yso

@0a_yso

Followers
632
Following
250
Media
55
Statuses
473

My crime is that of curiosity. Bug Bounty, Security Engineering, Dev and more Presented at Area41, DEF CON main stage, DEF CON Car Hacking Village

Zurich, Switzerland
Joined February 2019
@0a_yso
yso
24 days
💰 Just 10 public bug bounty reports paid researchers $26,075,042 - all in Web3/DeFi. These are some of the biggest public bounty payouts ever. We're collecting them - and hundreds more - at VulnIndex, now live: 1/6. #BugBounty #DeFi #AppSec #hacking
2
15
83
@0a_yso
yso
22 days
Oh wow, I just found out that @TechCrunch reported on a vulnerability 2 days after I discovered and reported. Despite that @OpenAI rejected me a bounty 🫠 #bugbounty.
techcrunch.com
A few ChatGPT users have noticed a strange phenomenon recently: occasionally, the chatbot refers to them by name as it reasons through problems.
0
0
0
@0a_yso
yso
24 days
On a side note - I am curious how long it will take to take this site down.
0
0
0
@0a_yso
yso
24 days
Explore the alpha → (Mobile not yet supported). If you find it useful, like / repost / share so others in #AppSec and #BugBounty can too. #SecurityResearch #hacking #DeFi #infosec 6/6.
1
0
0
@0a_yso
yso
24 days
Why dive in now?
• See how real-world failures happen.
• Shortcut your research with known TTPs.
• Focus testing on high-impact, stack-relevant bugs.
• Learn from $ MM writeups
5/6.
1
0
0
@0a_yso
yso
24 days
📈 Coming soon to VulnIndex:
• Thousands more reports.
• New disclosure feeds.
• Payout trend stats.
• Top CWEs.
• Full-text search.
• API for tools/research →
4/6.
1
0
5
@0a_yso
yso
24 days
✅ Filter by:
• Technology
• Language
• CWE
• Repro steps
• Vulnerable code
• Severity
• Award size
• Date
and more. Jump straight to original posts or submit your own writeups in 1 click. 3/6.
1
0
3
@0a_yso
yso
24 days
VulnIndex (alpha) is a growing catalog of public bug bounty reports, security writeups, and research blogs. We're curating what matters to researchers and defenders. Here’s what you can do 👇 2/6.
1
0
13
@0a_yso
yso
27 days
Who is Sadiq West and did they really get a $500,000 bounty? Seems like a lie but if someone can confirm that - would love to hear. Link -> #bugbounty.
medium.com
A very simple to any pentester, but most ’em show no care about it and yet critical vulnerability to the company, i know it wasn’t very…
0
1
0
@0a_yso
yso
28 days
Just got to 2nd place in the current Q3 at @yeswehack without submitting a single bug for more than 2 months :). Interesting situation
1
0
15
@0a_yso
yso
1 month
Parsed 12k+ bug-bounty write-ups & blogs (and counting 24/7) and mapped each to CWE + language. Quick hits:
• ~60% of RCEs happen in PHP/JS.
• >50% of GraphQL bugs are plain access-control issues.
Free site coming soon - reply "access" for an early invite! #bugbounty #hacking
149
22
240
@0a_yso
yso
1 month
P.S. I have nothing against such practice but it's fun from time to time.
0
0
0
@0a_yso
yso
1 month
Sometimes I feel like interviewing at @Google is hell and the whole process is organized to just gatekeep unless you know people:
* constant reschedules
* interviewer no shows 🫠
* interviewed by a Software Engineer on Security topics (no deep dives)
Wish myself luck 😁. #hiring
1
0
4
@0a_yso
yso
1 month
If you ever want to get a similar database for free just follow and wait a few weeks as we are working on a product that will ship similar results for anyone to use and dig deeper into technologies they want #hacking #bugbounty.
@gregxsunday
Bug Bounty Reports Explained
2 months
If your GraphQL testing stops at introspection and ID swapping, you’re missing out. SQLi, CSRF, caching bugs, race conditions, WebSocket bypasses - it’s all there. I studied 90 real reports to find what actually works.
0
1
16
@0a_yso
yso
2 months
A single parameter in the OpenAI and Anthropic SDKs can let an attacker overwrite your AI agent's system prompt, hijack every response, and - in some cases - even open a reverse shell from your server. Check out: . #bugbounty #hacking #0day #aisecurity.
blog.ys0.dev
A single, unchecked parameter in the OpenAI and Anthropic SDKs lets an attacker overwrite your AI Agent's system prompt, take over every response, and, in some cases, open a reverse shell from your...
0
0
8
@0a_yso
yso
3 months
If you shared a ChatGPT chat link between April 16-18, your name may have been exposed - and it could still be publicly visible. Details on the privacy vulnerability in @OpenAI : #hacking #bugbounty #openai #chatgpt #airedteam #0day.
blog.ys0.dev
Sharing your chats has never been easier - you simply click Share, the conversation is anonymised, and you're clear to show what ChatGPT produced for you. There are no privacy implications - unless...
0
0
3
@0a_yso
yso
3 months
Am I just lucky? 2nd triage on @Bugcrowd and 2nd shit show in a row. The triager just makes 2 contradictory statements at the same time and there is no option to request a response from a customer??? #bugbounty #hacking #bugcrowd
1
0
3
@0a_yso
yso
4 months
I personally don’t care about the bounty at this point. The right thing to do is fix the vulnerability and/or disclose it so customers can address it themselves. 3/3. P.S. I can acknowledge now that my message might have been misunderstood - but it’s still a strange reaction.
1
0
0
@0a_yso
yso
4 months
Imagine being warned that disclosing information found in a public component published by a company is "illegal" - while keeping that information secret puts a percentage of their customers at risk of losing user data, money, or revenue. 2/3.
1
0
0
@0a_yso
yso
4 months
I've never seen this happen on other platforms - only on @Bugcrowd today. Instead of engaging in a dialogue to fix the bug and coordinate disclosure, my message was perceived as a threat??? I guess I am going to be banned soon? 1/3. #bugbounty #hacking #disclosure #0day
2
0
10