Severity: High (7.5) Weakness: Sensitive Information Disclosure Bounty: Duplicate (First researcher receives $7,500) Hey hunters, I’m back! Just wanna share my recent finding in HackerOne’s own bug bounty program. This finding is pretty much straight forward :) After submitting a report on HackerOne, I’ve added my brother hackerone.com/r3y to the…

Severity: Medium (5.0) — High (7.1) Weakness: Improper Authorization Bounty: $10,000 Summary: First, the initial submission got a bounty of $2,500. But while HackerOne was doing their Root Cause Analysis (RCA) of my report submission, they have stumbled upon another vulnerability with High severity. Since my submission gives them a…

Severity: Medium (6.1) Weakness: Business Logic Errors (CWE-840) Summary: I have found a way that it is possible to harvest all private HackerOne invitation using the Leave Program feature together with the Security@ email forwarding feature without any user interaction. HackerOne Security@ Email Forwarding Feature First, when the program activated…

Hello Internet, this blog is about my findings on hackerone own bug bounty program late 2016, a simple information disclosure which hackerone team decided to reward the highest bounty amount in a single hit/submission so far on their own bug bounty program due it’s business impact. Severity: High (7.5) Weakness: Information…

Severity: Low Weakness: Insecure Direct Object Reference Hello everyone, welcome to my first blog, I’m going to share my recent finding on HackerOne’s own bug bounty program. NOTE: There are two precondition to successfully exploit the bug. Attacker must be a team member that can review a hacker (hacker program…