Alex Chapman
3,283 posts
- I wrote a blog post on my experiences during my first 12 months of full-time #BugBounty hunting. Check it out 👇 ajxchapman.github.io/bugbounty/2020…
- Did you know you can create a tar file which can also be executed as a shell script? I didn't! Why is this useful? I've absolutely no idea... but if you find a use let me know #BugHunting #BugBountyTips
- Atlassian agreed to publicly disclose my report which resulted in CVE-2020-28914 against @katacontainers, and netted my second largest bounty ever! Thanks to @Atlassian and @Bugcrowd 😎 #BugBounty bugcrowd.com/disclosures/7b…
- In April, I didn't submit any vulnerabilities. I did however have a beautiful healthy baby girl join my family 👶 Hello World Maddie Chapman ❤️
- I was asked recently how long it took to find a particular Critical bug, and I struggled to answer. Was it the hours of trying to confirm the bug? The hours suspecting the bug was there? The hours learning the target? The weeks learning the technology? The years learning to hack?
- Bug Bounty hunters, especially those doing this full time, you *have* to spread your risk. Submit bugs to multiple programs on multiple platforms to help reduce the impact of delayed and poor payments. Bug hunting should be run like any other small business #BugBountyTips
- Spamming Bug Bounty programs with 1-day exploits (see CVE-2020-5902) is the Ambulance Chasing of bug hunting. Any sensible program will have a condition to allow them time to patch before paying out for these issues. #BugBounty #UnpopularOpinion
- Be careful who you look up to in the #BugBounty space. There are some genuinely good people, but there are a lot more cheats and charlatans, faking knowledge and success for internet fame.
- Bug hunters, make notes on the techniques you learn and publish them on a personal blog. I just came across one of my old blog posts when Googling how to perform a specific attack, completely forgetting that I'd done it before (yes, I'm getting old) #BugBountyTips
- I recently found a decade-old Server-Side Browser on a #BugBounty program. Exploiting it was a bit of a ride. I wrote up the experience so others may learn from my (many) mistakes!
- #BugBounty confession time. I am a *bad* web app tester and have little interest in recon 😐 I am a mediocre reverse engineer and ok(ish) at source code review. What I do have is a lot of curiosity, determination and good instinct for when something doesn't "feel" right.