/ICE of Astarte @IceSolst
@peeefour Yeah don’t think it’s really norm? If something gets reported by an external researcher I have even more of a reason to fix it, for public optics, but also cause I don’t want to keep receiving the same reports in the future
1 · 0 · 1 · 579

solst/ICE of Astarte @IceSolst
This is why I left pentesting and became a seceng: report vulns, none get fixed, how can we change that? I learned there are many reasons why it's impossible to fix everything:
- you have one trillion vulns, but resources to fix 3 per week
- the number of vulns increases faster than you can fix
- how do you pick which ones to prioritize
- ideally you want to apply remediations that are permanent and fix an entire class of vuln, rather than just patch a single one
- to apply those larger architectural mitigations, you need to spend a ton of time NOT fixing other vulns
- for each vuln you decide to pick, you spend an immense amount of political capital (v limited internal resource, like mana) and negotiate with dev teams or SRE
- leadership throws surprise events for you all the time including "CFO got phished" and "the board wants more charts in their report" which take away from your capacity to fix. This happens daily.
- scanners add garbage and most crit findings pose 0 real risk to you.
- meanwhile devs install 13 backdoored VSCode extensions on their IDEs and nothing flags that (unless you use @secureannex by @tuckner, obligatory shoutout)
- if you do miraculously fix one trillion vulns within a year, leadership says "umm but our KPIs and goals were to Use More AI and Automate the Board Report"
- also no matter what you fix, your incidents will be phishing related anyway
p4 @peeefour

yo, why tf am i duping critical vulnerabilities from October 2025 🫨. fix that shit ha!

28 · 54 · 572 · 32.1K

p4 @peeefour
yo, why tf am i duping critical vulnerabilities from October 2025 🫨. fix that shit ha!
1 · 0 · 16 · 32.7K

p4 retweeted

zseano @zseano
@_dexblood the same stuff as always, nothing's changed right now. don't focus on one bug type, learn how their site actually works, what's sensitive and what's not. what requests look like, common ids/params etc used. Pick a program and start hacking
0 · 1 · 7 · 452

p4 @peeefour
just groped some more PII. crit loading...
0 · 0 · 8 · 503

p4 @peeefour
i've put my accounts through so many weird states that my reports now go straight to the target as triage can't reproduce them 🤪🤠
0 · 0 · 6 · 431

p4 @peeefour
@MiniMjStar @DoorDash it is the single most important key and most valuable skill as a security researcher. hone in on it and never stop doing such
0 · 0 · 1 · 29

MJ_The_DJ🇮🇷 @MiniMjStar
@peeefour @DoorDash true that, i was just thinking of some particular bugs to find and just report them, now i remember i should threat model based on what the business is and how it works (* i forget this every fucking time)
1 · 0 · 0 · 38

p4 @peeefour
@MiniMjStar @DoorDash logic is the main driver behind a good threat model. you can't model threats without logical thought processes and critical thinking
1 · 0 · 1 · 27

p4 @peeefour
@MiniMjStar @DoorDash one can master threat modeling with a simple exercise. prying the eyes into the perspectives of others. if i was this company what would i not want a user to be able to do. if i was another user what would i not want an attacker to do?..... now as an attacker what can i gain?
3 · 0 · 1 · 37
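The perspective-swap exercise in the post above ("if I was another user, what would I not want an attacker to do?") becomes a concrete, repeatable check once you record what your own account legitimately owns and replay those requests from a second account. The script below is an added example written for this page, not p4's tooling and not any program's code; the in-memory target, its routes (/api/me/orders, /api/orders/{id}, /api/me/addresses, /api/addresses/{id}) and the users alice and bob are constructed for the demo, with the missing owner check on orders planted deliberately.

```python
"""Differential authorization check for horizontal IDOR.

Added example, not p4's own tooling. Record the objects a user legitimately
owns (from that user's own listing endpoints), replay each object request
under a second user's session, and flag any response that comes back
identical. The target app, routes, and users are constructed for the demo.
"""
import json
from dataclasses import dataclass
from typing import Callable, List, Tuple

Response = Tuple[int, str]                       # (status, body)
Transport = Callable[[str, str, str], Response]  # (session, method, path) -> Response


@dataclass(frozen=True)
class Finding:
    method: str
    path: str
    victim: str
    attacker: str


def owned_objects(user: str, send: Transport,
                  listings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Baseline = objects the user's own listing endpoints return.
    Building it this way (not by guessing IDs) means every baseline object
    is known to be private to that user, so a match later is meaningful."""
    baseline = []
    for listing_path, item_prefix in listings:
        status, body = send(user, "GET", listing_path)
        if status != 200:
            continue
        for oid in json.loads(body):
            baseline.append(("GET", f"{item_prefix}/{oid}"))
    return baseline


def find_idor(baseline: List[Tuple[str, str]], victim: str, attacker: str,
              send: Transport) -> List[Finding]:
    """Replay each of the victim's requests as the attacker."""
    findings = []
    for method, path in baseline:
        v_status, v_body = send(victim, method, path)
        if v_status != 200:
            continue  # victim cannot reach it either; nothing to compare
        a_status, a_body = send(attacker, method, path)
        # Only an exact body match is reported. A 200 with a different body is
        # often the attacker's own object or a generic page: review it by hand.
        if a_status == 200 and a_body == v_body:
            findings.append(Finding(method, path, victim, attacker))
    return findings


# --- constructed target (hypothetical, for the demo only) --------------------
ORDERS = {"1001": {"owner": "alice", "items": "2x burrito", "address": "1 Main St"},
          "1002": {"owner": "bob", "items": "1x ramen", "address": "9 Elm Ave"}}
ADDRESSES = {"501": {"owner": "alice", "line1": "1 Main St"},
             "502": {"owner": "bob", "line1": "9 Elm Ave"}}
TABLES = {"orders": ORDERS, "addresses": ADDRESSES}


def fake_app(session: str, method: str, path: str) -> Response:
    """Stands in for HTTP. /api/me/<kind> lists the session's own IDs;
    /api/<kind>/<id> fetches one record."""
    parts = path.strip("/").split("/")
    if method != "GET" or len(parts) != 3 or parts[0] != "api":
        return 404, "not found"
    if parts[1] == "me" and parts[2] in TABLES:
        mine = [oid for oid, rec in TABLES[parts[2]].items() if rec["owner"] == session]
        return 200, json.dumps(mine)
    if parts[1] in TABLES:
        rec = TABLES[parts[1]].get(parts[2])
        if rec is None:
            return 404, "not found"
        # addresses: non-owners get 404, so IDs cannot even be enumerated.
        # orders: owner check deliberately missing (the planted IDOR).
        if parts[1] == "addresses" and rec["owner"] != session:
            return 404, "not found"
        return 200, json.dumps(rec, sort_keys=True)
    return 404, "not found"


LISTINGS = [("/api/me/orders", "/api/orders"), ("/api/me/addresses", "/api/addresses")]


def run_demo(send: Transport = fake_app) -> List[Finding]:
    alice_baseline = owned_objects("alice", send, LISTINGS)
    return find_idor(alice_baseline, "alice", "bob", send)


if __name__ == "__main__":
    for f in run_demo():
        print(f"IDOR: {f.attacker} read {f.victim}'s {f.method} {f.path}")
```

Against a real target, `fake_app` is replaced by a transport that attaches each session's cookies or bearer token and issues the request; everything above it stays the same. Two caveats worth keeping in mind: the exact-body comparison is deliberately strict, so a 200 with a different body (the server may have quietly substituted the attacker's own record) still deserves a manual look, and a target that answers 403 for someone else's object but 404 for a nonexistent one leaks which IDs exist even when the data itself is protected.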
MJ_The_DJ🇮🇷 @MiniMjStar
@peeefour @DoorDash how does your threat modeling work? by working as a normal user then abusing the limits and etc? even the handle is threatmodel man😁
2 · 0 · 0 · 46

p4 @peeefour
@MiniMjStar @DoorDash my brain that i can't turn off thinks of attacks to try based on what i can do normally. essentially threat modeling like a son of a bitch. this is universal to all targets. i could move targets and adapt with the same thought processes. the bugs would match the new threat model.
1 · 0 · 4 · 60

MJ_The_DJ🇮🇷 @MiniMjStar
@peeefour @DoorDash working on a restaurant or product-selling business is a nightmare to me, i can't work on it. may i know how you generally work on these?
1 · 0 · 1 · 51