Real bug bounty submissions — vulnerability research, exploitation methodology, and proof-of-concept writeups from coordinated disclosure programs. Every report reflects actual hands-on testing under authorized program scope.
VIEW REPORTS ↓public-api.wordpress.com — the server reflects any attacker-controlled Origin header with Access-Control-Allow-Credentials: true across the entire /wpcom/v2/ API path, allowing a malicious site to make authenticated requests on behalf of any logged-in user. Full writeup covers subdomain enumeration at scale (16K+), Subzy/Corsy triage, authenticated PoC requests, IDOR testing, and source-level review of Jetpack/WooCommerce security commits. Report #3786821 — submitted to HackerOne, awaiting triage.