Hey I got a quick newbie question for y’alls: I’ve recently taken up bug bounties (even for programmes or assets that are not eligible for payment) and found vulnerabilities in assets that have been previously discovered by other security engineers. Like for example, I found a reflective XSS vulnerability on one organisation’s website, and another critical bug for another organisation. But another researcher beat me to it 
Like the title of this thread suggests, do duplicate reports where I have discovered vulnerabilities on assets that have been previously discovered by others? Could this be valuable for personal growth, or for contributing to the community in making life harder for malicious hackers?
Sorry if this is a silly question. I am a newbie and eager to hear your thoughts and opinions!
seems to me that if the report is truly a duplicate, then you’re on the right track… you have a legit submission, someone beat you to it.
I guess the next question I’d ask… are they taking into account “how” you got to the answer. you might submit a method that is different than the original ticket. That does require them to review the ticket and your methods.
3 Likes
seems to me that if the report is truly a duplicate, then you’re on the right track… you have a legit submission, someone beat you to it.
yeah lol at least I’m not submitting low quality reports 
I do write proof-of-concepts in Python for demonstrating the existence of a bug (like, for example, using Python’s requests module to make HTTP requests with the payload in them & then inspecting the returned HTML for evidence of the payload). idk if other folk do that, from my experience reading disclosed reports, it’s not that common (but that’s just my casual experience 
).
Dupes are definitely valuable, especially when you’re starting out. Except for the fact that it’s a validation that you’re on the right track, as @BrBr.Prime said, it’s also good to add to your portfolio. Regardless of the payout, you found a bug in a real-world system that affects real people!
You can definitely do a writeup on these findings to show your growth and knowledge, As long as you don’t hunt for money exclusively, a bug is a bug 