Day~1 Today, I went through 38 write-ups about (IDOR) vulnerabilities. Whenever these write-ups present Burp Repeater tabs, URL endpoints, or API data, I could guess around 90% of the exploration process. My notes: https://t.co/SWXUMtV1rH… #bugbountyjourneyDay1
i dont understand why everyone seems to be getting the fable blocks.. probably going to jinx myself, but havent seen a single one yet and was able to get one of my pending Apple vulns to do much more than i thought was possible when originally filed. its already accepted/pending a summer 2026 fix, so not sure if providing the extra info/exploit poc will make any difference, but time to find out 🤞
Notion is for writing.
Figma is for designing.
Neither is for thinking.
I spent 3 months building the missing piece.
https://t.co/VEETUvma2l — live today
That's the system.
5 workflows. One tool.
Any PDF → navigable map.
3hr podcast → 5min scroll.
YouTube lecture → structured branches.
NotebookLM gives you the library.
Claude gives you the thesis.
SpawnGraph gives you the map.
Free to try → https://t.co/PqZVOch09Z
Repost the first tweet if this saved
your Sunday 🧵
NotebookLM ingests it.
Claude reasons over it.
But neither shows you how the ideas connect.
5 SpawnGraph workflows that turn PDFs,
podcasts, and YouTube lectures into one
visual map you can actually navigate.
Compress 200 hours of research into one Sunday.
Save this thread 🧵
This is exactly why India needs open-source governance 🕊️
Imagine Open-Source Politics in India:
See who built the road in your area
Track every rupee spent on projects
Accountability should not cost lives.
Most mind mapping tools only let you draw bubbles and short headings.
But real work lives inside long PDFs, messy notes, research papers, tickets, bug reports, and random links.
That’s why I’m building SpawnGraph – a futuristic collaborative canvas that turns PDFs, documents, text, and links into full‑context, editable mindmaps on a customizable board. No more losing the details behind the nodes.
SpawnGraph is in private beta right now and officially launch Tomorrow .
If you’re a student, researcher, note‑taker, freelancer, or builder who wants to try converting real docs into mindmaps, drop a comment or DM “beta” and I’ll share early access
Seeing a lot of fear mongering about 'required' use of AI in bug bounty. My approach hasn't really changed in the last couple of years, yet I'm sitting with 17 high / critical bugs from the last 10 days.
Currently the only thing I use AI for in bug bounty is programming.
I disagree a bit here. I believe we’re no longer talking about companies investing a ton of money and getting almost zero return, but rather about individual researchers. These tools are very accessible and are already creating a huge impact if you know how to use them.
Speaking for myself, with a $200 investment, I already achieved a 70x return in bug bounties in a single month. So the impact is already there, and for me, this is no longer “hype”… just saying. 🤷🏻
day 2: how to hit bounty quick $1,500.
Tip for bug bounty hunters: every AI chatbot on a website is an attack surface now.
I asked a company's AI support bot to "help me understand this error."
The error was a base64-encoded XSS payload.
The bot decoded it. Rendered it in the DOM. Zero sanitization.
That gave me JavaScript execution on their site.
From there:
→ Cookie downgrade via OAuth flow
→ Stole authentication tokens
→ Full account takeover
I reported it. 4 months of silence.
Then they quietly patched it and told me they "couldn't reproduce it."
So I sent video proof. Timestamps. Working PoC. Everything documented.
$500 → $1,500.
Every company is rushing to ship AI features. Nobody is auditing the output. If it renders in the DOM, it's probably vulnerable.
Go test them. Free XSS everywhere.
And if they try to lowball you — push back. Always push back.
Full YouTube lab breaking down the entire chain if this hits 2,000 ❤️
Bug bounty tip most beginners don't know:
Don't hack Google. Don't hack Apple. Don't hack Facebook.
Start with small startups on HackerOne that have 0-5 hackers looking at them.
Less competition = faster first bounty even public programs.
I found my first bug in a program after 1 month full tiem Paid $2500.
Next post: how to find YOUR bug type — the one thing you get so good at that money becomes inevitable subscribe to be alerted when it comes .
June’24,I started 365-day bug bounty challenge.
Quit on day 363 just before my first bounty
That failure taught me more than success ever could.
Today,I restart with the 12-Week Year.
Posting every Monday until my first $10K bounty
https://t.co/9EwtJ8VebS
https://t.co/K0mKUcOfxi
🎯 Day 363 of my Bug Bounty journey
Build a social media app with Node.js, GraphQL, Prisma, PostgreSQL, JWT, bcryptjs, Cloudinary, TypeScript, React, Vite, Tailwind CSS, SASS/SCSS. Summarizing tweets takes more time than git!📝
https://t.co/BJhjkIxSo7
https://t.co/cSo1kXNsaj
Every time I open X, I notice in the bug bounty / infosec space, people are posting anything these days copy-paste threads, fabricated success stories recycled “recon tips,” tools they’ve never actually used, resources they haven’t even read - just to grab likes and followers.
No depth.
No real testing.
No responsibility.
And I genuinely wonder:
how are newcomers going to learn in all this noise?
Sharing knowledge is good.
Teaching is powerful.
But posting unverified, half-understood, fabricated success as cybersecurity content just for engagement helps no one - and sometimes even misleads beginners.
No one need more “security influencers.”
People need more researchers, who share there research how they do, what they learn new, what is really working and what not. Do it in hard way.
Stop chasing numbers.
You can lie today with posts, threads, and recycled “tips” but one day, all that so-called hard work will be exposed.
Because you’re not just fooling others, you’re fooling yourself.
Followers don’t equal knowledge. Likes don’t equal skill.
In security, sooner or later, someone will look inside your work and realize: there’s nothing there just noise.
If you read this far and it resonated, repost it so it reaches the people who need to read it.
#BugBounty #Hacking #InfoSec #CyberSec #Cybersecurity
2025 stats:
~200 reports sent
133 paid reports
+ 18 pending
It still feels so surreal, a year ago I barely had 1 paid report.
Next year:
-Volume < higher payouts
-More learning
-More collaboration
Thank you @Bugcrowd and @yeswehack for the best student job I could ask for!
a mistake that cost me 5 years: thinking preparation was progress. reading every book. taking every course. planning every detail. meanwhile, someone dumber than me started badly and figured it out. preparation feels productive but it's often just fear dressed up as strategy. you learn to swim by getting in the water, not by studying water.