Here we go again
Well I’ve found and submitted another vuln to HackerOne. As with every submission, I now sit on pins and needles waiting to see if I’ll get my first paid bounty. I’ve found bugs in the past, but they’ve either all been duplicates or determined not to be a bug. Each time I read “there do not appear to be any security implications” my heart sinks and it takes a day or two to get back into the mindframe to bug hunt.
But until I get an email reply, it’s AnxiousTown, population 1. That moment when you realize you’ve found a security issue is pretty awesome. I often have to convince myself that what I’ve found is really a bug. I’m pretty good at shooting holes in my own submissions (probably cost me a bug or two in the past). Once I’ve won the inner argument with myself and I’m confident I’ve found a bug, it’s time to write it up. I really try to give good details on the problems and describe everything accurately. But man, the whole time my brain is going 100 miles an hour trying to get it done. For some reason I think that the time between me finding the bug and submitting the report will be the few moments when someone else beats me to the punch.
So for now, it’s sit and wait. A more experienced hunter probably continues the hunt. Not this guy, I wait, nervously. Stay tuned.
July 6, 2023 Update: Nope. Out of scope.