In bug bounty hunting-related communities - Discord, Reddit, etc. - I keep seeing people suggesting to look for bugs, or even to look for/focus on a specific class of bugs.

IMO that can lead to a waste of time and lost opportunities, depending on the type of target. I'd say, instead: stop looking for bugs. Start looking for *features* nobody documented, or features that were just added or changed very recently, and invest time in understanding them well and looking for ways to abuse them.

1/2

New functionality may be overlooked by some hunters, and undocumented API endpoints or features - that's where the gold is, in my opinion, and the reason why it's beneficial to monitor the target company's changelogs or release notes. Even if a new feature *is* documented, it may still hide some aspects that are not documented and are worth investigating.

2/2