
Posts

Showing posts from December, 2025

Servers.guru Bug Bounty SCAM: Two Valid Reports, Zero Payment, Zero Accountability

This post documents my negative experience with the servers.guru vulnerability disclosure / bug bounty process. I am writing this publicly because private communication led nowhere, and I believe security researchers deserve honesty and transparency.

The Short Version

I submitted two legitimate security vulnerabilities. Both had real-world impact. Both were clearly explained with reproduction steps. No payment was made. No convincing technical justification was given. You can decide what that says about the program.

Vulnerability #1: OTP Reuse (Authentication Broken)

Category: Authentication / Logic Flaw
Severity: High

servers.guru implemented OTP in a way that defeats the entire purpose of OTP.

What Was Wrong

The same OTP could be reused multiple times instead of being invalidated after first use. This is not a “best practice” issue. This is OTP 101.

Why This Matters

OTPs are meant to be one-time. Reuse allows replay attacks. Any intercepte...

New Scam YourCryptoPal: My Experience Reporting a Security Vulnerability to YourCryptoPal

As someone deeply invested in cybersecurity, I recently discovered a serious security vulnerability in YourCryptoPal, a platform that claims to prioritize user safety. Following responsible disclosure practices, I reported the issue to them, expecting a professional response and acknowledgment.

Dismissal and Accusation – Instead of thanking me for responsibly reporting a potential threat, the team at YourCryptoPal accused me of being a scammer. This was not only unprofessional but deeply insulting.

Failure to Compensate – Many platforms offer bug bounties or rewards to incentivize responsible disclosure. Despite my clear report and evidence, they did not pay the promised reward.

Lack of Accountability – I reached out multiple times, seeking clarification and resolution, but received no constructive response.

Why Responsible Disclosure Matters

Reporting security vulnerabilities is critical for the safety of all users. When platforms ignore, insult...

I reported a stored XSS at SurvivalServers — the bug was fixed, but they refused to pay and responded with threats — here’s my story (SCAM)

Responsible disclosure met with intimidation. I’m sharing my timeline and proof so researchers and customers can judge for themselves.

TL;DR

On October 19, 2025 - 8:13 AM PST I responsibly reported a stored XSS (HTML) vulnerability to SurvivalServers (https://www.survivalservers.com). Their team fixed the issue, but refused to pay the bounty I requested. I later received a message from the company’s CEO, Ryan Pennington (screenshot attached), which I found threatening and inappropriate. I am publishing my timeline and evidence so the security community and potential customers can decide how to respond.

My timeline

I discovered a stored XSS (HTML) vulnerability affecting [short description of the component: e.g., “user profile comments” or “server description field” — do not include exploit code here]. I reported the issue to SurvivalServers via support following responsible disclosure practices. I included repro...

My Experience With PrivateAlps.net – Scammers

A Warning After Racist Insults and Unprofessional Behavior

I’ve worked with many bug-bounty programs, but nothing prepared me for the absolute disrespect I faced with PrivateAlps.net.

Domain: https://privatealps.net/

I’m writing this to share MY personal experience, exactly how things happened from my side, because no researcher should ever be treated like this.

What Happened

I reported real vulnerabilities. I put in the time, the effort, and the skill. They paid me $210 for one of the reports — fine. But when it came to the larger report, worth far more than $1,000 by standard industry value, everything went downhill. And then comes the part that still disgusts me: In my experience, their communication included racist insults. According to what I personally received from them, I was told things along the lines of: “Go f*** yourself, you Indian.”

This is not just unprofessional — it’...