ShortSingh

Bug hunter earns $12,500 in one month exploiting forgotten subdomain DNS records


A security researcher reported earning $12,500 across two bug bounty payouts in a single month in 2026 by exploiting dangling CNAME records: DNS entries that still point to third-party services which have since been deprovisioned. Although subdomain takeover has been widely treated as a solved or low-priority problem since 2021, the researcher found that many known vulnerable subdomains had remained unpatched for over a year. The methodology relies on an automated recon pipeline that scans roughly 1.2 million domains in under an hour using tools such as subfinder, dnsx, httpx, and nuclei. The stock takeover templates were found to miss several categories of at-risk services: newer SaaS platforms, services that changed hands in an acquisition and left orphaned CNAMEs behind, and custom CDN configurations. The researcher argues that a 'low-severity' classification for such findings does not necessarily mean a low payout in bug bounty programs.
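The summary above describes the triage step but not what a provider-agnostic check looks like. The following is an added example written for this page, not the researcher's pipeline or any of the named tools: it walks each subdomain's CNAME chain over a resolver snapshot and flags targets that return NXDOMAIN regardless of which provider they point at (the case the stock templates miss), then falls back to a body fingerprint for targets that still resolve. The resolver view, provider names (reserved .example TLD), addresses (RFC 5737 documentation ranges), HTTP bodies and the fingerprint table are all constructed for the example.

```python
"""Dangling-CNAME triage over a resolver snapshot (added example; not the
researcher's pipeline). Provider names use the reserved .example TLD and
addresses come from RFC 5737 documentation ranges; all data is constructed."""
from dataclasses import dataclass, field

# Constructed resolver view. A name maps to (record type, value); None models an
# NXDOMAIN answer, and a name absent from the view is also treated as NXDOMAIN.
SAMPLE_VIEW = {
    "www.example.com": ("A", "198.51.100.20"),
    # CNAME to a live SaaS hostname that serves the provider's "unclaimed" page
    "shop.example.com": ("CNAME", "shop-example.storefront-saas.example"),
    "shop-example.storefront-saas.example": ("A", "192.0.2.10"),
    "storefront-saas.example": ("A", "192.0.2.1"),
    # provider still exists, but this tenant hostname was deprovisioned
    "old-blog.example.com": ("CNAME", "old-blog.blog-host.example"),
    "old-blog.blog-host.example": None,
    "blog-host.example": ("A", "192.0.2.2"),
    # custom CDN setup: the gap is two hops down the chain
    "cdn.example.com": ("CNAME", "d111.cdn-provider.example"),
    "d111.cdn-provider.example": ("CNAME", "edge.cdn-provider.example"),
    "edge.cdn-provider.example": None,
    "cdn-provider.example": ("A", "192.0.2.3"),
    # acquired company: the whole target domain is gone, not just one host
    "api.example.com": ("CNAME", "api.acquired-co.example"),
    # misconfiguration, not a takeover
    "loop.example.com": ("CNAME", "loop2.example.com"),
    "loop2.example.com": ("CNAME", "loop.example.com"),
}

# Hypothetical body fingerprints for hosts that resolve but are unclaimed:
# target-name suffix -> marker text the provider serves for unknown tenants.
FINGERPRINTS = {"storefront-saas.example": "this shop is currently unavailable"}
# Constructed HTTP bodies standing in for an httpx fetch of each terminal host.
SAMPLE_BODIES = {
    "shop-example.storefront-saas.example": "<h1>Sorry, this shop is currently unavailable</h1>",
}


@dataclass
class Finding:
    name: str
    chain: list = field(default_factory=list)
    status: str = "resolves"
    detail: str = ""


def follow_cname(name, view, max_hops=8):
    """Walk the CNAME chain from `name`; return (chain, terminal name, status)."""
    chain = [name]
    current = name
    for _ in range(max_hops):
        record = view.get(current)
        if record is None:
            return chain, current, "nxdomain"
        rtype, value = record
        if rtype != "CNAME":
            return chain, current, "resolves"
        if value in chain:
            return chain + [value], value, "cname_loop"
        chain.append(value)
        current = value
    return chain, current, "too_many_hops"


def registrable_base(host):
    """Naive 'last two labels' base; a real tool would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify(name, view=SAMPLE_VIEW, bodies=SAMPLE_BODIES, fingerprints=FINGERPRINTS):
    chain, terminal, status = follow_cname(name, view)
    finding = Finding(name=name, chain=chain, status=status)
    if status == "nxdomain" and len(chain) > 1:
        # The CNAME target no longer exists: a candidate whatever the provider is.
        finding.status = "dangling_nxdomain"
        if view.get(registrable_base(terminal)) is None:
            finding.detail = f"{registrable_base(terminal)} has no records at all (possibly unregistered)"
        else:
            finding.detail = f"{terminal} is gone but its provider domain still exists"
    elif status == "resolves" and len(chain) > 1:
        # Target resolves; fall back to provider fingerprints on the served body.
        body = bodies.get(terminal, "")
        for suffix, marker in fingerprints.items():
            if terminal.endswith(suffix) and marker in body:
                finding.status = "unclaimed_fingerprint"
                finding.detail = f"{terminal} serves the provider's unclaimed-tenant page"
    return finding


SEVERITY = {"dangling_nxdomain": 0, "unclaimed_fingerprint": 1, "cname_loop": 2}


def triage(names, **kw):
    """Return only findings worth a human look, most actionable first."""
    hits = [f for f in (classify(n, **kw) for n in names) if f.status in SEVERITY]
    return sorted(hits, key=lambda f: SEVERITY[f.status])


if __name__ == "__main__":
    for f in triage(sorted(n for n in SAMPLE_VIEW if n.endswith(".example.com"))):
        print(f"{f.status:22} {' -> '.join(f.chain)}  {f.detail}")
```

In a live run the view would be built from real answers, for instance the output of `subfinder -d example.com -silent | dnsx -cname -resp`, and the bodies from an httpx pass over the terminal hosts. Two caveats a reporter should keep in mind: an NXDOMAIN target is necessary but not sufficient, because the takeover only exists if the provider lets an arbitrary account claim that hostname (or the target's base domain is actually registrable), and a resolving target that merely returns a 404 is not evidence on its own. Confirm with a harmless proof-of-control (a text file on the claimed host) before filing, and never route real traffic.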

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.


Related stories

Programming · DEV Community

Why AI Agent Limits Are a Chance to Sharpen Your Engineering Skills

Running several AI agents at once can feel powerful, but users quickly hit hard limits in the form of token quotas, costs, and wait times that halt progress entirely. When agents stall, the author argues the resulting idle time is better spent on reflection than on reflexively buying more tokens. The article draws a parallel between mentoring junior human colleagues and actively reviewing and questioning the decisions an AI agent makes, treating the interaction as a two-way learning process. Engaging critically with an agent's output, for example by asking it to explain its reasoning, is presented as a practical way to build the deeper engineering mindset that makes someone a more effective AI collaborator. The core message is that human judgment, skill-building, and deliberate review remain the most efficient optimizers of time, money, and token usage.

Programming · DEV Community

How to Build a Production-Grade Authentication System Using NestJS

A developer has shared a guide to building a robust, production-ready authentication system with the NestJS framework, covering the key security practices a real-world application needs. The accompanying source code is public on GitHub, in the repository 'secure-authentication-api' under the username PeaceMelodi, for developers to reference and reuse. The resource targets developers who want to implement reliable authentication in their NestJS projects.

Programming · DEV Community

Solo founders should choose alert tools based on required action, not habit

A solo SaaS founder initially defaulted to Slack for real-time alerts due to familiarity from past jobs. After reconsidering, they adopted a new mental model: the right notification tool should be chosen based on what action the alert will trigger, not personal preference. The key principle they settled on is that if you cannot define a clear action to take after receiving a notification, it does not need to be real-time. The founder also noted that a daily digest is often more informative than dozens of individual pings throughout the day. They are still implementing this approach for their own SaaS but consider the framework itself well established.

Programming · DEV Community

Developer Builds PocketDex Tracker to Manage Pokemon TCG Pocket Collections

A developer has released PocketDex Tracker, a web app designed to help Pokemon TCG Pocket players manage and track their card collections. Built with Next.js App Router, React 19, and Supabase, the app lets users mark cards as owned or missing, monitor set completion progress, and search by name, rarity, or type. Supabase handles authentication and a Postgres database with row-level security, ensuring each user's collection data remains private. The app also features a pack recommendation engine that calculates expected pull odds based on cards a user still needs. The project is live on Vercel and open-sourced on GitHub under the repository mwiginton/pocketdex-tracker.
