Reported a critical Blind XSS to Watson that could lead to user cookie theft on a WordPress-hosted asset. I was expecting a significant bounty given the impact, but the asset was later decided to be Tier 5 and the final reward came out to just $138.
Hey @intigriti, I reported a critical issue to a program; it’s now resolved and I completed retesting. I received only a $50 reward, but there’s no mention of the main bounty decision in the report, so I assumed it’s rewardable.
Not sure what’s going on lately: some reports get quick responses, but others sit for over a month with no bounty. Even after retesting, a few don’t get any reply at all. Just stuck in pending.
I am not sure why this happens, but I have noticed a consistent pattern: whenever a campaign is active on a program and I revisit it, I tend to find multiple valid issues. In contrast, when I visit the same program during normal periods, I often do not find any valid issues at all.
@3nc0d3dGuY @zack0x01 Also tried your version; it’s fantastic. It captures all the GraphQL queries and mutations perfectly, and the output is super easy to explore. Amazing tool.
The company should’ve disclosed earlier that role enforcement wasn’t fully implemented on their GraphQL. After reporting 4–5 valid issues, they closed them as “duplicate/informative” and then marked the endpoint OOS. Now saying it’s a “global issue” and will be fixed at once.