Building @Vulncure ⚡| Helping founders fix vulnerabilities before hackers find them. Talk to me about: Bug Bounties, LLM Security & React.👇 Book a 15-min Demo

Pinned Tweet
We've curated entire API Pentesting Series into a single, auto-updating Notion page. • All existing parts • Future parts added automatically • One link to bookmark Access the full library here: vulncure.com/api-pentest/api…
A GraphQL request can look harmless in Burp. But if it triggers repeated resolver execution, the backend cost can explode. That’s why the $12,500 DoS report is worth studying. Small request ≠ small impact. Read the breakdown: medium.com/@Aacle/how-graphq…
Not every packet leaving your browser is data exfiltration. Saw a funny Reddit post about fake “critical” bug bounty reports. It was a joke. But honestly, it points to a real beginner mistake. 1/7 🧵
Before submitting, ask: Can I reproduce it cleanly? Can I explain it in one sentence? Can I show attacker impact? Can I prove this is not normal behavior? Can the dev fix it without guessing? If no, the report is not ready. 6/7
Bug bounty lesson: Don’t make the bug sound scary. Make it easy to verify. A simple, reproducible medium-severity report is better than a dramatic “critical” report with no real impact.
$600k in 6 months from one hardened target is wild. But the bigger lesson: security gaps rarely look obvious from inside the product. Fresh eyes and deep curiosity still beat checkbox security.
$600k in ONLY 6 MONTHS? Let's chat more about @brutecat's journey hacking one of the most hardened companies in the world! youtu.be/xZe7bBC17TM
Abhishek Meena 🏵️ retweeted
Did you know I had a 10-part feature series on the Bugcrowd blog back in 2021? The good old days! I went from $100 (first payout in 2020) to being #1 or #2 on the platform in 2025 for lifetime bounties earned, it was a pretty crazy run and countless hours of work. But I'm totally burnt-out on all the red-tape and humanity in the process. If you are in the field, stay positive as long as you can, and if you don't have it, develop patience... massive quantities of patience. #bugbounty And when your patience finally burns out, there's always day trading, still uses the 12345. bugcrowd.com/blog/zwinks-tip…
A $12,500 HackerOne bounty came from a bug that didn’t steal data. → No account takeover. → No IDOR. → No RCE. Just one GraphQL request making the server work much harder than it should. That’s what makes this report worth studying. 1/10 medium.com/@Aacle/how-graphq…
9/10 I broke down the full report in a beginner-friendly way: → what GraphQL aliases are → why mutation aliasing can cause DoS → how the reporter proved impact → why the triager asked for more impact → what developers can do to fix it
If you’re learning bug bounty or GraphQL security, read this one slowly. It’s a good example of how impact comes from thinking about backend cost, not just access control. Full Medium breakdown here: medium.com/@Aacle/how-graphq…