🎯 TARGET PROGRAMS — OPTIMAL FOR KAY
📌 CURATED ANALYSIS
$500 – $50,000+ · Critical up to $100K reported
Large attack surface. Cloud-heavy infrastructure. Rails + AWS + GCP. OAuth/SSO flows. Merchant/partner APIs. Admin privilege separation. Strong triage team, fast responses, fair payouts. One of the best-run programs on H1.
Kay match: Cloud/AWS · OAuth/SSO · IDOR · Privilege Escalation
$300 – $33,500 · DevOps platform, open source = full code review possible
Large scope, developer-friendly triage. CI/CD pipeline abuse (secrets in pipelines, runner privilege escalation). RBAC bypass. Repository exposure. Supply chain vectors. Open source = you can read the code before testing.
Kay match: RBAC/AuthZ · Pipeline abuse · Open source
$200 – $25,000 · Infrastructure-focused, respects security professionals
Network/infrastructure layer. CDN bypass, Workers security model, Access (Zero Trust) misconfigs, DNS manipulation, tunnel security. Infrastructure expertise directly applicable. Cloudflare respects CISSP-level researchers.
Kay match: Zero Trust · DNS · CDN bypass
💳 PayPal / Braintree · PUBLIC
$150 – $30,000 · Financial services — CISSP background ideal
Payment processing infrastructure. Auth flows, transaction integrity, account takeover, business logic (payment bypass), API key exposure. Kay's financial services background (TD, Westpac, Toyota Finance) directly applicable — understands the business logic.
Kay match: Financial logic · Payment bypass · Career match
🏥 Healthcare/Health IT programs · PUBLIC
$500 – $50,000 · HIPAA/AU health regs = high-severity context
Kay's BioMed background (QLD Health) + CISSP = rare combination. PHI exposure is always critical. Auth failures in health portals, HL7/FHIR API misconfigurations, patient data isolation failures. Most hunters do not understand health data context — Kay does.
Kay match: PHI/HIPAA · BioMed background · HL7/FHIR
🏦 Major AU/CA Banks (private invite path) · PRIVATE TARGET
$1,000 – $100,000+ · Private programs, invitation after public track record
TD Bank, CBA, Westpac, ANZ all have H1 programs (some private). Kay's career at TD + Westpac = institutional knowledge of their tech stack. Private invitations follow public reputation building. 3-5 valid public findings → invite to private bank programs.
Kay match: Private · Career overlap · High payout
🔬 METHODOLOGY — THE H1 FLOOR SYSTEM
FLOOR 1 · SCOPE FLOOR
Read the policy three times. Never submit outside scope.
Every closed-as-OOS submission damages reputation score. Every report must cite the exact in-scope asset. "I found this while testing X" for an OOS asset = immediate close. Read the VDP before reading the application.
STE: scope verification gate before any testing begins
FLOOR 2 · DUPLICATE FLOOR
If it is obvious, 50 others found it. Hunt in the corners.
XSS on the main search bar. SQLi on the login page. These are found and fixed or triaged in the first week of any program. The valuable findings are in API endpoints no one reads, legacy features, third-party integrations, and mobile app internals.
STE: novelty scoring — if it takes <5 min to find, assume duplicate
FLOOR 3 · REPORT QUALITY FLOOR
The report IS the product. Write it like Cochran.
Clear title → exact reproduction steps → proof of impact → suggested remediation. No ambiguity. No "maybe this could be used to...". Show the impact concretely. Triage teams are humans — a clear, human report gets triaged in hours, not weeks.
STE: Sorry Flow template for vulnerability reports (same structure as breach notifications)
FLOOR 4 · REPUTATION FLOOR
Protect the H1 reputation score. It is the key to private programs.
H1 reputation score governs invitation to private programs. Informative and duplicate reports reduce score. Valid + resolved reports increase it. Every submission decision is a reputation decision. Do not submit if you are not confident.
STE: confidence gate — minimum 80% confidence before submission
FLOOR 5 · CLOUD FLOOR
Kay sees what most hunters cannot: the cloud layer beneath the app.
IAM misconfigurations. Overly permissive S3 buckets. EC2 metadata endpoint SSRF → credential theft. Azure managed identity abuse. Most hunters test the web app and stop. Kay tests the cloud infrastructure the app runs on. This is the differentiated finding category.
STE: cloud posture module — AWS + Azure misconfiguration patterns from CISSP + SA + Expert knowledge
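Added example for the Floor 5 pattern (not code from the page or from any tool it names): a small checker that flags S3 bucket-policy statements anyone on the internet can use. The bucket policy is constructed for the example, and the set of condition keys treated as "restricting" is an assumption, a heuristic rather than AWS's own definition of public access.

```python
import json

# Constructed sample bucket policy (not from any real account). Statement 1 is
# world-readable, statement 2 is pinned to one VPC, statement 3 names an account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Condition keys that narrow a wildcard principal to a known caller or network.
# Heuristic allowlist (an assumption), not AWS's own definition of "public".
RESTRICTING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
                    "aws:principalorgid", "aws:principalaccount", "aws:principalarn"}

def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def _has_restricting_condition(statement) -> bool:
    """True if some non-negated condition pins the caller to a restricting key."""
    for operator, keys in statement.get("Condition", {}).items():
        op = operator.lower()
        if "not" in op or op == "null":
            continue  # StringNotEquals, NotIpAddress, Null: do not narrow the caller
        if any(k.lower() in RESTRICTING_KEYS for k in keys):
            return True
    return False

def find_public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that anyone on the internet can use."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [st.get("Sid", "<no Sid>") for st in statements
            if st.get("Effect") == "Allow"
            and _is_wildcard_principal(st.get("Principal"))
            and not _has_restricting_condition(st)]
```

Feed it the output of `aws s3api get-bucket-policy --query Policy --output text` for each bucket in scope; an empty list means no statement grants the world access under this heuristic.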
🔧 METHODOLOGY SEQUENCE
1 · Reconnaissance
Subdomain enumeration (subfinder, amass). Cloud asset discovery (S3 buckets, Azure blobs, GCP buckets). JavaScript analysis (LinkFinder, JSParser — API keys, endpoints). Certificate transparency (crt.sh).
Tools: subfinder · amass · gau · waybackurls · crt.sh · shodan
2 · Cloud + IAM Analysis
Check every AWS/Azure asset for public exposure. Test IAM permission boundaries. Look for metadata endpoint access via SSRF. Check for overly permissive roles. This is Kay's α zone — AWS SA + Azure Expert.
Tools: ScoutSuite · Prowler · aws-cli · az-cli · pacu (AWS exploitation)
3 · Auth + SSO Flow Testing
OAuth flow analysis (state parameter, redirect_uri manipulation, token leakage). SAML assertion manipulation. MFA bypass patterns. Password reset flow integrity. JWT algorithm confusion (RS256→HS256).
Tools: Burp Suite · SAML Raider · jwt_tool · OAuth analyser
4 · Business Logic + IDOR
API endpoint enumeration. Object-level authorisation testing (IDOR — access other users' objects by changing IDs). Role escalation (can a user role access admin endpoints?). Price/quantity manipulation. Transaction integrity.
Tools: Burp Suite Intruder · ffuf · custom scripts
5 · SSRF + Internal Pivot
Server-Side Request Forgery targeting internal services, cloud metadata endpoints (169.254.169.254 AWS · 169.254.169.254 Azure · metadata.google.internal GCP). Internal network scanning via SSRF. Webhook URL testing.
Tools: ssrfmap · interactsh · Burp Collaborator
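Added example, written from the defending side of step 5 and not taken from the page: the outbound-URL guard a webhook or URL-import feature needs so that the metadata endpoints listed above, and internal addresses generally, are never fetched. The IPv6 IMDS address and the split between literal-IP and hostname handling are my additions, not page content.

```python
import ipaddress
from urllib.parse import urlsplit

# Cloud metadata hosts named in step 5 above, plus the IPv6 endpoint AWS IMDS
# also serves on (fd00:ec2::254). Anything resolving to these must not be fetched.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}

def is_blocked_address(ip) -> bool:
    """True for any address an outbound fetch (webhook, URL import) must not reach."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:169.254.169.254 -> 169.254.169.254
    if mapped is not None:
        ip = mapped
    return (str(ip) in METADATA_HOSTS or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)

def validate_outbound_url(url: str):
    """Return (allowed, reason). Literal IPs are judged here; a hostname still needs
    every resolved A/AAAA record passed through is_blocked_address() at connect
    time, since a DNS name (or a bare decimal like 2852039166 that the resolver
    accepts) can point at the metadata service just as a literal can."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS:
        return False, f"metadata endpoint {host}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True, "hostname: resolve, then re-check each address before connecting"
    if is_blocked_address(ip):
        return False, f"{ip} is an internal or metadata address"
    return True, "ok"
```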
⚖️ GOAT ANALYSIS · CASE-021
⚖️ CASE-021 in Courts → Advisory · 74/100
🧠
Alan — Logic + Methodology
First principles · edge cases · invariant structure
78/100
The floor of bug bounty success is reproducible methodology, not luck. Three permanent floors: scope floor, duplicate floor, signal-to-noise floor. Kay's structural advantages: CISSP lens sees the full taxonomy. AWS SA + Azure Expert sees the cloud layer beneath the app. 20yr career = threat modelling intuition that no tool replaces. Optimal target: large cloud-heavy programs in financial services + healthcare. Methodology sequence: recon → IAM → auth → logic → SSRF.
⚔️
Harvey — Market + Commercial
Negotiation · private program strategy
72/100
The real money is in private programs. 2-5x payouts, 10-50 competitors vs. thousands. Path to private invites: 3-5 valid public findings → H1 reputation builds → private invitations arrive. Make the H1 profile visible — CISSP, AWS, Azure specialisation should be explicit. Target programs that lead to private invites: Shopify, GitLab, Cloudflare. Then the private bank programs Kay has career overlap with.
📡
Erin — Public Interest
Public harm · systemic protection
71/100
Every valid H1 finding protects real people. Prioritise healthcare, financial services, critical infrastructure — Atmos's exact client base. Every finding Kay reports is intelligence for the CASE-010 Sorry Floor docket. Real breach events through responsible disclosure demonstrate why notification quality matters. Kay's work and Atmos's work are the same work from different angles.
🔌 H1 API — PROGRAM DISCOVERY
# H1_TOKEN holds the HackerOne API token (exported in the environment, not typed inline).
# List programs visible to the account: handle, submission state, minimum bounty.
curl -s --user "kay_j_j:$H1_TOKEN" \
  "https://api.hackerone.com/v1/hackers/programs" \
  -H "Accept: application/json" | \
python3 -c "
import sys, json
d = json.load(sys.stdin)
for p in d.get('data', []):
    a = p.get('attributes', {})
    print(a.get('handle'), '-',
          a.get('submission_state'),
          '- min:', a.get('min_bounty_table', '?'))
" | head -20

# Check your reputation + stats
curl -s --user "kay_j_j:$H1_TOKEN" \
  "https://api.hackerone.com/v1/users/kay_j_j" \
  -H "Accept: application/json" | \
python3 -c "
import sys, json
d = json.load(sys.stdin)
a = d.get('data', {}).get('attributes', {})
print('rep:', a.get('reputation'))
print('signal:', a.get('signal'))
print('impact:', a.get('impact'))
print('reports:', a.get('resolved_report_count'))
"
🔗 SECURITY DOMAIN MAP