My both XSSes were rewarded $2,000 each! Thus, the final result of this challenge is $7,200. Watch the second part here: th-cam.com/video/hnW5hxF4Nd4/w-d-xo.html
Thanks for posting this. As someone who tries to find bugs but gets nowhere, this provides a lot of the insight and perspective I've been looking for, for a while. Hope you make a lot more of these :))
This was a great challenge! What a cool bug you found just a few hours in with the archived prices. I think its also important to keep in mind that this understanding is compounding, and if you would do 100 more hours on Stripe, you would already have a base knowledge to start out from.
@@AkashSharma-ml2lz P stands for priority. P1 is Priority 1 P5 is Priority 5 P1 vulnerability will be a serious security issue. P5 would be a low serious issue as compared to P1,P2,P3, and P4. But it's still a security vulnerability.
Iam 16. Working for my first bounty. I worked very hard. Last week my first report got triaged for cache posining Xss . By after 4 days they said that the vulnerability is with 3 rd party code they are using, and not payed any Bounty. Iam almost demotivated now.
Great one! That's why I always think hunting on a target that you use daily is very important. You have to understand all the features before look for bugs in it. Just one question, is the open source assets you mentioned related to your target or it is just a open source tool that is used by your target?
With your bug hunting experience accumulated, you will easily get a high paid web security job later on if you decided to do so. Well done and hope to see more video from you.
Yeah I try to balance spending time on bug bounty or creating content to avoid burining out in any area - when I'm tired with bounty I do more content (or handle stuff behind the scenes) and when I don't feel like doing this, I can do more hacking.
@@BugBountyReportsExplained Thanks man, no idea yet, probably something open source. Hacking a regular web app for 100 hours would probably become very boring
Me: struggling to find bugs in private programs, barely reporting anything above P4 :/ Greg: 100 hours later, 7th in public bug bounty program with dozens of other active hackers
@@BugBountyReportsExplained Yeah, the problem is you never know. If there is one thing missing on HackerOne programs' stats - it's the number of participating hackers. I know it would be hard to actually tell the exact number, but some estimation based on submitted reports (in case of public programs) or accepted invitations (private ones) would be really helpful.
Hey dude, great video! Also, I really wanted to go through your notes, but I can't access the link in the description, can you please fix it or just link the notion here? Thank you so much Peace out
love your videos, can you tell whether it is possible to earn around $6000 - $10000 a year if a bug hunter has over a year of experience ??, your reply would be highly appreciated :)
Welcome to the comment section! As mentioned, there will be a second part where I will respond to your questions. So if there's anything that you'd like me to talk about - leave a comment with your question.
Hello, I am observing bug bounty since one year, But I am unable to do it. From where should I start and I don't know anything about programming languages, Linux also, I didn't try pentestering, I don't know python language. Can you please tell me. Thanks
@@BugBountyReportsExplained I have seen that websec academy in burp suite, I don't know from where should I start. Can you please tell me more about this. Thanks
It's a risk of a bug. P1 is the most risky (critical in Hackerone's classification), P2 (high), P3 (medium), P4 (low), P5 (Informational) - the least risky.
My both XSSes were rewarded $2,000 each! Thus, the final result of this challenge is $7,200. Watch the second part here: th-cam.com/video/hnW5hxF4Nd4/w-d-xo.html
Thanks for posting this. As someone who tries to find bugs but gets nowhere, this provides a lot of the insight and perspective I've been looking for, for a while. Hope you make a lot more of these :))
I'm glad it helped! I'll be doing these regularly!
This was a great challenge! What a cool bug you found just a few hours in with the archived prices. I think its also important to keep in mind that this understanding is compounding, and if you would do 100 more hours on Stripe, you would already have a base knowledge to start out from.
Thanks - it was almost your idea ;)
Surely in Nth bounty vlog I will come back to Stripe
I'm new to bug bounty,.Can u please tell me what does mean by P1 level,P2,P3 P4level vulnerability ??
@@AkashSharma-ml2lz P stands for priority.
P1 is Priority 1
P5 is Priority 5
P1 vulnerability will be a serious security issue.
P5 would be a low serious issue as compared to P1,P2,P3, and P4. But it's still a security vulnerability.
@@SUMMedia thankyou so much bro😍🤗
Great video i love this concept and showing the actual process! I think you should do more stuff like this!
Thank you! That's the plan!
nice one mate , waiting for vlog #2
Working on it!
Iam 16. Working for my first bounty. I worked very hard. Last week my first report got triaged for cache posining Xss . By after 4 days they said that the vulnerability is with 3 rd party code they are using, and not payed any Bounty. Iam almost demotivated now.
That's a solid finding though! Don't let the payout be the only measure of success
make a write-up on the finding bug on medium and earn for lifetime 👍
wow this is so awesome man such a great video idea. shows to newcomers if u put in the work to understand the application u can find bugs
Glad it was helpful!
Thank you so much! You are killing it! Nice job!
Thanks for watching!
Great one! That's why I always think hunting on a target that you use daily is very important. You have to understand all the features before look for bugs in it. Just one question, is the open source assets you mentioned related to your target or it is just a open source tool that is used by your target?
It was from Stripe's account on GitHub, not in any dependencies
With your bug hunting experience accumulated, you will easily get a high paid web security job later on if you decided to do so. Well done and hope to see more video from you.
True!
Which app or website you used to track time ?
good video
quality video !!!
It's toggle track
Spending 100 hours on one target constantly could lead to burn out I think. Spreading it over 3 months is a good way to avoid it.
Yeah I try to balance spending time on bug bounty or creating content to avoid burining out in any area - when I'm tired with bounty I do more content (or handle stuff behind the scenes) and when I don't feel like doing this, I can do more hacking.
Sick, congrats! Ill take you up on that challenge
*meant to comment that on the second video
Good luck! What program did you choose?
@@BugBountyReportsExplained Thanks man, no idea yet, probably something open source. Hacking a regular web app for 100 hours would probably become very boring
Well presented & organized.
I'm new to bug bounty,.Can u please tell me what does mean by P1 level,P2,P3 P4level vulnerability ??
Congrats man!
thanks!
Hardwork always paysoff.......🥳🥳 & Thanks for sharing your experience and tips....
Great 🔥🔥
Pretty good review, thx.
Glad it was helpful!
I am from India.. Nice vlog.❤️ keep it up
Me: struggling to find bugs in private programs, barely reporting anything above P4 :/
Greg: 100 hours later, 7th in public bug bounty program with dozens of other active hackers
reporting P4's is a strategy for some, report one P4 (usual bounty is 100USD) each day and you will end up with 30k year later
who knows - maybe it's the private ones that are more crowded🤔 my bugs were not very risky, too
@@sebastianchmielewski6281 I'd rather find something more severe ;) Which, I have to admit, is unfortunately quite hard for me recently :/
@@BugBountyReportsExplained Yeah, the problem is you never know. If there is one thing missing on HackerOne programs' stats - it's the number of participating hackers.
I know it would be hard to actually tell the exact number, but some estimation based on submitted reports (in case of public programs) or accepted invitations (private ones) would be really helpful.
Greg has a few years of experience in pentesting. What about you? :)
Greetings from Ukraine. U r rock
Hey dude, great video!
Also, I really wanted to go through your notes, but I can't access the link in the description, can you please fix it or just link the notion here?
Thank you so much
Peace out
I checked now and it works just fine
Amazing as ever
love your videos, can you tell whether it is possible to earn around $6000 - $10000 a year if a bug hunter has over a year of experience ??, your reply would be highly appreciated :)
Of course it's possible
Very honest review
honesty is a keyword of this series
@@BugBountyReportsExplained going to subscribe to bbre premium
Which automation tools you use?
I am glad to know that.
None.
Thanks for the video =)
where did you learn pentesting you talked about
Mostly in the web application hacker's handbook but even 5 years ago it was already partially outdated.
Welcome to the comment section! As mentioned, there will be a second part where I will respond to your questions. So if there's anything that you'd like me to talk about - leave a comment with your question.
Did you get bounty for reporting dmarc ?
No, this is not a bug for which you can get a bounty
Awesome 🔥
Thanks 🔥
I subscribed to the newsletter, but i didn't get the notion template link?
Remember to click the email confirmation link
so do you prefer pentesting or bug hunting?
bug bounty
didn't think huge companies such as stripe could be vulnerable
Everyone is vulnerable. The question is how a company deals with that.
When you were testing stripe did you need to use your own real money? I mean like place a subscription so you can try to hack this flow
There's test mode that's awesome and I could do most things without real payments. At some point I did start testing the real payments but only a few
Which tools I have to download for scanning and account takeover or bypass.
Burp Suite
Hello,
I am observing bug bounty since one year, But I am unable to do it.
From where should I start and I don't know anything about programming languages, Linux also, I didn't try pentestering, I don't know python language.
Can you please tell me.
Thanks
I think I will record another episode about resources but I'd start with WebSec Academy
@@BugBountyReportsExplained I have seen that websec academy in burp suite,
I don't know from where should I start. Can you please tell me more about this.
Thanks
@@BugBountyReportsExplained
In burp suite solution-
1. Application security testing
2. Devsecops
3. Pentration testing
4. Automated scanning
5. Bug bounty hunting
It's showing this
I'm new to bug bounty,.Can u please tell me what does mean by P1 level,P2,P3 P4level vulnerability ??
It's a risk of a bug. P1 is the most risky (critical in Hackerone's classification), P2 (high), P3 (medium), P4 (low), P5 (Informational) - the least risky.
@@BugBountyReportsExplained thankyou so much bro,.😍
Is PHP useful in bug bounty?
Yes. The most important thing is to understand how webapps are built in general.
i never ever seen vedio like this on our channel amazing and hardwork please the time i need ur note i want to get i cant get it now ❤
Thanks!
Visit: mailing.bugbountyexplained.com/stripe and use your email
@@BugBountyReportsExplained hey is it a paid version
@@abdiwahabahmedomar2399 no, notes are free
@@BugBountyReportsExplained make me free if u can
haha where I'm from the 3000$ could easily furnish my lifestyle for a year.
Then doing things like bounty where you earn in dollars should be economically perfect for you
3,100 / 100. Worth it?
It's great for beginning but if that would stay at this level in the long run then I would have to think about alternatives