Have a question? Ask it here in this thread!


Are C and Python good to start learning to find bugs making your own tools?

Python is one of the popular languages for writing scripts and tooling. Other ones that come to mind are Bash and Golang.

That being said, be wary of time sinks and rabbit holes, as sw33tLie mentioned in his recent interview:

“Quick dirty scripts can sometimes work just as well as well-written software. And often, that means saving a lot of time, which is a scarce resource. This has been difficult to accept but it’s one of these things that separates software engineering from bug bounty hunting: breaking stuff doesn’t have to be elegant!”

Hello everyone, I’ve created an account on Bugcrowd and submitted a few reports. While going through my reports I realized that I’ve made a mistake while recording a PoC. Is it possible to edit the report?

Best to just add a comment and re-upload as required!

Good evening, is there perhaps a Legal Guide to BugBounty? I would certainly love such a resource so I know when I am within the boundaries (e.g. is it legal to port scan a target or may we only test for known web ports, if the programme says no scanners are to be used, is content fuzzing still allowed, etc.).
If there isn’t one, I volunteer to write one up, in collaboration with the team (because I don’t know a lot, so I will write if someone will check it. Or I can set up a questionnaire and ask the team to guide us), and then we can share it for everyone. (I am also going to ask on other platforms and then we can share it with all bug bounty hunters.)

Are you familiar with Safe Harbor and Disclose.io?

Sorry if this question has already been answered elsewhere.

Given the risks involved in conducting security testing, I’m wondering how often bug bounty researchers end up in legal trouble.

Do bug bounty researchers generally form an LLC to shield their personal assets from liability? Or do most researchers just maintain a sole proprietorship?


In-scope assets defined by organisations provide permission to be tested on. As a researcher you’re also usually protected by safe harbor (https://www.bugcrowd.com/blog/protecting-hackers-by-default-with-disclose-io/) which you can see the status of on the program page.

I’m new to bug bounty and this is my first post on this forum so I’m looking to expand my knowledge not to receive a bounty.

I’m having difficulty proving impact, so my reports are mostly triaged as informative, although I’m convinced they could have impact.

For example, I found the following:

  1. Importing an XLSX with an XXE payload generates an error picked up by a Slack bot with URL unfurling visiting my OAST URL
  2. I’m able to upload a PDF with JavaScript in it and embedded files, but all data-changing actions are performed by POST requests and the session & CSRF token cookies are SameSite=Lax
  3. I’m able to enumerate the existing accounts

All these were triaged as informative. Is this reasonable?

Any advice on how to get a better view on the possible impact of these is more than appreciated.

Many thanks in advance.

Best regards,


I’m a complete beginner in bug bounties. I do some exercises in intentionally vulnerable applications and spend some time looking into bug bounty programs daily.

The web application that I’m looking into saves user-posted images into a database after hashing the user-provided filename with MD5. I noticed that if you put some special characters in the filename like “/”, the file is always saved with the same hash value. I was originally looking into whether the hashing could be bypassed to store the original filename instead, but apparently it is not possible.

So what I was wondering is, could there be some exploit here, since I thought maybe the application doesn’t properly validate user input? And is there a risk of causing unintentional damage to the system when doing this kind of testing? Also, are the program runners interested in these kinds of issues even if they don’t appear to cause security issues?


Hi, I found a subdomain which I think is vulnerable to subdomain takeover, but it doesn’t have any CNAME records. Can someone point me in the right direction?

Then you can’t take over the subdomain, since it has no canonical name. Unless you can take over the domain itself, I guess.