tl;dr in this blog post I am going to talk about some bug bounty left over with a little rant. Here you can find bug bounty left over part I and II Here you can find bug bounty rant part I and II Introduction In one of my previous post I was saying that: "The rule #1 of any bug hunter... is to have a good RSS feed list." Well well well allow me in this post to state rule #2 (IMHO) "The rule #2 of any bug hunter is to DO NOT be to fussy with 'food' specifically with left over" aka even if the most experience bug hunter was there (and it definitely was my case here, given the fact we are talking about no one less than filedescriptor ) do not assume that all the vulnerabilities have been found! So if you want some examples here we go. Part I - Google I have the privilege to receive from time to time Google Vulnerability Research Grant . One of the last I received had many target options to choose from, but one in particular caught my