BIPI

Avoiding Duplicates: Timing, Recon Edge, and Reading the Hacktivity Tea Leaves


Duplicates kill hours and dent your Signal. Learn the timing windows, recon edges, and hacktivity signals that separate hunters who get paid from hunters who get the Dup tag and move on.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 5, 2023 · 8 min read

#duplicates #recon #bug-bounty #timing #hacktivity

Duplicates are a research failure

A duplicate is not bad luck; it is a sign that you hunted where everyone else hunted, with the tools everyone else uses, at the time everyone else hunts. The fix is to change at least one of those three.

Timing windows that matter

  • New program launch: the first forty-eight hours are a duplicate bloodbath.
  • Scope expansion: the first week after a new asset is added is hot but crowded.
  • Acquisition merge: the moment an acquired company is added to scope is gold for a small window.
  • Quiet Sunday morning: when most hunters are not active, you can win races on the triage queue.

Recon edge, what actually works

  1. Custom wordlists built from the target's own JavaScript and documentation.
  2. Historical certificate transparency data, not just current subdomains.
  3. Internal tooling that nobody else has, even a small advantage compounds.
  4. Deep authenticated recon, after creating multiple test accounts in the target.
  5. Mobile and desktop app endpoints that web-only hunters never see.

Reading hacktivity tea leaves

Public hacktivity disclosures tell you what the program has already paid for. If a category has been resolved in the last sixty days, expect a duplicate. If the program has paid for IDOR three times this quarter, the obvious IDOR you just found is probably the fourth report this week.

When to submit immediately

  • Critical impact, where every hour of delay risks weaponization or disclosure.
  • Time-bound bugs, like a misconfigured cache that may be fixed in a deploy.
  • Findings tied to a known CVE that just dropped, where many hunters will race.

When to delay submission

  • Friday evening, when triage will not see it until Monday and Signal can wait.
  • When you can extend the chain by another bug, increasing severity and uniqueness.
  • When the program is paused or under known triage backlog.

Duplicate prevention checklist

  1. Search the program hacktivity for similar categories in the past one hundred eighty days.
  2. Search public CVE databases for the target's software stack.
  3. Search GitHub for the target's open issues, where bugs are sometimes pre-disclosed.
  4. Confirm the bug is not in a known third-party component already disclosed.
  5. Check if the bug class is in the program's known issues or out-of-scope list.

The bug is not yours until the report is submitted. Until then, half the platform is racing you.
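
The sixty-day and three-per-quarter signals from the hacktivity section, combined with the 180-day lookback in checklist step 1, can be applied to a hand-collected list of disclosures. This is an added example, not BIPI's tooling: the records are constructed, "this quarter" is assumed to mean the trailing 90 days, and the high/medium/low labels are hypothetical.

```python
from datetime import date

# Constructed sample: (resolved_on, category) copied by hand from a
# program's public hacktivity page. Not real disclosure data.
SAMPLE_DISCLOSURES = [
    (date(2023, 4, 20), "IDOR"),
    (date(2023, 3, 28), "IDOR"),
    (date(2023, 2, 15), "IDOR"),
    (date(2023, 1, 10), "XSS"),
    (date(2022, 12, 1), "SSRF"),
    (date(2022, 9, 1), "XSS"),
]

RECENT_DAYS = 60     # category resolved in the last sixty days: expect a duplicate
QUARTER_DAYS = 90    # assumption: "this quarter" = trailing 90 days
CROWDED_COUNT = 3    # three payouts for one class in the quarter
LOOKBACK_DAYS = 180  # checklist step 1 search window

def duplicate_risk(disclosures, category, today):
    """Return (label, reasons) for a finding in the given category."""
    wanted = category.strip().lower()
    ages = sorted((today - resolved).days for resolved, cat in disclosures
                  if cat.strip().lower() == wanted and resolved <= today)
    in_lookback = [a for a in ages if a <= LOOKBACK_DAYS]
    in_quarter = [a for a in ages if a <= QUARTER_DAYS]
    reasons = []
    if in_lookback and in_lookback[0] <= RECENT_DAYS:
        reasons.append(f"last resolved {in_lookback[0]} days ago")
    if len(in_quarter) >= CROWDED_COUNT:
        reasons.append(f"{len(in_quarter)} disclosures in {QUARTER_DAYS} days")
    if reasons:
        return "high", reasons
    if in_lookback:
        return "medium", [f"{len(in_lookback)} disclosure(s) in {LOOKBACK_DAYS} days"]
    return "low", ["nothing in the lookback window"]

def rank_categories(disclosures, today):
    """List every category seen, most duplicate-prone first."""
    order = {"high": 0, "medium": 1, "low": 2}
    cats = sorted({cat.strip() for _, cat in disclosures})
    scored = [(c, duplicate_risk(disclosures, c, today)[0]) for c in cats]
    return sorted(scored, key=lambda item: (order[item[1]], item[0]))

if __name__ == "__main__":
    for cat, label in rank_categories(SAMPLE_DISCLOSURES, date(2023, 5, 5)):
        print(cat, label, duplicate_risk(SAMPLE_DISCLOSURES, cat, date(2023, 5, 5))[1])
```

A "low" result only means the public record is silent; undisclosed reports still count toward duplicates.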

What to do when you eat a duplicate

Read the original report if disclosed. If their report is weaker than yours, request collaboration credit; some programs allow it. If their report is stronger, learn the angle they took and adjust your hunting style. Either way, do not argue; the dup tag is final on most platforms.
