Artwork by https://www.instagram.com/laracallejaillustrations/

Greetings!

In this post I plan to outline some changes I’ve made to bugbountyhunter since launch and future plans for the platform. At the time of writing we are not currently accepting new members (we’re training over 700+ members currently!) however after our next major upgrade we will begin to welcome new members. We’re looking to make it more accessible for not only researchers but also those looking to teach others, using BARKER (without me being the teacher!)

I just want to put some emphasis on the fact that BugBountyHunter.com & BARKER are work in progress and they are currently…


Hi there!

What a year it’s been right?! Let’s not mention the C word… it’s lockdown in 2hours here in the UK. Yay. Although, I do hope you are all well & safe! We will get through this ❤ Carrying on.. I announced at the start of the year that I would be releasing my methodology online and finally, as we approach the end of year, it’s out!

Let me explain what’s been going on and what’s in store for the future!

Figuring it all out

I started designing the new BugBountyNotes platform last year after putting together a small plan however I was…


This is another bug that was right in front of everyone because if you didn’t purposely look for it you’d never realise personal information was being ‘secretly’ leaked.

How does this feature work..?

When testing on [redacted] I noticed this piece of text:

Checking this box allows us to share your address with the list creator to help them manage their thank you list. You can change your preference at any time.

It only mentions that your address will be shared and nothing else. This is where I begin writing notes, such as “Feature [xyz] — Address is shared, reflected on [redacted].com/example. Only visible to…


Sometimes new features designed to generate revenue for a company can be rushed and sometimes not enough thought has gone into how to securely implement this new feature into the main web app. What does that usually mean? Bugs! The bigger the company the more products planned on the road map. The bigger the work load the more mistakes that are made.

How a new feature enabled me to bypass ID verification, very easily..

This is an interesting bug I found on a program which enabled me to bypass certain identification processes thanks to new features. The website in question required users to verify their ID in order to claim ownership of…


Do any of you use Intruder when checking out subdomains? For me personally I use a tool called “XAMPP” which lets me run PHP locally combined with intruder. From here I then create a simple redirect script inside index.php, <?php $url=$_GET[‘url’]; header(“Location: “.$url); ?>. Next I modify my /etc/hosts/ file and add “anydomain.com 127.0.0.1” and now anytime I visit http://anydomain.com/?url=https://www.google.com/ it will redirect to google.com. Perfect.

So where does intruder come into this.. or more, why? Well the beauty of Burp Suite is you can easily see the Response and that’s exactly what i’m interested in. I love to see…


This post is going to outline how I simply applied my methodology and managed to find multiple vulnerabilities leaking airline passenger information on a YesWeHack bug bounty program. My experience on YesWeHack has been extremely good as the companies engage & communicate with you on reports to understand the issue in a very timely manner. I feel like the companies I dealt with on YesWeHack treat me with full respect and honestly I recommend you checkout their platform, I just wish there was more programs! :D

For these findings I spent approx ~15hours max over 3 days to find these…


Hi there!

I sadly bring you some sad news and that is after a lot of thought I have decided to shutdown BugBountyNotes. The good news is I plan on recreating something & the majority of content on BBN will still be available on my new platform but one important change will be the fact I am opening up more of my time to focus on training companies and introducing them to the world of hackers.

Yes that’s right, I am now going to be working more closely with companies to teach them how working with hackers is beneficial. Not…


I’ve secured a venue, i’ve created the content and now i’m waiting to bring hackers together for the first ever “So you wanna bughunt” training event hosted by me, zseano, located in Cambridge (United Kingdom). I started mentoring via YouTube only a few months ago but i’ve been training people on a 1 to 1 basis for years, just as a friend, not an official ‘teacher’. Now I want to take my mentoring to the next level and bring hackers together in the same room, as you would like a live hacking event, except instead of earning we’re learning.

If…


Firstly thank you to everyone who participated in my very first live hands on mentoring. I was a bit unsure how it would go and if people would understand the goal, but overall the day was a success and I plan on hosting the next live mentoring session on 21st July 2019 at 2pm BST, so mark your calendars and hopefully see you there? :)

A huge thank you to those who donated during my mentoring session. I would like to invite all 4 of you to a private mentoring session one week before on 14th July 2019.


Despite the fact i’ve complained that bugbounties have some problems, no other job out there enables you to sit in the comfort of your own home legally hacking websites in turn for money, and sometimes big money. Money is a massive factor in why people do bugbounties and it’s why many started them in the first place, however sadly a lot of people will end up spending hours finding nothing.

So, in this post I intend to give you some personal tips & advice on how to be successful in bugbounties and turn your time into bugs.

Firstly, be warned

Sean (zseano)

UK WebApp Security Researcher. Creator of BugBountyHunter— designed to help people learn and get involved with hacking. zseano.com & bugbountyhunter.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store