Mistakes Learned From Reports Rejections

d0natel00.medium.com · d0natel00(KiroMoheb) · 19 days ago · research
The Dark Side of Bug Bounty Hunting

d0natel00(KiroMoheb) · ~3 min read · March 23, 2026 (Updated: March 24, 2026)

Reality

Hello friend. This write-up is not a technical one, but it will improve you if you are a bug hunter. I think you have submitted a lot of reports, of which few got resolved, or even none, while the rest fell into N/A, Informative, or Duplicate. There is no shame in that; we have all been through this disappointing experience. I'll tell you the mistakes I've learned from rejections so we can get fewer of them. (There is no magic recipe.)

You must know these ineligible bugs by heart: https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings

1. Best practices are rejected

Best practices are important, but not to companies. Actually, companies don't care about best-practice findings like missing security headers, user enumeration, etc. They care about two things:

- Data an attacker can steal
- Actions an attacker can perform

I know the missing HttpOnly flag on a cookie matters, and if an attacker gets an XSS they can exploit that, but sorry, companies don't care.

2. Low-hanging fruit is already reported (crowd effect)

Easy findings are already reported, so you will get duplicates. Easy bugs like subdomain takeovers and directory listings are reported before you get to them; they are things any hunter will find with just good recon. Other hunters ran the same tools and reported the bug before you!

3. Bugs with imaginary exploitation

A valid bug, but exploitation is hard or impossible. The bug is real, but exploiting it is likely impossible or very hard to do.

The bug exists and the math is true, but I forgot that the code expires after a short time! End of conversation.

4. Out-of-scope trap

Check the scope first, before you get your hands on testing. For example, you see a wildcard domain, *.example.com, and you start recon and enumerating subdomains. You travel from one subdomain to another until you find a bug on one of them. You report the valid bug, but in the scope section you didn't scroll to the end and see that vulnerable.example.com is out of scope!

[+] For this, I always keep a note of the out-of-scope domains in my text editor!

5. Information exposures of unimportant data

Information exposures of public or non-sensitive data. Even though this matters in principle, since one CVE in one plugin can cause big security risks, and a directory listing of public data can become damaging if the devs later store important backups or sensitive data there, triagers don't care about that type of data either. Duplicate, and the data presented is not important!

[+] Check first whether the data you found is public, whether it can cause damage if exposed, and whether it is personal.

Conclusion

Even elite bug hunters still make these mistakes. So remember, you will still get rejections, but if we avoid all the mistakes I just gave you, we will get fewer bad ones. Goodbye!

#cybersecurity #bug-bounty