A security researcher discovered a local file inclusion (LFI) vulnerability on Google's springboard.google.com by first identifying an authorization bypass through directory enumeration with wfuzz, then escalating it to read arbitrary files like /proc/self/environ on production servers with admin privileges. The initial auth bypass was rejected for reward, but the escalated LFI earned a $13,337 bounty after two months of coordination with Google's VRP.
A beginner bug bounty hunter discovered a Self-XSS vulnerability in Amazon's developer.amazon.com where Security Profile names were reflected in source code, which they escalated to a logout CSRF issue. The vulnerability was reported, triaged, and fixed within a week, though no monetary reward was offered per Amazon's policy.
Technical writeup on bypassing uppercase character filters in URL-based XSS vulnerabilities using JSFuck obfuscation techniques. The authors demonstrate constructing a complete alphabet from JavaScript primitive values and achieving arbitrary code execution with jQuery's getScript to escalate a Low severity XSS to Critical by loading external malicious scripts.