Three public programs

Coordinated disclosure · names withheld per program rules

Cybersecurity / Bug BountyCybersecurityBug bounty — anonymized findings

Coordinated-disclosure findings against three public programs

Found, triaged, and disclosed a small set of vulnerabilities against public bug-bounty programs.

Anonymized real bug-bounty work: a small set of coordinated-disclosure findings filed against three public programs over a few weeks. Findings ranged from auth-flow IDORs to misconfigured S3 buckets. All resolved through proper disclosure channels with researcher credit (under handles, by request).

Source code is yoursRefund if late

Findings · Cybersecurity / Bug Bounty

12 open

CRIT

HIGH

MED

LOW

CRITRCE-9281 · CVSS 1.1

✓ patched

HIGHAuth-9474 · CVSS 1.2

✓ patched

MEDXSS-2491 · CVSS 1.3

✓ patched

LOWInfo-9900 · CVSS 1.4

✓ patched

Industry: Cybersecurity / Bug Bounty
Timeline: 2 weeks
Team: 1
Service: Cybersecurity
Project tier: Bug bounty — anonymized findings

The Problem

What was broken.

Small bug-bounty research session targeting three public programs. The aim was to surface real, reproducible findings with clean writeups — not to inflate any reputation metric.

Our Approach

How we framed it.

Standard recon → triage → reproduction → writeup loop. Every finding documented with the smallest reproducer that demonstrates impact, with a suggested fix.

Capability proof

What this case demonstrates.

This case makes the hidden work visible: strategy, architecture, delivery control, quality evidence, and handoff.

01 / Product judgment

Problem framed before UI

Small bug-bounty research session targeting three public programs. The aim was to surface real, reproducible findings with clean writeups — not to inflate any reputation metric.

02 / Technical depth

5 stack decisions

Burp Suite Pro, ffuf, Custom recon scripts (Go), HackerOne, Markdown (writeups)

03 / Delivery discipline

3 delivery checkpoints

Recon + scoping / Triage + reproduction / Writeups + disclosure

04 / Handoff quality

4 shipped artifacts

Multiple accepted findings across three public programs / Reproducible writeups with minimal proof-of-concept / Suggested fixes shipped alongside each finding

Production artifacts

Inspect the work behind the visible result.

Each case exposes the surfaces, systems, evidence, and handoff package that make the shipped product usable after launch.

Experience layer

Buyer or user surface

UXResponsiveA11y

Disclosure dashboard with CVSS scoring, PoC code blocks, fix timeline, automated retest scheduling.

Proof 01

Found, triaged, and disclosed a small set of vulnerabilities against public bug-bounty programs.

Proof 02

Read every program's scope page carefully. Built a small recon scaffold for the in-scope assets.

Proof 03

Multiple accepted findings across three public programs

Before / after · product UI mockup

Industry · Cybersecurity / Bug Bounty

nessus://scanner-04.local:8834/report

Before

H1 · Triage Queue · 47 reports

Sort: Newest · Filter: state=new · 3 SLA breaches

#9421SQLi in /api/v2/orders?id=P19.8Stale 11d

#9418SSRF · gateway → internal redisP19.1Stale 7d

#9412Stored XSS · profile bio (BBCode)P27.4New

#9405Auth bypass · /admin/?debug=1P18.8Triaging

#9398IDOR · view other org invoicesP26.5Stale 4d

#9394Open redirect · ?next= paramP34.2New

#9391Race · double-spend couponP27.1Triaging

#9388CSP bypass · img-src wildcardP33.8New

Manual workflow: copy report → ticket → repro · paste payload · screenshot · close

disclosure.acme-program.com/H1-9421

After

Disclosure · Acme · #H1-9421

P1 · CriticalBounty $7,500

Title · CVSS 9.8

SQL injection in /api/v2/orders?id= via UNION SELECT

Reported

2026-04-21 14:32

Triaged

+ 4h 12m

Patched

+ 1d 8h

# PoC · curl one-liner

curl 'https://acme.com/api/v2/orders?id=1%20UNION%20SELECT%20null,user(),version()' \

-H 'Cookie: session=...'

→ leaks: postgres@db-prod-01 · 16.2

Timeline

Publish disclosure

Before:Triage queue ran in Linear; reproductions copy-pasted into reports — fix-tracking via Slack DMs.

After:Disclosure dashboard with CVSS scoring, PoC code blocks, fix timeline, automated retest scheduling.

How the engagement ran.

3steps · scroll →

01Day 1-3
Recon + scoping
Read every program's scope page carefully. Built a small recon scaffold for the in-scope assets.
02Day 4-7
Triage + reproduction
Investigated promising leads, discarded most, kept the ones with clear reproducible impact.
03Day 8-14
Writeups + disclosure
Filed findings with minimal reproducers, suggested fixes, and clean repro steps. Stayed available for triage questions.

1
Day 1-3
Recon + scoping
Read every program's scope page carefully. Built a small recon scaffold for the in-scope assets.
2
Day 4-7
Triage + reproduction
Investigated promising leads, discarded most, kept the ones with clear reproducible impact.
3
Day 8-14
Writeups + disclosure
Filed findings with minimal reproducers, suggested fixes, and clean repro steps. Stayed available for triage questions.

Deliverables

What we shipped.

✓Multiple accepted findings across three public programs
✓Reproducible writeups with minimal proof-of-concept
✓Suggested fixes shipped alongside each finding
✓Recon scaffold reusable for future research

Outcomes.

delivered outcomes

Plan: multiple findings accepted across three programs

Plan: severity range: low → high

Plan: each writeup ends with a one-paragraph suggested fix

Plan: coordinated-disclosure timelines respected throughout

Plan: findings can be discussed in detail under NDA

Honest challenges

What we got wrong (or almost wrong).

The pretty version of any case study skips this part. We don't.

01
Most leads aren't real; discipline is in dropping them quickly and not getting attached.
02
Coordinated disclosure means waiting; respect the program's timeline even when a finding is exciting.

In our own words

The discipline of coordinated disclosure is the work — finding the bug is the easy part. A clean writeup with a minimal reproducer and a suggested fix is what earns triage time and program trust over months, not the severity score on day one.

From the Hayaiti team

Engineering · design · security

Technical blueprint

How the work holds together.

Buyers should see that the visual layer is backed by architecture, quality gates, and operational ownership.

Experience

Interfaces, flows, states, accessibility.

Application

Custom recon scripts (Go)

Data

Schema design, storage, data movement, retention.

Operations

Deploy, monitoring, alerts, rollback, runbooks.

Security

Burp Suite Pro

Stack used

5 technologies

Burp Suite ProffufCustom recon scripts (Go)HackerOneMarkdown (writeups)

Other cases like this.

Healthcare

Helix Health

HIPAA-ready intake portal

Replace clipboard intake with a 7-minute, accessible, HIPAA-ready web flow.

GovTech

City of Greendale

Municipal procurement portal

Replace a paper-and-fax vendor onboarding flow with a proper portal.

Cybersecurity / Fintech

Northwind Pay

Pre-SOC 2 pentest + playbook

Surface critical findings ahead of the SOC 2 audit window with a clear remediation plan.

Want a case study like this?

Want this level of production quality on your project?

Send a short brief and we'll reply with scope, timeline, price direction, and the first technical recommendation.

Get a build plan See pricing

Source code is yoursPay 50/50Pause anytime25% refund if lateNDA on day 1

Coordinated-disclosure findings against three public programs

Found, triaged, and disclosed a small set of vulnerabilities against public bug-bounty programs.

Source code is yoursRefund if late