Just spent wayyyy too much time reporting a stored XSS that doesn’t have much impact (admin targets lower-privileged users), almost 2 hours of writing it up 😅 It was an interesting one though, had fun exploiting it nonetheless! Just too bad for the CVSS score with PR:H!

The first stage of bug hunting is recon. The first stage of recon is... subdomains? Not always. Jasmin Landry prefers a small scope and focuses on single applications instead. Here's his unique 11 step approach to recon👇

Jasmin Landry For more details on Jasmin Landry's unique approach to bug hunting, read his LevelUp write-up: "How to find better bugs" 👇 bugcrowd.com/resources/leve…

Always fun reporting crits on a Friday afternoon 😅

Super excited and proud to announce I’ll be running the official Bug Bounty Village at @DEFCON alongside Harley Kimball for the first time! Follow @BugBountyDefcon for updates and join us in shaping the future of Bug bounty. Please help us with a RT #BugBountyVillage #DEFCON

19 questions Jasmin Landry asks himself when looking through requests in order to identify and document potential vulnerabilities: 1. What methods of authentication are supported?

My son watching something on YouTube and he’s like “Dad, the guy in the third picture looks like you” 😂😂

This made me remember an ATO bug I found a few years ago. The app used perl's crypt function as the token generator for password resets, here's the docs for it perldoc.perl.org/functions/crypt. You'll quickly notice the problem with it 😂 Or I guess the real problem was that the app was

"What keeps me on programs is the interaction with the people. Good communication, access to unique scopes, setting campaigns with increased payment for findings, getting a real person on reports rather than a bot." Hacker Jasmin Landry chatted with #SecurityAt attendees on some

🔥 Looking forward to next round! 🇨🇦#TeamCanada

They still exist 😱 #bugbounty

When you spend that extra time looking at JS code related to the app's auth flow and see this 🤦‍♂️

116 total reports, including 19 criticals! Let’s hope those numbers improve in 2025 as I’ll be doing bug bounty full time! hackerone.com/stories-of-202… Justin Gardner looks like I’ll be roaming around in the savanna with you 🦁

Really a fun bug to work on! Here’s what our day looked like 😂

.Caido and HackerOne are collaborating on a plugin that streamlines the H1 submission process. We’re envisioning a plugin that gives a simple UI to combine evidence that serves as the foundation of a report and removes most of the writing burden. Link in the comments.

New video out with Jasmin Landry! We break down an SSRF bypass against a validation pattern you’ll definitely see again — and show how to land critical without cloud metadata. Enjoy🔥 youtu.be/uoKMhb6juSo

Pretty excited to be doing a talk at NahamCon this year!

Day 2 is packed with some 🔥 talks! Check out the entire schedule on NahamCon.com! Remember this is 100% free, no tickets or anything needed. Just show up and watch the talks!

I'm giving a workshop on Caido at NorthSec in Montreal next week! Be sure to check it out if you're in town!

In this episode, Jasmin Landry breaks down how he consistently lands highs and crits - from SSRFs to less common bugs like XXEs and SQLis. Enjoy🔥 youtu.be/0-o3_NumvbI