4 Crits in 48 hours: Unicorn Programs

I've decided to remove this article for the time being to write a more detailed writeup in collaboration with the program itself, so stay tuned.…

OAuth client secret leak and possible IDOR leading to PII disclosure

Given that this vulnerability is still in triage, I will give a vague overview of the bug chain. Whilst working on my automation, I was investigating various interesting subdomains that it had found. One given subdomain was owned by a SaaS bug bounty program. I was reading the HTML source…

January 2021 - My first bounty

The first bounty is a milestone that many hope to hit. It marks the starting line for a lot of bug bounty hunters today. Mine was interesting. For privacy's sake, I won't disclose the company. My first bug was an IDOR. IDOR stands for Insecure Direct Object Reference - that…