Hello Everyone,

Who was i ?

In 2013 I started take interest in Bug Bounty or you can call Beg Bounty (I’m not pointing it to Nakul πŸ˜€ ), anyway In starting i also report bug like OPTION Method, Weak Ciphers, Secure Cookie or blah blah blah. πŸ™‚ that’s was my start to take my steps in Information Security. but then something strange happen, i meet some LEET (friends)Β  πŸ˜€ who gave me real understanding about information security and i forgetΒ about all sh**y bugs which I’ve reported and i am ashamed of πŸ˜€ but this is not ends here. πŸ™‚

Who i am now ?

After learning deep into Information Security with the help of OWASP, Google, Friends, YouTube. OWASP is too good to take your first step in Information Security and their OWASP Guide V4 is just awesome. I start taking interest in Networking, Web Application, Exploit Development and my favorite Radio Frequencies. Now i provide Penetration Testing service to private companies and they are better than others πŸ˜€

Bug Bounty Future ?

Many of you will not agree with this but everyone got a different point of view. So first thing i want to clear that there’s a lot of difference in Bug Bounty Program and Bug Β Bounty Platform, platform like Bugcrowd, Hackerone, Cobalt, Vulbox and I love these platforms. but bounty programs don’t treat well with the researcher. there are two types of people who report vulnerability, people like me NOOB(startups) and professional so now the problem is if NOOB find a vulnerability and don’t know how to write report and he just copy paste the information from the OWASP which is right to do if so. but program manager sees the report as vulnerability scanner report and they just mark the report as WONT FIX or N/A but when the same vulnerability reported by some professional researcher with man-made report they give him a green flag. I tried the same thing with the program (i don’t want to mention the name), i reported same vulnerability with two different accounts, one with copy paste report and one with man-made report and guess what who get the reward, ah you know πŸ™‚ I just want to tell them that give a chance to them and tell how they can improve their skills and if you didn’t do this then i’m afraid there is no future for you guys.

Live Example :-

This is what happened to me, i reported a bug to Heroku something related to their Coldfusion Admin Panel, they fixed the bug and close my report as Not Applicable.
Here’s some screenshots of the bug.


Information Disclosure


Solr Admin Panel


Exceptions Logs



Server Cores


Information Disclosure


Thread Dump


Information Disclosure


Information Disclosure


Information Disclosure

Reported this bug a year ago and in disclosure policy we can disclose a bug after 90 Days.


Ch. Muhammad Osama


Categories: Article

Choudhary Muhammad Osama

This is Choudhary Muhammad Osama, a highly accomplished Penetration Tester, Security Analyst and Linux Administration enthusiast, with extensive experience in implementing, maintaining, securing and pentesting web applications and networks.


Shehu Awwal · January 8, 2016 at 3:10 pm

Thanks for the writeup, I won’t participate in Bug Bounty again until I have deep knowledge about Security, Thanks brother

Arsalan Ali · January 9, 2016 at 2:00 pm

Great Website bro i love it sir make some tut about XSS attack

    Ch Muhammad Osama · January 9, 2016 at 2:03 pm

    thanks πŸ™‚ i’ll make some tutorial soon πŸ˜€

Farid Hayat · January 10, 2016 at 12:03 pm

Great work … It is really goes clear to noob and awesome explaination .

    Ch Muhammad Osama · January 10, 2016 at 12:12 pm

    thanks πŸ™‚

Jay patel · January 10, 2016 at 11:59 pm

Nice work sir , i am also beginner in this field and i did same thing what you wrote , but sir here i have one question , i also report vul in my own language but some time i got n/a i know this is bug and they gone fix its but they close it they say plz we cant understand that what you are going to explain many time i got problem , so can you give me any suggestion for that what i need to do that.

    Ch Muhammad Osama · January 11, 2016 at 6:33 pm

    well i know the pain πŸ™ and there’s nothing i can do with this but you can public the report after 90 days.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.