Mikhail Shcherbakov

@yu5k3

Followers: 948 | Following: 1K | Media: 54 | Statuses: 472

Doing security research. For fun and profit...

Stockholm, Sverige
Joined October 2014
@yu5k3
Mikhail Shcherbakov
9 days
RT @0a_yso: Parsed 12k+ bug-bounty write-ups & blogs (and counting 24/7) and mapped each to CWE + language. Quick hits: • ~60% of RCEs happ…
@yu5k3
Mikhail Shcherbakov
28 days
RT @J0R1AN: Small tip for the JavaScript reverse engineers out there, Chrome has a `debug()` function which triggers a breakpoint whenever…
@yu5k3
Mikhail Shcherbakov
30 days
RT @yu5k3: Reply if you want the list of resources that I used to dev my own Chrome RCE exploit. Might write a thread if there's interest…
@yu5k3
Mikhail Shcherbakov
1 month
Reply if you want the list of resources that I used to dev my own Chrome RCE exploit. Might write a thread if there's interest. Also, if you have an SSRF in Chrome 134 in a BBP, DM me. It could be a great collab to turn the report into a full RCE 🤝
@yu5k3
Mikhail Shcherbakov
1 month
- Open-source repo = easy diffs for n-days.
- Regression tests (if you're lucky) help a lot.
- Controlled JS = powerful primitives, e.g., heap- & jit-spraying.
- V8 sandbox adds that spicy edge 🌶️
@yu5k3
Mikhail Shcherbakov
1 month
I played with Chrome vulns back in Jan, mostly trying to reproduce n-days. In May, I found promising targets and developed an RCE from scratch to reverse shell in Chromium 134. Low-level exploits are real fun 🔥 and Chromium is an awesome playground for them:
@yu5k3
Mikhail Shcherbakov
1 month
🤓 2025 YTD #BugBounty stats update, May: 📄 11 issues Reported (4 Crit, 2 High, 5 Medium). 💰 9 issues Paid. A new month means 2 more RCEs reported 👌 This time I hit Chromium headless browser for the first time in BBPs.
@yu5k3
Mikhail Shcherbakov
2 months
👌 2025 YTD #BugBounty stats update, April: 📄 9 issues Reported (2 Crit, 2 High, 5 Medium). 💰 8 issues Paid. Switched to monthly updates instead of weekly. Why? I don't drop new vulns every week 😅 My stats from the last months confirm my "capacity": ~2 RCEs per month.
@yu5k3
Mikhail Shcherbakov
2 months
RT @seanhn: I wrote up how I used o3 to find CVE-2025-37899, a remote zero-day vulnerability in the Linux kernel's SMB implementation. Link…
@yu5k3
Mikhail Shcherbakov
2 months
So yeah, I've started thinking about switching back to industry and ending the full-time BB experiment. Don't be surprised if that happens in the next couple of months, it'll just mean the dark side with cookies and performance reviews won this round 😅
@yu5k3
Mikhail Shcherbakov
2 months
Hitting my Q1 milestone of earning the same as I would've by signing my last job offer definitely gives me motivation to push even harder. That said, my current efforts haven't led to any big breakthroughs in my BB methodology.
@yu5k3
Mikhail Shcherbakov
2 months
Still, it opens up more opportunities that I'm trying to take advantage of. I'm investing time into researching new types of attacks and building out automation. This is really the kind of life I enjoy: taking risks and being fully responsible for everything that happens!
@yu5k3
Mikhail Shcherbakov
2 months
The first financial goal, reaching income comparable to a full-time IT job, is achieved! Two RCEs with a bit of "collateral damage" per month has been enough to make it work, though I won't lie, it's way more stressful.
@yu5k3
Mikhail Shcherbakov
2 months
In April, I reported 2 #RCE (consistency 😎), and once again, one of them was classified as Medium. Fine, move on. Many previously reported vulns also got paid this month 💸 I've been doing BB full-time since late last year, so it's a good moment to sum things up.
@yu5k3
Mikhail Shcherbakov
2 months
If I have extra time, I go through old notes and mine a few more, usually with less critical severity. As you can see, some RCEs end up being classified as Medium due to BBP restrictions, but even then, the bounties were not too bad.
@yu5k3
Mikhail Shcherbakov
2 months
👌 2025 YTD #BugBounty stats update, April: 📄 9 issues Reported (2 Crit, 2 High, 5 Medium). 💰 8 issues Paid. Switched to monthly updates instead of weekly. Why? I don't drop new vulns every week 😅 My stats from the last months confirm my "capacity": ~2 RCEs per month.
@yu5k3
Mikhail Shcherbakov
3 months
🫡 2025 YTD #BugBounty stats update, March: 📄 7 issues Reported (2 Crit, 1 High, 4 Medium). 💰 2 issues Paid. Reported 2 RCEs and some "collateral damage" for March. Still investigating new targets and developing my own tools.
@yu5k3
Mikhail Shcherbakov
2 months
RCE in Elastic Kibana via Prototype Pollution (CVSS 9.9) 🚀
@CVEnew
CVE
4 months
CVE-2025-25015 Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8…
@yu5k3
Mikhail Shcherbakov
2 months
RCE in Elastic Kibana via Prototype Pollution (CVSS 8.7) 🤔 Curious about the A:N in the vector for the RCE. Typo or did I miss something?
@CVEnew
CVE
3 months
CVE-2024-12556 Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.
@yu5k3
Mikhail Shcherbakov
2 months
Unrestricted File Upload in Elastic Kibana (CVSS 5.4). Part of another chain ending in XSS and showing ATO impact. I shared some details at my last DEF CON, but the deep dive is still in the vault. Looks like I've hoarded enough CVEs for the next talk 😅
@CVEnew
CVE
2 months
CVE-2024-11390 Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript fil…
@yu5k3
Mikhail Shcherbakov
2 months
Unrestricted File Upload in Elastic Kibana. Part of the most beautiful and non-trivial chain I've built. I'm excited to get a chance to share the full story in a con talk someday 🤞.
@CVEnew
CVE
2 months
CVE-2025-25016 Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-…
@yu5k3
Mikhail Shcherbakov
2 months
RCE in Elastic Kibana via Prototype Pollution (CVSS 9.1) 🔥
@CVEnew
CVE
2 months
CVE-2025-25014 A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.