Michael Skelton

@codingo_

Followers
30,602
Following
678
Media
379
Statuses
9,033

VP of Operations @bugcrowd , Hacking Content @ tools @ @SecTalks_GC & @BSidesGC co-organiser

Queensland, Australia
Joined September 2013
Pinned Tweet
@codingo_
Michael Skelton
1 year
Work in progress, but just made Dorky public - a new tool to quickly do keyword searches over Gitlab and Github for OSINT & bug bounty recon.. Useful when paired with @trufflesec
Tweet media one
12
146
471
@codingo_
Michael Skelton
4 years
I just spent over a month crafting the ultimate guide to FFUF. It is such an incredibly powerful tool, and I bet you're not using all of the features to full advantage! Video: Written guide: #bugbountytips
Tweet media one
34
433
1K
@codingo_
Michael Skelton
2 years
@offsectraining By not subjecting myself to 24 hour and 48 hour exam windows.
36
41
930
@codingo_
Michael Skelton
3 years
Let's talk recon, and recon fundamentals! 📽️Video: ✍️Written (in partnership with @securitytrails ): #bugbountytips #hacking
Tweet media one
11
179
556
@codingo_
Michael Skelton
4 years
I'm giving away $1000 worth of @PentesterLab to celebrate passing 10,000 twitter followers 🙌 @PentesterLab have matched this for a total of $2000 worth of subscriptions to give out. Details 👇👇
Tweet media one
386
111
547
@codingo_
Michael Skelton
5 years
If you're a student, or new to Infosec, please DM. I have 30 @PentesterLab subscriptions I'm giving away. Must be an active twitter account, would appreciate if you pay it forward one day.
79
241
529
@codingo_
Michael Skelton
3 years
Learning to chain bugs is invaluable, and exploring impact is key to success as a pentester, bug bounty hunter, or red teamer. Digging through some of my old submissions in a chat with @InsiderPhD to brainstorm a collab, aiming to teach some of this soon!
Tweet media one
9
57
498
@codingo_
Michael Skelton
3 years
What's your best @Burp_Suite tip or trick and where did you learn it? Will send vouchers to @PentesterLab for some of the best replies!
Tweet media one
117
153
486
@codingo_
Michael Skelton
3 years
Bug Bounty advice to avoid:
- you're being told to hunt DMARC/SPF
- you're being told to hunt clickjacking
- you're being told to use nuclei, but not how to build templates
Sources stating these are giving bad advice if money is the goal, learning to hack properly is key.
11
68
389
@codingo_
Michael Skelton
2 years
What are the best new infosec @github projects you've stumbled upon lately? Giving away @pentesterlab subscriptions for the best answers.
Tweet media one
188
85
360
@codingo_
Michael Skelton
4 years
The operating system wars of "you can't hack from Windows" or "you must use Linux" are ridiculous. Born from the 90s where people wanted to feel validated for spending a day or more setting up an environment, but they aren't valid, and you can hack on anything. You do you.
33
47
354
@codingo_
Michael Skelton
3 years
Lots of (most?) hackers don't manage/extend their @Burp_Suite configs and BApp's as well as they should be. Let's discuss! 👉 #bugcrowdtipjar #bugbountytips #hacking
Tweet media one
5
91
319
@codingo_
Michael Skelton
3 years
New blog entry - as a bug bounty beginner, what bug classes should you start with? #bugbountytips #hacking
Tweet media one
3
88
319
@codingo_
Michael Skelton
3 years
I'm giving away a @PentesterLab subscription to whoever can come up with the best fake-company name I can build the environment around for videos/streams. Please comment below if you have something! 👇
478
37
319
@codingo_
Michael Skelton
3 years
A lot of people want to do bug bounties for a living, but should you? Let's discuss! 📽️Video: ✍️Written (most detailed):
Tweet media one
18
88
307
@codingo_
Michael Skelton
2 years
For a while now, we've been working on templates and submission guidance for @Bugcrowd researchers. This is now open source, at Learn more: ✍️ 📽️
Tweet media one
7
89
297
@codingo_
Michael Skelton
3 years
Four months, 5000 subscribers, 140000 views. Thank-you so much everyone! 🥰🎉 👉
Tweet media one
16
18
282
@codingo_
Michael Skelton
6 months
A year to the day I burnt out worse than I ever have, leading to my wife and I selling our house, and buying an overrun farm to restore to prior glory. ... Best decision we ever made. Happier than ever, huge health improvements mentally, and physically. Strongly recommended.
Tweet media one
21
10
274
@codingo_
Michael Skelton
2 years
Let's talk about why you're duping so much in your bug bounty reports #bugbountytips 📽️
Tweet media one
9
54
269
@codingo_
Michael Skelton
5 months
Realising I still have ~100 @PentesterLab codes I forgot I bought to giveaway 👀
146
26
262
@codingo_
Michael Skelton
4 years
Learn how I've streamlined my bug bounty reporting in this video, using a recent release from my toolkit, BBR. Video: Tool: #bugbountytips
Tweet media one
5
81
259
@codingo_
Michael Skelton
2 years
Took leave due to burn out.. ... Bought a goat farm 🐐
25
2
263
@codingo_
Michael Skelton
3 years
Accountability - I want to put out at least 30 videos over 2021. If I fail in this, by 2022, and you are the first to quote this, I'll send you $222USD.
34
10
261
@codingo_
Michael Skelton
2 years
Making a DNS bruteforcer that @sml555_ @hakluke and I worked on privately approx 3 years ago public... Code here, if you want to poke early: .. Still needs some work - will update further before I cover in a video
Tweet media one
7
64
246
@codingo_
Michael Skelton
2 years
What are some new bounty/security tools on @github that you feel are deserving of more attention / worth using?
15
51
239
@codingo_
Michael Skelton
4 years
Released on @NahamSec 's stream today - takes a single wordlist item and tests it one by one over a large collection of hosts before moving onto the next. Create signatures to cross-check vulnerabilities over multiple hosts.
2
78
237
@codingo_
Michael Skelton
3 years
Understanding a company's cloud usage involves more than looking for Amazon S3 buckets, CloudEnum is a great tool for expanding on that, let's discuss 👉 #bugbountytips #bugbounty
Tweet media one
6
69
235
@codingo_
Michael Skelton
3 years
Now live: - go beyond the basics with your pentesting and bug bounty hunting by learning how to find the subdomain takeovers that most people miss. #bugbounty #bugbountytips #infosec
Tweet media one
4
55
235
@codingo_
Michael Skelton
4 years
In this video, I'm exploring "how to github". It's also October, which means #hacktoberfest and free swag if you contribute to projects, so there's no better time to start! Video: Written guide:
Tweet media one
1
70
234
@codingo_
Michael Skelton
4 years
Since @hakluke @vortexau and I have joined @Bugcrowd at one point or another we've now all taken a researchers P3 or P4 and elevated it into a P1 to seek more payment for them. Customer service at its best, hacker style, and worth celebrating.
6
19
231
@codingo_
Michael Skelton
2 years
Lost my dog of 14 years to heart failure this week :( RIP little buddy.
Tweet media one
Tweet media two
34
2
229
@codingo_
Michael Skelton
3 years
A quick beginners bug bounty guide on why some people dupe more than others, and how to focus on areas that dupe less, showing impact. #bugbountytips #bugbounty 👉
Tweet media one
5
45
224
@codingo_
Michael Skelton
3 years
Slack trying to be Whatsapp, Discord rushing off to be Teams. When do we move back to IRC again?
22
17
219
@codingo_
Michael Skelton
3 years
Let's talk about open redirections, and common mistakes beginners make when reporting them to bug bounty programs #bugbountytips 📽️
Tweet media one
2
62
217
@codingo_
Michael Skelton
3 years
Back to it! Let's talk about common mistakes that people make when they're first learning about authorization based vulnerabilities 👉 #bugcrowdtipjar #bugbountytips
Tweet media one
11
52
213
@codingo_
Michael Skelton
4 years
Here's a copy of the slide deck from my @bugcrowd talk today. Feel very free to ask me any questions here, or over DM:
Tweet media one
8
56
206
@codingo_
Michael Skelton
3 years
As a beginner, what operating system do you need to hack? Let's discuss 👉 #BugBountyTips #hacking
Tweet media one
12
37
195
@codingo_
Michael Skelton
3 years
Had a few DM's telling me I leaked my @securitytrails key on @NahamSec stream, which I really appreciate, but it was actually a hardcoded @PentesterLab sub (someone just now claimed/figured it out):
Tweet media one
12
11
186
@codingo_
Michael Skelton
3 years
Want to get onto new ideas quickly? Here's a quick primer on finding new Tools and Techniques on Github as quickly as they're created: #bugbountytips #bugbounty
Tweet media one
4
46
184
@codingo_
Michael Skelton
4 years
Bugcrowd's @Burp_Suite extension, HUNT, has begun a full re-write in @kotlin thanks to an amazing effort by @OptionalValue . We'll get this updated in Burp Suite shortly, but for now you can fetch it from
2
47
182
@codingo_
Michael Skelton
3 years
A few people are asking about videos, and why I've stopped.. We've a new baby on the way in six weeks, and so a lot of mindset is focussed there + preparation. I've a bunch shot / not yet edited, however, and I'll post again when time allows.
35
4
184
@codingo_
Michael Skelton
3 years
There's a lot of decisions made around bug bounty scopes, and how they're defined. Let's discuss! 👉
Tweet media one
6
52
182
@codingo_
Michael Skelton
1 year
Writing a wordlist permutation tool to replace DNSCewl.. Any ideas for a name? Giving away a @PentesterLab subscription for the best idea
Tweet media one
137
13
177
@codingo_
Michael Skelton
5 years
The @PentesterLab giveaway is now over. A total of 627 monthly or three monthly subscriptions given away to students, and infosec newcomers. Sorry for those who missed out, I still have a ridiculous amount of unread messages, but I'll do it again sometime.
15
15
174
@codingo_
Michael Skelton
3 years
Stickers, stickers everywhere! Share your laptops? Keen to see what others have done.
Tweet media one
43
6
173
@codingo_
Michael Skelton
3 years
Mistakes I see beginners make when reporting bug bounties:
- Focussing on a technical bug class, and not why it matters
- Adding items like "[CRITICAL]" to titles (if you have to say it, it likely isn't)
- Claiming a risk, but not qualifying why there's risk. Outline the why.
8
27
168
@codingo_
Michael Skelton
4 years
I'm going to start picking some random people out of the @Bugcrowd discord each Friday (Australia time) to do some 1:1 training with. If you're interested, you can join here:
15
32
167
@codingo_
Michael Skelton
2 years
I'm excited to expand on recon fundamentals at #NahamCon2022 . Thank-you for having me @NahamSec !
Tweet media one
4
7
163
@codingo_
Michael Skelton
3 years
I find DOS to be very misunderstood. Let's talk about why, and what goes into an impactful DOS that matters within a bug bounty program. 👉 #bugcrowdtipjar #bugbountytips
Tweet media one
4
48
157
@codingo_
Michael Skelton
3 years
Offering a @PentesterLab subscription for the best name for a tool that does Reverse Whois and Whois History matching over multiple sources. Similar to @vysecurity 's awesome work on DomLink. Suggestions?
186
20
158
@codingo_
Michael Skelton
3 years
Here we goooo... loaded up on @PentesterLab for 2021 giveaways.
Tweet media one
27
14
159
@codingo_
Michael Skelton
3 years
A gentle reminder to disable this default FoxyProxy setting... Something I think many forget about:
Tweet media one
6
25
155
@codingo_
Michael Skelton
1 year
What are your best tricks, tools or ideas for wordlist generation? I'm giving away 10 @PentesterLab codes for the best (unique) answers
Tweet media one
46
22
154
@codingo_
Michael Skelton
3 years
Let's talk recon! The @rapid7 open data project, and @erbbysam 's DNSGrep are amazing in combination to find new assets. Let's discuss 👉 #bugbountytips #bugcrowdtipjar #hacking
Tweet media one
2
38
151
@codingo_
Michael Skelton
3 years
We're looking for a new Head of Support @Bugcrowd .. come work with @Farah_Hawaa @InsiderPhD @securibee @caseyjohnellis , myself and a wholllle bunch of other community and security focussed people. Applications 👇👇
Tweet media one
8
33
148
@codingo_
Michael Skelton
3 years
After last night's call with @stokfredrik he mentioned I should move one of my lights above/behind me to create more dimension and better colour.. Here's the before/after. It's amazing and humbling to me how easily and quickly he identified such a functional improvement.
Tweet media one
7
4
142
@codingo_
Michael Skelton
4 years
Videos on Nuclei and Axiom are now in planning phases (spoken with @pry0cc and @Ice3man543 to help on deep dive). The longer format videos take a lot longer to produce, so I'll have some shorter videos in between, with some tool releases also.
8
15
138
@codingo_
Michael Skelton
3 years
It's still early days but I feel really good about how far I've upgraded the aesthetics of my content since I began. A huge shoutout to @stokfredrik for being a regular soundboard, helping me to learn about lighting, and general advice as I've grown into video.
Tweet media one
8
5
137
@codingo_
Michael Skelton
2 years
Now I have both @intigriti and @Bugcrowd security blankets.. who needs central heating. Tyvm @intigriti , much ♥️
Tweet media one
9
1
138
@codingo_
Michael Skelton
3 years
Ever wanted to participate in a Bug Bash, but never got an invite or didn't know how to get on the list? Now's your chance! We ( @bugcrowd ) have our first virtual bash with @okta coming up, apply here 👇👇
Tweet media one
6
25
134
@codingo_
Michael Skelton
3 years
One thing @caseyjohnellis told me when I joined Bugcrowd - always hire people that scare you, and can do your job better than you can. I think I'm nailing that on a few fronts, and honoured to be in the trenches with a bunch of smart folk. More to come here too.. I'm excited.
12
5
134
@codingo_
Michael Skelton
4 years
This is why I love my job. 11 minutes from submission / internal investigation / payment. You're the man @proabiral #jointhehunt cc: @Bugcrowd
Tweet media one
6
6
132
@codingo_
Michael Skelton
3 years
Since this worked so well last time.. I'm giving away a @PentesterLab subscription / future video shoutout to whoever can come up with the best name for a tool specifically designed to aid in target selection
118
11
125
@codingo_
Michael Skelton
4 years
Want more opportunities with @Bugcrowd ? It's not about points, or # reports. Do good work, write detailed reports. We notice, and we refer you for more invites. If you're a quality professional, we want you on more customers.
9
12
134
@codingo_
Michael Skelton
3 years
Following @infosec_au start on talking about triage, and all that has happened the past week, I have approval from @Bugcrowd to do a video/blog breaking down a lot of the processes, behind the scenes, and what goes into our side of the industry. What do you want to know?
21
10
133
@codingo_
Michael Skelton
3 years
Buy SecurityTrails and Whoxy API credits ✅ Setup Microsubs ✅ Setup FastsubWhite ✅ Setup Interlace ✅ Setup Crithit ✅ Setup Dooked ✅ ... New VM prepped for streaming with @NahamSec ! Now to decide on associated beverage... Coffee, tea, or whiskey?
6
19
130
@codingo_
Michael Skelton
5 years
A huge thank-you to @Bugcrowd for the Buggy award! I'm honored and humbled to receive it. Thank-you for all that you do for the community and providing the means for people to give back.
Tweet media one
13
6
132
@codingo_
Michael Skelton
3 years
Mailman rocked up with both @Bugcrowd and @intigriti swag today.. lucky me😍
Tweet media one
4
1
132
@codingo_
Michael Skelton
3 years
Impostor syndrome is kicking hard and I'm struggling to record anything I'm happy with.. may take a break from videos for a bit, but I'll be back when I'm back.
12
3
127
@codingo_
Michael Skelton
3 years
I've built a search function into for searching over your favorites.. The last 50 videos by every channel on are automatically added, to allow you to search more widely and beyond just my own content
Tweet media one
6
37
126
@codingo_
Michael Skelton
3 years
Going to be on vacation for the next week.. If you have anything urgent please direct it to support @bugcrowd .com, or be patient for a reply. Aiming to avoid tech where I can and hit it hard once I'm back 👋
Tweet media one
13
1
129
@codingo_
Michael Skelton
2 years
With this latest giveaway, I'll pass 1000 @PentesterLab gift subs given out😅Thank-you to @snyff for always being so easy to work with!
Tweet media one
9
16
128
@codingo_
Michael Skelton
3 years
Whilst most XSS scanners miss the mark (heavily), I've been watching this one be developed over the past few months and believe it's worth your time!
@xsswingman
Wingman
3 years
Introducing: Wingman Wingman is an XSS scanner designed for bug bounty hunters, infosec professionals, and hobbyists. Read more:
6
91
303
2
12
120
@codingo_
Michael Skelton
3 years
Happy bounty day!
Tweet media one
10
11
122
@codingo_
Michael Skelton
3 years
Not done this for a while, but @vortexau inspired me to do a @PentesterLab giveaway.. First come, first serve! Will do another, larger giveaway soon.
48
15
116
@codingo_
Michael Skelton
3 years
It's easy to look like you're an informed professional on Twitter, but many aren't. How do you validate credentials / ensure you're getting the right advice, training or coaching from someone who has been there / done that?
26
1
117
@codingo_
Michael Skelton
4 years
Finally happy with my laptop sticker coverage! Share yours?
Tweet media one
21
7
115
@codingo_
Michael Skelton
3 years
In a couple of weeks I'll be releasing a new DNS monitoring tool... Giving away a @PentesterLab sub if anybody has a really good name for it. Currently using "dooked" (a tip of the hat to @dooktwit 's DNS abilities 🔥) but wondering if there's a better name out there?
60
11
117
@codingo_
Michael Skelton
5 years
So thrilled to be working on this book with @Jhaddix . We've been at it for a while, with the goal to make something we feel we could pick up ourselves and learn something from - both at this stage in our hunting and when we started.
@Jhaddix
Jason Haddix
5 years
Excited to announce that @codingo_ and I are currently working on “The Bug Hunter’s Methodology” book. The book will focus on cutting edge web red team, pentester, and bug bounty topics. Tools, methods, automation, and no BS.
72
155
1K
2
12
113
@codingo_
Michael Skelton
4 years
@intigriti Write the CEO's name of the company it's placed in. Either "returned" to the CEO, who plugs it in out of curiosity, or nabbed by an employee, who plugs it in out of curiosity.
2
1
113
@codingo_
Michael Skelton
3 years
The next two common misconceptions videos will be on XMLRPC, and SSRF - what else do you want me to cover? What's an area you feel you don't fully understand and get N/A's in a lot?
15
9
114
@codingo_
Michael Skelton
4 years
Most @pentesterlab vouchers are gone now, I have a few I've kept where I couldn't send to people (because of closed DM's) that will go out over the next few days. If you missed out, I'll be continuing to give these away over videos, which you can find at
20
7
111
@codingo_
Michael Skelton
3 years
I've now added Hindi subtitles to this, enjoy!
@codingo_
Michael Skelton
3 years
Understanding a company's cloud usage involves more than looking for Amazon S3 buckets, CloudEnum is a great tool for expanding on that, let's discuss 👉 #bugbountytips #bugbounty
Tweet media one
6
69
235
6
10
107
@codingo_
Michael Skelton
3 years
Pretty sure this means giving more @PentesterLab subs away will help future-me in hiring?
@S1r1u5_
s1r1us | Mohan Sri Rama Krishna Pedhapati
3 years
Funny story, two years back when I was starting in infosec @codingo_ helped with an @PentesterLab subscription and soon I will be joining his team.
3
1
52
11
4
106
@codingo_
Michael Skelton
4 years
My FFUF deep dive video now has subtitles available in Hindi. If you find this valuable, please let me know!
2
14
103
@codingo_
Michael Skelton
3 years
Thank-you for the epic swag drop @PentesterLab , much ♥️
Tweet media one
5
0
104
@codingo_
Michael Skelton
3 years
Thank-you so much for the personalised swag @bsidesahmedabad ! Incredibly appreciated!
Tweet media one
5
4
102
@codingo_
Michael Skelton
3 years
2021 prep... So much still to be done though.
Tweet media one
7
3
104
@codingo_
Michael Skelton
6 months
I'm no @HackingDave but successfully completed my 100th workout for 2023, and down 7kg from my heaviest.. Feels like a milestone worth celebrating. #wehackhealth
11
1
103
@codingo_
Michael Skelton
2 years
I've always been paranoid about putting a lock on the garage and turning off power when not using it. My @flipper_zero arrived today.. That paranoia now feels quite vindicated (capture raw/replay)
4
7
101
@codingo_
Michael Skelton
3 years
Hindi subtitles now added, enjoy! 🎉
@codingo_
Michael Skelton
3 years
Lots of (most?) hackers don't manage/extend their @Burp_Suite configs and BApp's as well as they should be. Let's discuss! 👉 #bugcrowdtipjar #bugbountytips #hacking
Tweet media one
5
91
319
5
8
99
@codingo_
Michael Skelton
3 years
A quick #bugbountytips #bugbounty review of a tool @vortexau and I wrote together to help you maintain a clean list of DNS servers for use with other tooling
Tweet media one
1
19
97
@codingo_
Michael Skelton
6 years
Subfinder is now a github organisation. You can now find it at . Contributors are very welcome.
1
43
93
@codingo_
Michael Skelton
4 years
💖 I'm sponsoring @TomNomNom because who doesn't use httprobe these days?
1
2
96
@codingo_
Michael Skelton
4 years
I'm planning another @pentesterlab giveaway. I'm thinking the next one will depend on the recipient making a contribution to the community (github pull request, blog, something else) to claim a subscription voucher.. thoughts? Is it better to just free for all?
13
10
94
@codingo_
Michael Skelton
3 years
Won't work directly, play around and see if you can claim yourself a @PentesterLab key: S2VjVXA3X3dPTmlrNHJqbkV5UVpvX004cFpjdlBxYUI= 2rijdea5DZRhuVm2GlZZ5Tuo7hux7ASf O0Y3lWNKAbFDp34k50r_I54A1NJ7eyu Three keys, please comment below if you claim one so others don't waste time.
12
7
91
@codingo_
Michael Skelton
4 years
For every pull request I merge to I'll send the author a free month of @pentesterlab . Offering cash bonuses to significant contributions as well. Available until the 31st of March.
3
29
92
@codingo_
Michael Skelton
3 years
No video this week sorry.. Sick / sick toddler. Family first, but I'll have new content next week.
14
0
92