Bug Bounty Reference



A list of bug bounty write-up that is categorized by the bug nature, this is inspired by



I have been reading for Bug Bounty write-ups for a few months, I found it extremely useful to read relevant write-up when I found a certain type of vulnerability that I have no idea how to exploit. Let say you found a RPO (Relativce Path Overwrite) in a website, but you have no idea how should you exploit that, then the perfect place to go would be here. Or you have found your customer is using oauth mechanism but you have no idea how should we test it, the other perfect place to go would be here

My intention is to make a full and complete list of common vulnerability that are publicly disclosed bug bounty write-up, and let Bug Bounty Hunter to use this page as a reference when they want to gain some insight for a particular kind of vulnerability during Bug Hunting, feel free to submit pull request. Okay, enough for chit-chatting, let’s get started.

Cross-Site Scripting (XSS)

Brute Force

SQL Injection

Stealing Access Token

Google oauth bypass


Remote Code Execution


Image Tragick

Direct Object Reference (IDOR)


Unrestricted File Upload

Server Side Request Forgery (SSRF)

Race Condition

Business Logic Flaw

Authentication Bypass

HTTP Header Injection

Subdomain Takeover


Email Related

Money Stealing

2017 Local File Inclusion


The bug bounty is a github repository by Ron Chan