Have a question? Ask it here in this thread!


i have question about sub domains. Suppose if we find sub domains of site x(example.com) with knock py and we get sub domain as example.herukodns.com than how we can say that sub domain belongs to site x


Hello all,
I am new to bug bounty hunting and just started reading and practicing it.I came across a site with response code 500.Is this page vulnerable, is a DoS attack possible for the following case?



I’m new to Bug Bounty.What’s responsible disclosure form and what regulations i should follow before to start working with penetration testing tools against applications?


Hello folks!

I have found a vulnerability in a .gov website with a harmless POC included. However, from what I can tell, the state lacks any sort of public disclosure program and appears fairly hostile towards researchers. In the private sector, the same vulnerability falls into the P2 category. It would not likely be considered a P2 on the state .gov website, so I’m not sure if it warrants disclosure if prosecution is on the table. (I haven’t broken the law but I have the feeling the state has a fairly poor understanding of “hacking.”)

Someone pointed me towards this: https://vulcoord.cert.org/VulReport/gov. My first thought would be to submit a report anonymously, but my POC included the email assosciated with H1 and Bugcrowd. I can remove it and then report it, but if the state seeks prosecution, they’ll be able to find it again.

Thoughts? Suggestions?


Disclaimer: Noob here

Found an interesting vulnerability in ASP.NET application that allows arbitrary file upload (that could lead to RCE). But in order to achieve RCE the attacker needs to know the exact path to web root and that’s where I am currently stuck. So just wanted to know if there’s any way I can find web root? the vulnerability itself is quite serious but want to demonstrate the maximum possible impact. Need expert advice on this.

EDIT: I can only provide OS paths like C:\Windows or C:\ProgramData etc. but I don’t know www.example.com/webroot corresponds to which directory on the system



In my question, some of the characters are filtered, so I have copied into the image file. Thanks in advance.


I am just starting out with Bug Bounties and I have run into my first roadblock concerning scoping. In the rules of engagement for Twilio it states that: All Third party hosted services, such as support.twilio.com are explicitly out of scope. But the scope includes *.twilio.com

The last statement is confusing me. How does one determine if you are looking at a third-party service vs. non-third party service.

Reference this page for further information: https://bugcrowd.com/twilio

Thanks in advance for the help or pointing me to something to learn.


If a site is vulnerable to a XSS attack vector when injected in HEX encoding, then what is the remediation step?
I’m a newbie. Thanks in advance .


Hello everybody!
I would like to know how to develop myself to find vulnerabilities in applications on Windows.
What books to read, courses to watch?
What sites can be trained? maybe there is some kind of analog topcoder, only to find bugs in applications on windows, for training.
How important is the reverse engineering in this matter. And how to better study it (books, training, etc).
what better tools to use, what approaches exist?
successful stories of finding bugs.
Or something else that I forgot to mention.
Thank you


I have good amount of knowledge of hunting bugs from reading alot of books,blogs practicing my skills on Vulnerable labs and watching videos. I was learning bug hunting on my own like most of the hackers do from past few months so few days back i thought i should try to find bugs on bugcrowd and i was successfully found 2,3 bugs that got duplicate but thats not the problem. the problem i am facing is that i couldn’t found a way of proper Recon. i searched alot on internet watched jhadix all 4 videos on recon but still im failing in recon.

i just want to ask for a proper recon techniques with proper tools if anyone can guide me to a blog or video i would love to watch/read it.

Sorry for my bad English waiting for a positive response.


I have read this topic, it was very useful for me recon


i was about to ask babayaga on facebook for his recon techniques but you gave me his write-up thank you .


Hello BugCrowd, please excuse a noob question

I’m a developer with an interest in mobile apps security.
I’ve found two vulnerabilities in a bank related android application that I use. (in fact 500k people use)

After working 1 day for a POC script to exploit it I contacted them.

Everything was very nice, they said they pay some bounty but cannot say more until I disclose.

So I summited them the report, they got it, acknowledged the vulnerabilities and said they’ll contact me “later”.

But couple of days passed and no one contacted me. They are a small startup with ~20 employees.

I didn’t signed any NDA, I have screenshots of all the conversations

My question is: what to do now?

Should I give them 30 days to fix it and then publish it on my blog?

At lest they should do some credits, because if they fix it tomorrow it will be unprofessional from their part.

Thanks you