InfiniteSec

52 posts

@infsec_io

HackenProof All-Time Rank #4. Web3 security team specializing in blockchain audits and vulnerability research. Audit requests → https://t.co/upePa4whxT

Joined December 2025
39 Following · 245 Followers
sashko.eth🇺🇦
If your goal was to make $1M from bug bounties in 2026 you might want to move faster. @infsec_io is already halfway there… and that’s only counting submissions on HackenProof 👀 The pace this year is different.
HackenProof@HackenProof

$500,000 to @infsec_io — what a legend move, Respect 🫡🔥 Half a million for a single valid find, climbing straight to #4 on the leaderboard! Huge congrats from the entire HackenProof team 🎉


InfiniteSec @infsec_io
@d0rsky Yes, we have basically achieved the 1M target, and soon we will also appear on the Filecoin and Ethereum leaderboards.

InfiniteSec retweeted
HackenProof @HackenProof
$500,000 to @infsec_io — what a legend move, Respect 🫡🔥 Half a million for a single valid find, climbing straight to #4 on the leaderboard! Huge congrats from the entire HackenProof team 🎉

InfiniteSec @infsec_io
We are proud to see InfiniteSec officially acknowledged in the latest $TON Core Release (v2026.02)! Following our security research in Jan 2026, we’ve worked closely with the @ton_blockchain core team to further enhance infrastructure stability and overall ecosystem resilience. High-impact research, real-world results. A big shoutout to the core developers for the professional collaboration in making The Open Network more robust for everyone. 🤝 Check out the full release log: 🔗 github.com/ton-blockchain… CC: @ton_blockchain #TON #BlockchainSecurity #InfiniteSec #Web3 #Infrastructure

InfiniteSec @infsec_io
I completely agree. Although we’ve uncovered many vulnerabilities and earned significant payouts through bug bounties, it’s fair to say that most issues encountered are trivial. Experienced hunters won't report these, but newcomers create a lot of noise—especially now with LLMs in the mix

WhiteHatMage @WhiteHatMage
@philbugcatcher I'd never recommend bounties to beginners. For their own sake, and for the sake of everyone. It's not a playground, but where professionals gather to prevent exploits. I'd suggest doing CTFs, reproducing exploits, and proving findings from reports and writeups. Git gud first.

phil @philbugcatcher
Pretty sad that audit contests are over. The best path for beginners now is bug bounty, which is a tougher entry point than contests. On the bright side, the next cohorts of SRs will likely come out even stronger.

InfiniteSec @infsec_io
And the last update to the codebase was 4 years ago, I should have realized it.

InfiniteSec @infsec_io
After submitting a high-risk vulnerability to the @immunefi bug bounty program, you discovered that the project's TVL is currently less than $400,000. 🙀🙀🙀

InfiniteSec @infsec_io
We discovered a critical vulnerability in Flare that could halt the chain, but it has been duplicated. It's truly disheartening to hear such news. We will release a writeup after the vulnerability is fixed.

InfiniteSec @infsec_io
A friendly heads-up before you dive in: Ethereum's client diversity significantly devalues vulnerability severity ratings. Look at the severity criteria — Critical requires impacts like slashing >50% of validators or causing the entire network to halt. But no single client holds >50% market share right now. Geth is at ~41%, Lighthouse at ~42%. So even if you find a devastating RCE or consensus bug in the most popular client, the impact is inherently capped by that client's market share percentage. In practice, this means virtually no single-client vulnerability can be rated as Critical. A catastrophic bug in Geth, for example, would only affect ~41% of the network — that lands you at High severity at best (the threshold is >33%). For smaller clients like Reth (2%) or Nimbus (6%), even a total crash-the-node bug barely qualifies as Low.

Ehsan @Ehsan1579
@WhiteHatMage @thedaofund I'm going to be auditing Ethereum soon, I thought the exact same thing, I think it should be at least 50 million ngl.

WhiteHatMage @WhiteHatMage
Hey @thedaofund, use the funds to actually secure Ethereum. The $250k max cap for the Bug Bounty Program is too low by any standards.

InfiniteSec @infsec_io
@WhiteHatMage We'd suggest that even if bug hunters don't have time for thorough market research, at least check the project's TVL on defillama. Treasury funds are also a great reference point — they often determine how much a project can actually invest in security.

WhiteHatMage @WhiteHatMage
@infsec_io I should read my own post again. I keep falling for bad projects lol

WhiteHatMage @WhiteHatMage
The hardest part of bounty hunting isn’t finding the vulnerability. It’s actually getting paid what it’s worth. Behind every happy payout there are dozens of horror stories.

InfiniteSec @infsec_io
@WhiteHatMage We've run into plenty of failed bug bounty payouts ourselves. We plan to share those stories in the future, but for now we're more focused on the hunt. Really appreciate you sharing this.

InfiniteSec @infsec_io
We discovered a consistency-related vulnerability in the transaction processing pipeline of a major public blockchain’s transaction bundling / block-building infrastructure. Unfortunately, this issue ultimately turned out to be a duplicate, but that’s one of the most common outcomes bug hunters run into—so we keep moving forward.

InfiniteSec @infsec_io
Read through a @Ehsan1579 zkSync security report and spotted a new critical vulnerability. Unfortunately it turned out to be a dup. It happens. Onwards.