Max Yaremchuk Profile
Max Yaremchuk

@0xw2w

5,855
Followers
560
Following
567
Media
2,222
Statuses

I’m looking for bugs and overcoming limitations - Application security. Senior meme engineer

Pinned Tweet
@0xw2w
Max Yaremchuk
1 year
Here’s my new blog post, “Bugs showcase #2 - Privilege escalation using improper preservation of permissions during the OAuth app installation”
1
16
56
@0xw2w
Max Yaremchuk
5 years
Wrote a new article, «Cookie-based XSS exploitation | $2300 Bug Bounty story». The article contains the exploitation methods I have used, which will help you understand how to use this XSS to prove and increase the vulnerability's impact. Happy reading :)
3
247
549
@0xw2w
Max Yaremchuk
3 months
Yay, I cooked Grammarly’s SSO and invitation system for $12k on @Hacker0x01 ! I sent 13 bugs to Grammarly in 2 weeks during the last promotion, and here are things to consider when hacking on the program: - Submit reports with CVSS, explaining each metric of the score. Grammarly
Tweet media one
10
22
541
@0xw2w
Max Yaremchuk
4 years
I'm happy to announce my first public tool for javascript analysis - JSA ! It was a part of my private automation workflow for a long time, and it helped me score the highest bounty in my fav program on @Hacker0x01 - $6500. Hope you'll like it! #bugbounty
Tweet media one
7
143
415
@0xw2w
Max Yaremchuk
4 years
This is how the devs of one website did security. It's the main app's JS file, and it contains a login and password in the "if not login and password" statement. @Hacker0x01's private BB program, if someone's wondering.
Tweet media one
28
45
388
@0xw2w
Max Yaremchuk
2 years
This is the silliest and strangest 2FA bug I found (so far): The application generates the same TOTP key for every account. By obtaining a TOTP key for one account it's possible to obtain the current TOTP code for all other accounts.
Tweet media one
26
23
379
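The shared-seed bug above, as an added example (not the author's code): RFC 6238 TOTP built from the Python standard library (SHA-1, 30-second step, 6 digits, the defaults most authenticator apps use), with the vulnerable enrolment next to a per-account one and a black-box check that spots the sharing from outside. The account names are constructed; the seed is the RFC 6238 test seed standing in for whatever constant the application used.

```python
# Added example, not the post's code: RFC 6238 TOTP from the standard library, used to
# show one seed shared by every account versus a per-account seed. Accounts are constructed.
import hashlib
import hmac
import secrets
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)

# The bug: one seed baked into the application and handed to every account.
SHARED_SEED = b"12345678901234567890"   # RFC 6238 test seed, playing the constant here

def enrol_shared(accounts):
    return {account: SHARED_SEED for account in accounts}

# The fix: a fresh 160-bit seed from the CSPRNG at every enrolment, stored per account.
def enrol_per_account(accounts):
    return {account: secrets.token_bytes(20) for account in accounts}

def codes_at(enrolment: dict, unix_time: int) -> dict:
    return {account: totp(seed, unix_time) for account, seed in enrolment.items()}

def shared_seed_suspected(enrolment: dict, unix_time: int) -> bool:
    """Black-box check: accounts you control all showing the same code at the same instant.
    One match can be a 1-in-a-million coincidence; repeat across a few time steps before reporting."""
    codes = list(codes_at(enrolment, unix_time).values())
    return len(set(codes)) < len(codes)
```

With the shared seed, the code you read from your own authenticator is every other user's code for that 30-second window, which is exactly the impact described above; with per-account seeds the only thing two accounts share is the algorithm.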
@0xw2w
Max Yaremchuk
2 years
I'm currently doing extensive research on the security of MFA implementations. Over time, I documented 32 categories of possible workarounds, came up with my own techniques/bypass variations, and sent > 204 MFA bypasses to bug bounty programs. I plan to publish my work sometime🙂
12
38
377
@0xw2w
Max Yaremchuk
2 years
As a part of my research on SAML SSO and OAuth, I sent 8 reports to bug bounty programs, resulting in > $8 000 in bounties. After checking every bounty target corresponding to vulnerability requirements, I plan to write about it in the blog 📘
Tweet media one
9
13
292
@0xw2w
Max Yaremchuk
2 months
This is what happens when I'm locked in
Tweet media one
9
1
291
@0xw2w
Max Yaremchuk
5 years
I've just published my research on the Two Factor Authentication security subject . I had fun and enjoyed writing this one, hope you'll enjoy reading! Have a good read! 🙂
7
125
288
@0xw2w
Max Yaremchuk
2 years
Tweet media one
4
21
188
@0xw2w
Max Yaremchuk
5 years
I've just noticed that I sent 47 bypasses of 2FA on @Hacker0x01!😱 If you have a Bug Bounty program with 2FA, let me break into it. I will find all possible workarounds in your 2FA and its interactions with other functionalities, which will possibly lead to reporting a 2FA bypass🙂
Tweet media one
11
13
172
@0xw2w
Max Yaremchuk
5 years
Bug bounty advice: If you have a GET request where developers added referer-based CSRF protection, use an on-site Open Redirect for this URL to get a whitelisted website in the Referer header. In the case of a POST request, try to change the method to GET.
6
40
151
@0xw2w
Max Yaremchuk
5 years
I created a small list of Open Redirect vulnerabilities that I found while participating in bug bounty programs. For devs: alone, they carry no danger, but you can use them in bug chains in order to get a higher payout 💵 Happy hunting! #bugbounty
3
46
153
@0xw2w
Max Yaremchuk
4 years
Yay, I reached the top 100 on @Hacker0x01 ! :)
Tweet media one
13
2
149
@0xw2w
Max Yaremchuk
5 years
Bug bounty advice: When a parameter for open redirect accepts NOTHING BUT https://example.nettext, check . The domain can be free for registration. Today I found an open redirect in an OAuth flow this way.
2
37
150
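The two allow-list mistakes in the CSRF tip and the open-redirect tip above, as one added example (not the author's code): a prefix match that lets `https://example.nettext` through, and a Referer-only check that never looks at GET, next to a version that compares the parsed host exactly and ties state changes to a session token. `example.net` is a placeholder host.

```python
# Added example (not the posts' code): the weak redirect/Referer allow-list check that
# yields the bugs above, beside a host-exact, token-backed version. example.net is a placeholder.
import hmac
from urllib.parse import urlsplit

TRUSTED_HOST = "example.net"

def weak_is_trusted(url: str) -> bool:
    # Prefix match: "https://example.nettext/" and "https://example.net@evil.tld/" both pass.
    return url.startswith("https://" + TRUSTED_HOST)

def strict_is_trusted(url: str) -> bool:
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact host or a subdomain: the label boundary is what the prefix check lacks.
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)

def weak_csrf_check(method: str, headers: dict) -> bool:
    """Referer-only protection from the post: any page on the trusted site that forwards the
    browser (an open redirect) supplies a trusted Referer, and GET is not checked at all."""
    if method != "POST":
        return True
    return weak_is_trusted(headers.get("Referer", ""))

def strict_csrf_check(method: str, headers: dict, session_token: str, submitted_token: str) -> bool:
    """State changes only on non-GET methods, origin compared by exact host, plus a per-session
    token the attacker's page cannot read. The Referer alone is never sufficient."""
    if method not in ("POST", "PUT", "PATCH", "DELETE"):
        return False
    source = headers.get("Origin") or headers.get("Referer") or ""
    if not strict_is_trusted(source):
        return False
    return hmac.compare_digest(session_token, submitted_token)
```

The token is what actually closes the open-redirect route: a trusted Referer can be manufactured, a value bound to the victim's session cannot.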
@0xw2w
Max Yaremchuk
9 days
I just unexpectedly received $2k for email HTML injection in AWS—thought it'd be None-Low but it was assessed as Medium. No wonder the last LHE hit 2 mil, the program issues fair rewards. Anyway, continue sending free bugs to VDP, a multi-billion dollar company appreciates it.
Tweet media one
1
4
144
@0xw2w
Max Yaremchuk
5 years
Tip: If you have an API endpoint like /api/v2/****/, try to substitute v* with a lower number and look at the reaction. Maybe there is an IDOR or improper auth bug #bugbountytip
4
51
140
@0xw2w
Max Yaremchuk
2 months
Spotify increased bounty payouts for Highs and Crits: 2 and 4k now vs $700 and 2k prior. I've been hoarding bugs I stumbled on while using Spotify, and now I can get a decent bounty for them. Sending a Spotify ATO for $700 was disappointing tbh
Tweet media one
4
2
132
@0xw2w
Max Yaremchuk
5 years
@C0deur @Hacker0x01 I've documented some of the techniques that I'm using, you can check it out here: . Implementations of 2fa in different web applications may vary, so there are other bundles to bypass 2fa.
5
67
129
@0xw2w
Max Yaremchuk
1 month
I cooked hard on @intigriti — two auth misconfigs allowing me to obtain admin access. It's a pity I can't publish these bugs along with 200 others. Still, reporting them to a private BBP paid my bills while write-ups wouldn't; that's how it works, unfortunately
Tweet media one
Tweet media two
3
3
125
@0xw2w
Max Yaremchuk
5 years
In February, I submitted 55 vulnerabilities to 21 programs on @Hacker0x01 and made 700 rep points🎉 Still, some reports need to be triaged & rewarded (22 are still in a new state). It was a super fun month of full-time bug bounty hunting, hope to hunt again😁 #TogetherWeHitHarder
4
1
115
@0xw2w
Max Yaremchuk
8 months
I was once again renewing my Spotify premium plan, got logged out of my account in the mobile app, and accidentally found a 1-click ATO in Spotify while trying to log in 😳
Tweet media one
7
1
108
@0xw2w
Max Yaremchuk
2 years
I'm two months into the program and found 52 bugs. This is my longest time focusing on a single program, but it's worth it since the knowledge will come in handy in future testing. My report count record for the single BBP is 123 (epic games), and I'm trying to beat it :)
3
2
101
@0xw2w
Max Yaremchuk
4 years
Hello to anyone who works at @Hacker0x01!🙂 For ~1 month, I kept records regarding how to improve the platform's UX/UI and fix some really annoying problems that don't let researchers work efficiently. It's 17 "paragraphs", here are all of them:
Tweet media one
Tweet media two
5
4
103
@0xw2w
Max Yaremchuk
5 years
Yay, I was awarded a $2,000 bounty on @Hacker0x01 for Account takeover w/o user interaction via consecutive enumeration of the password recovery code due to a lack of code invalidation and expiry! 💣💥 #TogetherWeHitHarder
Tweet media one
2
5
97
@0xw2w
Max Yaremchuk
5 years
Yay, I was awarded a $5,000 bounty on @Hacker0x01 for Improper access control! Wohooo, that's my biggest bounty on h1 so far! 🎉 The company took the breach seriously and closed a site right away after the report. #TogetherWeHitHarder
Tweet media one
8
1
98
@0xw2w
Max Yaremchuk
4 years
*Unsubscribing from a service and a website asks to describe why are you unsubscribing* My blind XSS payload:
Tweet media one
3
8
94
@0xw2w
Max Yaremchuk
5 years
Yay, I was awarded a $750 bounty for Open Redirect that leads to ATO via SAML SSO data capture through POST request on a third-party domain on @Hacker0x01 ! #TogetherWeHitHarder
4
9
91
@0xw2w
Max Yaremchuk
4 years
When testing "access denied" bypass using X-Rewrite-Url or X-Original-Url, do a negative grep for the Cloudflare response; this way you can avoid a lot of false positives when testing a big list of hosts. #automation_workflow
Tweet media one
2
14
93
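The header-override test above and the API version-downgrade tip earlier on this page ("substitute v* with a lower number"), as one added example (not the author's automation): building both kinds of probe and classifying the answers, with the negative grep for Cloudflare pages so a Cloudflare error or challenge page is never counted as a bypass. The responses are constructed; nothing is sent over the network.

```python
# Added example (not the post's automation): request builders for the X-Original-URL /
# X-Rewrite-URL override and for API version downgrades, plus a classifier that applies
# the Cloudflare negative grep. All responses here are constructed; no network traffic.
import re
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Markers of Cloudflare answering instead of the origin (its error and challenge pages).
# Server: cloudflare / cf-ray alone are not enough: the proxy adds those to origin replies too.
CF_BODY_MARKERS = ("attention required! | cloudflare", "cf-error-details",
                   "just a moment...", "cloudflare ray id")

def looks_like_cloudflare(r: Response) -> bool:
    headers = {k.lower(): v.lower() for k, v in r.headers.items()}
    body = r.body.lower()
    return "cf-mitigated" in headers or any(m in body for m in CF_BODY_MARKERS)

def override_requests(denied_path: str, reachable_path: str = "/"):
    """Ask the backend for denied_path while the front proxy/ACL only sees reachable_path."""
    return [(reachable_path, {h: denied_path}) for h in ("X-Original-URL", "X-Rewrite-URL")]

def version_variants(path: str):
    """/api/v3/x -> /api/v2/x, /api/v1/x: older versions sometimes lack the newer auth checks."""
    m = re.search(r"/v(\d+)(?=/)", path)
    if not m:
        return []
    current = int(m.group(1))
    return [f"{path[:m.start()]}/v{k}{path[m.end():]}" for k in range(current - 1, 0, -1)]

def classify(baseline: Response, variant: Response) -> str:
    """'candidate' only when the plain request was denied, the variant is served, and the
    variant is the origin talking rather than a Cloudflare page."""
    if baseline.status not in (401, 403):
        return "not-denied"
    if looks_like_cloudflare(variant):
        return "cloudflare-noise"
    if variant.status == 200 and variant.body.strip() and variant.body != baseline.body:
        return "candidate"
    return "no-change"

def demo() -> dict:
    """Constructed sample: the same denied baseline against three variant replies."""
    denied = Response(403, {"Content-Type": "text/html"}, "<h1>Forbidden</h1>")
    cf_block = Response(403, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f-FRA"},
                        "<title>Attention Required! | Cloudflare</title><p>error code: 1020</p>")
    served = Response(200, {"Content-Type": "application/json"}, '{"users":[{"id":1}]}')
    return {"cf": classify(denied, cf_block), "served": classify(denied, served),
            "same": classify(denied, denied)}
```

Run the override probes against a handful of hosts first and look at what the "served" responses actually contain; a 200 that is just the front page rendered at "/" is the other common false positive, which the body comparison above only partly catches.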
@0xw2w
Max Yaremchuk
2 years
Hijacking Over 100k GoDaddy Websites - Quick video -
1
19
92
@0xw2w
Max Yaremchuk
4 years
I reached 6k rep points on @Hacker0x01 ! Now going higher! 🚀
Tweet media one
3
0
92
@0xw2w
Max Yaremchuk
4 years
Hey @Burp_Suite , could you please add searchability for bapp store? It will greatly ease orientation in the list of apps.
Tweet media one
5
2
89
@0xw2w
Max Yaremchuk
6 years
Just published my new write-up «[Bug bounty | ] Access to the admin panel of the partner site and data disclosure of 2 million users» Have a nice read! #TogetherWeHitHarder #BugBounty
1
42
87
@0xw2w
Max Yaremchuk
4 years
How I lived without this 🥲
Tweet media one
11
8
88
@0xw2w
Max Yaremchuk
2 years
I was just awarded a bounty on @Hacker0x01 for bypass of TOTP and Adaptive MFAs🪲 The chain⛓: Triggering MFA lockout; A lack of MFA setup enforcement after MFA reset; Constant tracking for MFA presence; A lack of context behind Adaptive MFA email and its overlay.
Tweet media one
1
5
81
@0xw2w
Max Yaremchuk
5 years
In March, I submitted 53 vulnerabilities to 22 programs on @Hacker0x01 and jumped to 5200 rep with improved signal 5.00!😱😱 #TogetherWeHitHarder
4
0
85
@0xw2w
Max Yaremchuk
11 months
In 1 year, I improved my skills using these simple rules by sticking to which I scored the highest bounties in my bug bounty career and discovered 153 vulnerabilities on a single program — solo, manual, semi-full-time. 1. Focus on a single bug bounty program. Try to allocate
5
16
86
@0xw2w
Max Yaremchuk
5 years
Yay, I was awarded a $500 bounty and $1500 bonus on @Hacker0x01 for a bunch of vulnerabilities, - CSRF protection bypass + CORS misconfiguration + Cookie setting! Thank you for uniting hackers and companies together, HackerOne! #togetherwehitharder
2
2
80
@0xw2w
Max Yaremchuk
3 years
Yay, I got 10k rep points on @Hacker0x01 ! 🎉
2
2
85
@0xw2w
Max Yaremchuk
4 years
50k for OTP code brute force using IP rotation! Such mistakes are still out there and will be for a long time!
@LaxmanMuthiyah
Laxman Muthiyah
4 years
Microsoft Account Takeover! 😊😇 Thank you very much @msftsecresponse for the bounty! 🙏🙏🙏 Write up -
Tweet media one
72
411
2K
5
5
83
@0xw2w
Max Yaremchuk
5 years
Yay, I was awarded a $1500 bounty for Information Disclosure and $850 bounty for Race Condition on two accounts using on @Hacker0x01 ! #TogetherWeHitHarder
2
3
77
@0xw2w
Max Yaremchuk
2 years
By using Spotify as a usual user I spotted a few behaviors that allow shrinking premium costs from $150 to $54 (calculations for the UK). Now waiting for the company's evaluation.
Tweet media one
5
4
82
@0xw2w
Max Yaremchuk
5 years
Yay, I’ve crossed 2000 reputation line and was awarded $2000 for OAuth misconfiguration bug @Hacker0x01 ! 🙂 #TogetherWeHitHarder
Tweet media one
5
5
79
@0xw2w
Max Yaremchuk
4 years
So I sent an account takeover bug with just one click to @Xiaomi bug bounty on @Hacker0x01. Developers marked the bug as Informative with no impact, although it should be fixed ASAP. The HackerOne mediation team made 0 effort in 3 months to help resolve the disagreement. -->
Tweet media one
13
4
76
@0xw2w
Max Yaremchuk
5 years
Today I crossed 800 rep points on my favorite private program on @Hacker0x01 🎉 Sometimes I go through applications again in order to realize what else I can do with the functionality; this helps me to consistently find bugs. #togetherwehitharder
Tweet media one
3
1
78
@0xw2w
Max Yaremchuk
5 years
I found DOM-based XSS on 15 000 websites via helpdesk subdomain, the bug was fixed in 1 hour after receiving a report 😮
1
2
71
@0xw2w
Max Yaremchuk
2 months
HackerOne has implemented crypto payments for non-coinbase USDC and BTC wallets🎉
Tweet media one
4
5
74
@0xw2w
Max Yaremchuk
5 years
Hunt on @ArchAngelDDay has begun: One private bug bounty program on @Hacker0x01 announced that they will pay $1000 for the hacker who'll displace @ArchAngelDDay from the first place 😄
Tweet media one
6
3
74
@0xw2w
Max Yaremchuk
5 years
Yay, I was awarded a $1000 bounty for domain takeover on @Hacker0x01! I noticed that the registration form pointed to a non-existent domain. The bug could be used to intercept registration details. Tip: always check the errors! #TogetherWeHitHarder
2
2
68
@0xw2w
Max Yaremchuk
3 years
Tweet media one
9
0
71
@0xw2w
Max Yaremchuk
5 years
Hooray🎉, I was awarded a $750 bounty for one-click ATO / $2,000 bounty for ATO w/o user interaction and overcame 3000 reputation line on @Hacker0x01 ! #TogetherWeHitHarder
1
1
69
@0xw2w
Max Yaremchuk
1 month
Burp Suite rolled out a long-awaited performance update
Tweet media one
Tweet media two
7
3
70
@0xw2w
Max Yaremchuk
4 years
pretty not bad for 1 bug/4 😁 #togetherwehitharder
Tweet media one
5
0
68
@0xw2w
Max Yaremchuk
4 years
Tweet media one
3
6
64
@0xw2w
Max Yaremchuk
2 years
Here’s my new blog post, “Bugs showcase #1 : Chaining a lack of values correlation, linear growth of attempts, and other omissions in OTP implementations to achieve 2 ATOs”.🪲 I hope it’ll be interesting for you!
3
26
66
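The OTP omissions named in this post and earlier on the page (the recovery code with no invalidation or expiry, the OTP brute force via IP rotation, the lack of value correlation and the linear growth of attempts), as one added example that is not the author's code: a hardened verifier next to a store that keeps those omissions, and a brute-force routine that succeeds against one and locks out on the other. Account names, purposes and addresses are constructed.

```python
# Added example, not code from the posts: an OTP / recovery-code store hardened against
# codes that never expire or invalidate, attempt limits keyed on client IP, codes not bound
# to the account they were issued for, and a fresh attempt budget on every re-issue,
# beside a store that keeps those omissions. Accounts and addresses are constructed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 600        # seconds a code stays valid
MAX_ATTEMPTS = 5      # failed guesses per (account, purpose) before lockout

@dataclass
class Issued:
    digest: bytes     # sha256 of the code; the plaintext is never stored
    expires_at: float
    used: bool = False

def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()

def _new_code() -> str:
    return f"{secrets.randbelow(10 ** 6):06d}"

class HardenedOtpStore:
    def __init__(self):
        self.codes = {}      # (account, purpose) -> Issued; re-issuing replaces the old code
        self.failures = {}   # (account, purpose) -> failed attempts, kept across re-issues

    def issue(self, account, purpose, now=None) -> str:
        now = time.time() if now is None else now
        code = _new_code()
        self.codes[(account, purpose)] = Issued(_digest(code), now + CODE_TTL)
        return code

    def verify(self, account, purpose, code, client_ip=None, now=None) -> bool:
        # client_ip is only for logging; the limit is per account, so rotating proxies buy nothing
        now = time.time() if now is None else now
        key = (account, purpose)
        if self.failures.get(key, 0) >= MAX_ATTEMPTS:
            return False                     # locked; issue() does not reset this counter
        issued = self.codes.get(key)
        # Correlation: only the code issued for exactly this account and purpose can match.
        valid = (issued is not None and not issued.used and now <= issued.expires_at
                 and hmac.compare_digest(issued.digest, _digest(code)))
        if not valid:
            self.failures[key] = self.failures.get(key, 0) + 1
            return False
        issued.used = True                   # single use
        self.failures.pop(key, None)
        return True

class VulnerableOtpStore:
    """Keeps the omissions: any live code works for any account, codes never expire
    or get invalidated, and the only limit is per client IP."""
    def __init__(self):
        self.live_codes = set()
        self.per_ip = {}

    def issue(self, account, purpose, now=None) -> str:
        code = _new_code()
        self.live_codes.add(code)
        return code

    def verify(self, account, purpose, code, client_ip="0.0.0.0", now=None) -> bool:
        if self.per_ip.get(client_ip, 0) >= MAX_ATTEMPTS:
            return False
        if code in self.live_codes:
            return True
        self.per_ip[client_ip] = self.per_ip.get(client_ip, 0) + 1
        return False

def brute_force(store, account, purpose, guesses, rotate_ip=False) -> bool:
    """Enumerate guesses; with rotate_ip every request arrives from a different address."""
    for i, guess in enumerate(guesses):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" if rotate_ip else "10.0.0.1"
        if store.verify(account, purpose, guess, client_ip=ip):
            return True
    return False
```

The attempt counter lives on the (account, purpose) pair and survives a re-issue on purpose: if requesting a new code reset it, every resend would hand the attacker another MAX_ATTEMPTS guesses, which is the linear growth described above.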
@0xw2w
Max Yaremchuk
2 years
Just got my TOTP MFA bypass on rockstar games at @Hacker0x01 accepted. One year ago I puzzled over their MFA and didn't manage to bypass it. But now I returned to it with a new technique, chained 2 bugs together, and broke it!
Tweet media one
2
0
64
@0xw2w
Max Yaremchuk
5 years
Tweet media one
2
1
63
@0xw2w
Max Yaremchuk
4 years
🙂
Tweet media one
3
0
64
@0xw2w
Max Yaremchuk
2 years
If you found a redirect in the authentication flow where you can steal access tokens, but it only accepts xyz:// and rejects http(s)/javascript as a scheme, don't rush to throw it away. I found a browser-specific bug that can help to exploit it. DM me if you have such a redirect.
5
2
64
@0xw2w
Max Yaremchuk
6 years
#bugbountyprotip If you want to test IE-only XSS or XSS with incorrect interpretation of the content-type (older IE versions perceive some content-types incorrectly and accept them as HTML), then you can do it online here instead of installing a browser.
4
25
63
@0xw2w
Max Yaremchuk
4 years
Today is my bday and I'm still working because I so fucking love my job, you can't imagine how. Those who work exclusively for money and not for fun/passion/pure interest, I don't understand them.
5
0
62
@0xw2w
Max Yaremchuk
2 years
After digging into the app deeply for ~1 week and finding 19 low-high bugs, I finally found one crit - local file read through SSRF
Tweet media one
Tweet media two
1
1
62
@0xw2w
Max Yaremchuk
5 years
Yay, I earned $1250 for my submission on @bugcrowd for OAuth misconfig! Tip: Check all the OAuth providers. When one has protection, the other may not implement it. #ItTakesACrowd
3
0
60
@0xw2w
Max Yaremchuk
2 years
I was just awarded a bounty on @Hacker0x01 for TOTP MFA bypass related to backup code handling! 🪲
Tweet media one
1
0
58
@0xw2w
Max Yaremchuk
10 days
Tweet media one
4
5
56
@0xw2w
Max Yaremchuk
5 years
I am now a full-time bug bounty hunter (primarily at @Hacker0x01). If you have a bug bounty program, I'll be glad if you drop me an invite, /w2w. I'll do my best to find as many bugs as possible. I'm mostly interested in OAuth, 2FA, authority matrix and authentication in general!
6
1
54
@0xw2w
Max Yaremchuk
5 years
Yay, I was awarded a $1000 bounty and $500 bonus on @Hacker0x01 for Improper Auth bug in the Mac OS application that leads to Account Takeover! #TogetherWeHitHarder
1
1
53
@0xw2w
Max Yaremchuk
6 years
#bugbountyprotip Try to bypass the protection of the website using the mobile app. For example, in the mobile app there is no rate limit for entering the 2FA code, or the 2FA input window does not appear, while the web version has protection.
0
15
52
@0xw2w
Max Yaremchuk
5 years
Yay, I reached a new milestone on @Hacker0x01 , - 200 resolved bugs! #TogetherWeHitHarder
Tweet media one
1
0
52
@0xw2w
Max Yaremchuk
4 years
/ @Hacker0x01 directory from mobile :))
Tweet media one
1
1
51
@0xw2w
Max Yaremchuk
5 years
Yay, I was awarded a $1,150 bounty on @Hacker0x01 for another DOM-based XSS! The report is 1 week old = bonus for waiting. This is one of my favorite BB programs; I stuck to it, got to know its apps well, and gained almost 600 rep on it.🙂 #TogetherWeHitHarder
Tweet media one
1
0
53
@0xw2w
Max Yaremchuk
7 years
I was rewarded $2,500 on hackerone, this is my first bounty! #TogetherWeHitHarder
Tweet media one
4
3
52
@0xw2w
Max Yaremchuk
7 months
I just reached the top 100 all-time on @intigriti and completed the 2024 bug bounty goal — it took 5 months. Will try to go higher! 🚀
Tweet media one
@0xw2w
Max Yaremchuk
10 months
2023 was successful:
- Bug bounty income tripled compared to the previous years
- Top 100 on h1 in 2023
- 7th place on @intigriti in Q4 2023 (got started in Q4 when my program was transferred from h1)
- 2nd h1 LHE
2024 goals:
- Top 100 on @intigriti all-time
- Play some RDR2
3
1
38
1
2
52
@0xw2w
Max Yaremchuk
5 years
Bug bounty hunter: My signal is unshakable H1 triager: Hold my beer
1
2
50
@0xw2w
Max Yaremchuk
5 years
A website was taken offline due to my report on @Hacker0x01 😮
Tweet media one
3
0
51
@0xw2w
Max Yaremchuk
5 years
In order to massively check my techniques for a 2FA bypass, I used the list of websites that support 2FA on , which includes some @Hacker0x01 and @Bugcrowd Bug Bounty programs. 1/n #togetherwehitharder #bugbounty
5
14
49
@0xw2w
Max Yaremchuk
4 years
Website: Unfortunately, you don’t have access to this admin panel. If you don’t have a valid login and password, please leave. Me: **pulling an endpoint from js file intended only for admins and applying it right away** Website:
Tweet media one
1
7
48
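Pulling admin-only endpoints out of a JS bundle, as in the post above, and the hard-coded login/password from the "if not login and password" post earlier on the page (the kind of thing the JSA tool announced above is for), as one added example that is neither JSA nor the author's code: a regex extractor for endpoints and credential-looking assignments over a constructed bundle that mirrors both findings.

```python
# Added example (not the JSA tool and not the posts' code): extract endpoints and
# hard-coded credential assignments from a JavaScript bundle. The bundle is constructed
# to mirror the posts: a default login/password in an "if (!login && !password)" branch
# and an admin-only endpoint that the UI never exposes.
import re

SAMPLE_JS = r"""
var API = "/api/v2";
function loadUsers() { return fetch(API + "/users?limit=50"); }
function exportUsers() { return fetch("/api/v2/admin/users/export", { method: "POST" }); }
if (!login && !password) { login = "support"; password = "Sup3rS3cret!"; }
const cfg = { apiKey: "k3y_live_0123456789abcdef", health: "https://internal-api.example.test/v1/health" };
"""

# Quoted absolute paths or full URLs.
ENDPOINT_RE = re.compile(r"""["'`]((?:https?://[^"'`\s]+)|(?:/[A-Za-z0-9_./?=&%-]+))["'`]""")
# name = "value" or name: "value" for the usual credential-looking identifiers.
CRED_RE = re.compile(
    r"""\b(password|passwd|username|login|api[_-]?key|secret|token)\s*[:=]\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
ADMIN_HINT = re.compile(r"/(admin|internal|manage|debug)(/|$)", re.IGNORECASE)

def extract_endpoints(js: str) -> list:
    return sorted(set(ENDPOINT_RE.findall(js)))

def extract_credentials(js: str) -> list:
    """(identifier, literal) pairs, in order of appearance; review each by hand."""
    return [(name, value) for name, value in CRED_RE.findall(js)]

def privileged_endpoints(endpoints) -> list:
    """Endpoints worth sending straight away with a low-privilege session, as in the post."""
    return [e for e in endpoints if ADMIN_HINT.search(e)]

def default_credential_branches(js: str) -> list:
    """The exact anti-pattern from the post: a branch that fills in login/password when none was given."""
    return re.findall(r"if\s*\(\s*!\s*\w*login\w*\s*&&\s*!\s*\w*pass\w*\s*\)", js, re.IGNORECASE)

if __name__ == "__main__":
    endpoints = extract_endpoints(SAMPLE_JS)
    print("endpoints:", endpoints)
    print("privileged:", privileged_endpoints(endpoints))
    print("credentials:", extract_credentials(SAMPLE_JS))
    print("default-cred branches:", default_credential_branches(SAMPLE_JS))
```

Regexes like these over-match on real bundles (template strings, regex literals, base64 blobs), so treat the output as a worklist: every privileged path gets requested with the unprivileged session, every credential literal gets tried against the login it sits next to.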
@0xw2w
Max Yaremchuk
2 years
I think I just sent my most extensive report up to date. It's 9k chars long and contains 15 reproduction steps. I imagine it will be quite a task for a @Hacker0x01 triager to reproduce that one 😭
2
0
48
@0xw2w
Max Yaremchuk
1 month
The first bug bounty program to introduce bonuses for writing @pdnuclei templates to help detect a bug. Personally, I tend to attach Python reproduction scripts so the triage will confirm the bug faster, and I'm glad to see this movement. Hopefully, more programs will join!
Tweet media one
6
4
49
@0xw2w
Max Yaremchuk
4 years
yeah boii
Tweet media one
6
2
48
@0xw2w
Max Yaremchuk
5 years
Sweet creds 😋 latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance latest/meta-data/public-keys/0/openssh-key #ssrf
Tweet media one
Tweet media two
0
12
45
@0xw2w
Max Yaremchuk
4 years
I got swag from the German company @MediaSaturn and the Ukrainian @the_prozorro. These pieces of swag are nice and creative; it's probably the best swag I've ever received on #bugbounty! Thanks for sending them!
Tweet media one
Tweet media two
2
2
45
@0xw2w
Max Yaremchuk
6 years
Pretty good end of the night :) #TogetherWeHitHarder
Tweet media one
2
0
43
@0xw2w
Max Yaremchuk
8 months
"HACKING CLOUDFLARE PAGES PART 2"
0
8
45
@0xw2w
Max Yaremchuk
2 years
Yay, I got a 20% bonus on top of a bounty, retest fee, and swag for submitting the TOTP MFA bypass on @Hacker0x01 🎉
Tweet media one
1
0
42
@0xw2w
Max Yaremchuk
7 months
Tweet media one
@zseano
zseano
7 months
@SchizoDuckie coca cola program is funny too. although i guess you could technically sell the discount codes for $$$
Tweet media one
6
1
29
5
5
42
@0xw2w
Max Yaremchuk
4 years
Slack raised bounty amounts so now no one will yell about the low payout for client-side rces (probably :D)
Tweet media one
Tweet media two
0
0
41
@0xw2w
Max Yaremchuk
1 month
Tweet media one
1
1
42
@0xw2w
Max Yaremchuk
8 months
Retest for a random adult BB program ($200) vs retest for a BB program owned by multi-billion-dollar corporation Spotify (asking for a free retest)
Tweet media one
Tweet media two
7
0
42
@0xw2w
Max Yaremchuk
4 years
Here are detailed instructions on fetching all non-VDP companies' subdomains from @pdiscoveryio chaos: . It's >150 MB. On the last step, my laptop almost exploded 😄
2
13
41
@0xw2w
Max Yaremchuk
2 months
Tweet media one
5
1
41
@0xw2w
Max Yaremchuk
1 year
Tweet media one
0
5
39