I Reported 30 Vulnerabilities in 1 Day

Karan Arora
3 min read · Jun 18, 2021

Hi. I have some free time right now, so I thought I'd share my experience from the day I reported 30 bugs to different programs.

This writeup is divided into the following sections:

  1. Back Story
  2. Results
  3. Learnings

Bug Bounty Platforms: Bugcrowd, Hackerone, Intigriti, Public Responsible Disclosures

Back Story:

Just so you know, my usual bug-reporting philosophy is to submit only bugs with medium or high impact, which is why it can sometimes take a long time to find a single valid bug.

On that particular day I was frustrated with my week's performance, since I had not been able to find a substantial bug to report, so I decided to change my approach, test different things, and run an experiment.

In that experiment I was going to report every low-hanging bug I found. My focus was on quantity rather than quality (which, in the long run, is the wrong practice). I simply wanted to know whether this change in methodology would produce results that were sustainable.

At the end of this write-up, I have given my perspective on this particular experiment.

Here are the results:

Bugcrowd Total Submissions: 19

  - Accepted Reports: 7/19
  - Duplicate Reports: 7/19
  - Rejected Reports: 5/19

Hackerone Total Submissions: 6

  - Triaged / Accepted Reports: 1/6
  - Duplicate Reports: 2/6
  - Informative Reports: 3/6

Public Responsible Disclosure Programs Total Submissions: 4

  - Accepted Reports: 3/4
  - Duplicate Reports: 1/4

Intigriti Total Submissions: 1

  - Duplicate Reports: 1/1

Bug categories that I reported:

Open redirects, rate-limit bypasses, some low-impact XSS, weak login functions, content spoofing, clickjacking, etc.

What do we learn from this?

The methodology I used to report these bugs is not sustainable in the long run.

Having submitted 30 bugs in one day, if I had followed the same methodology on the following days I would easily have burned out. My expectations would have risen with the number of submissions, but the truth is that you don't always hit the gold rush, and there will be days when most of your submissions are marked as duplicates.

In general, the probability of a duplicate is very high when you submit low-hanging bugs.

That's why I don't recommend this methodology in the long run.

Note: if you can somehow automate this whole process (I'm working on this as well and will post an update soon), it can be a good way of earning some passive income.

Keep hunting!

Support me here ⬇

https://www.paypal.com/paypalme/karanxarora

Twitter ⬇

https://twitter.com/Itskaranxa

IF YOU FELT THIS WAS WORTH YOUR TIME THEN SUBSCRIBE FOR MORE. STAY CURIOUS!
