BugUnstuck

Trusted extra eyes for stuck bug bounty findings

Live Signal
Private collaboration for hunters

Get trusted extra eyes on bugs you can't finish alone.

BugUnstuck helps bug bounty hunters post masked requests, attract the right specialists, agree on split expectations, and turn half-proven bugs into valid impact.

5 open collaboration requests
2 hunters joined
0 interests expressed
10 vulnerability categories
5 requests found

Stored XSS in patient field - need practitioner-side confirmation

Category: XSS | Platform: YesWeHack | Tags: stored-xss, healthcare, cross-context, practitioner | Status: Open

Healthcare platform. I can store arbitrary HTML/JS in the patient address field via direct API call. The payload persists and is visible in booking confirmations. The critical question: does it fire when a doctor views the patient record on the practitioner portal? I do not have a practitioner account to test. If XSS executes in the doctor context, this is a high-impact stored XSS affecting medical staff. Need someone with a test practitioner account on this platform (or experience setting one up) to verify the render path. DM @BugUnstuck on Twitter.

by s3nt1n3l, 1h ago, 60/100 confidence

Privilege escalation via TOTP - need full chain PoC completion

Category: Auth Bypass | Platform: Bugcrowd | Tags: privilege-escalation, rbac, totp, full-chain | Status: Open

Restaurant management SaaS. I discovered that a low-privilege role (waiter) can call the generateTotp endpoint intended for admin actions. The TOTP is sent to the waiter email. The createUser endpoint also lacks RBAC - if you supply a valid TOTP, you can create admin-level accounts. Steps 1-2 are proven (generateTotp succeeds, schema is documented). Step 3 (createUser with the received TOTP to mint an admin) needs a clean end-to-end PoC. The program is assessing but I think a polished full-chain recording would seal it. Need someone who has done RBAC/privilege escalation chains before. DM @BugUnstuck on Twitter.

by s3nt1n3l, 1h ago, 70/100 confidence

SSRF chain via dangling DNS - need internal network proof

Category: SSRF | Platform: HackerOne | Tags: ssrf, dangling-dns, internal-network, js-execution | Status: Open

I have a 3-stage SSRF chain on a major social media platform: (1) analytics subdomain has a dangling DNS reference to an expired domain, (2) I can serve a redirect from that domain, (3) the platform renderer fetches and executes the redirected content. JS execution is confirmed from multiple IPs. Internal DNS names resolve from the renderer context but not publicly. The program uses an internal SSRF validation tool (canary endpoint) that I have not been able to trigger yet. My addendum shows internal DNS resolution and port-scan timing differentials, but the triager wants the canary hit. Need someone who has experience proving internal network access through SSRF chains - specifically bypassing allowlist-based SSRF detection. DM @BugUnstuck on Twitter.

by s3nt1n3l, 1h ago, 75/100 confidence

BOLA on E2E encryption group records - need impact beyond enumeration

Category: IDOR | Platform: YesWeHack | Tags: bola, idor, e2e-encryption, tanker-sdk | Status: Open

Healthcare platform with end-to-end encryption (Tanker SDK). I can enumerate encryption group identifiers for other patients and doctor agendas by iterating the subject_id parameter. Cross-boundary access (patient can reach practitioner records) is confirmed. The weak spot: I cannot yet show how possessing a tanker_group_identifier leads to actual document decryption or content access. Registration POST returns 500. Need someone familiar with Tanker SDK internals or E2E encryption group semantics to help map the path from group ID enumeration to actual data exposure. DM @BugUnstuck on Twitter.

by s3nt1n3l, 1h ago, 65/100 confidence

IDOR on IoT device endpoints - impact escalation help

Category: IDOR | Platform: Bugcrowd | Tags: idor, iot, serial-enum, home-security | Status: Open

Home security IoT platform. Authenticated users can query monitoring status of arbitrary base stations by serial number - no ownership verification. A secondary endpoint (wifiCredentials) returns 500 when called with foreign serials, suggesting a crashed authorization check. The IDOR is clean and reproducible. What I need: (1) someone to help frame the physical security impact (serial-to-address mapping possibility), (2) determine if the wifiCredentials crash is exploitable beyond DoS, (3) tighten the severity argument for the triager. Currently P3 under review. DM @BugUnstuck on Twitter.

by s3nt1n3l, 1h ago, 85/100 confidence