12 Case Studies

Created based on real-world disclosed reports and writeups to find out what payloads work in real-life and not just in a training lab.

$6.7M worth of bounties analyzed

Across all the case studies, I analyzed 1502 disclosed reports that sum up to $6,747,289.75 in bounties.

Databases, payloads, checklists included

Every case study includes the database of reports and some offer even more. For example, the XSS case study comes with a wordlist of vulnerable parameters, and the Account Takeover case study includes a checklist.

Data-driven bug bounty learning

If you're an intermediate or advanced web application hacker, you won't get better in bug bounty in a training lab. It's time to see what works in the world of bug bounty and hunt yourself.

Case studies teach you what really works based on disclosed bug bounty writeups. Each one focuses on a specific bug class. You’ll see how top hackers approach targets, chain bugs, and write reports that get rewarded. You also get access to a database of all the reports if you want to go deeper.





CASE STUDIES

Case studies teach you what really works in real-world bug bounty hunting. Each one breaks down a disclosed bug bounty writeup focused on a specific bug class. You’ll see how top hackers approach targets, chain bugs, and write reports that get rewarded. You also get access to a database of all the reports if you want to go deeper.

gregxsunday

gregxsunday

$299

XSS Case Study


XSSes are everywhere. They’ve been the most common vulnerability class for years. But while popping an alert may seem simple, there’s much, much more to cross-site scripting.

Here’s the table of contents of this case study:

  1. What XSS types are the most common?
  2. Why did the XSSes occur?
  3. Where were these XSSes found?
  4. How many of them were blind?
  5. What payloads were used?
  6. What filter bypasses were used?
  7. What was the impact?
  8. How often did attackers need to bypass CSP?
  9. The wordlist of vulnerable parameters
  10. The database with 174 reports

Account Takeover Case Study



The number of $20k+ reports in the account takeover case study absolutely shocked me! I knew there were a lot but I didn’t expect that many. In total, I studied reports worth $1,308,980.70 of bounties. Yes, over $1,3 million! And I liked the outcome of the case study equally as I liked this number. I think it’s the best case study I’ve written so far.

I also created a checklist based on those reports so that you know what things you should check for when hunting for account takeover bugs.

From this article you can learn:

  1. What attacks are more lucrative – client-side or server-side?
  2. How user interaction influences bounty amount?
  3. What functionalities are most susceptible to account takeovers?
  4. What are the most common ways to takeover an account?
  5. Checklist – what to check for to find account takeovers
  6. The report database

IDOR Case Study



IDORs are often recommended as the easy vulnerability class, good to start the bug hunting journey. “Just change the ID in the URL parameter” they say. But are they really that easy? Well, to find it out, I analysed 187 public bug bounty IDOR reports to see how are people really making money with IDORs.

From this article you can learn:

  1. Where to look for IDORs?
  2. What’s usually the impact of an IDOR?
  3. What’s the most common place for a payload? (spoiler: it’s not the URL query!)
  4. What are the most common identifier types?
  5. How to predict the identifier?
  6. Protection bypasses
  7. Parameter wordlist
  8. The database with 187 reports

And there's 9 more case studies...


What do the users say?








STUDY PACKS

Learn bug bounty and web security with me

CASE STUDIES

Case studies teach you what really works in real-world bug bounty hunting. Each one breaks down a disclosed bug bounty writeup focused on a specific bug class. You’ll see how top hackers approach targets, chain bugs, and write reports that get rewarded. You also get access to a database of all the reports if you want to go deeper.

gregxsunday

gregxsunday

$299

DEVTOOLS

DevTools can help you understand how frontends actually work. This series walks through the tabs and features you’ll use when debugging JavaScript, setting breakpoints, and analyzing client-side flows during bounty hunting. It’s built around real use cases, with a focus on clarity and signal over noise.

gregxsunday

gregxsunday

$99

OAUTH SERIES

This OAuth series covers the kinds of bugs that show up in real bounty reports. It breaks down OAuth step by step - from how OAuth works, to what each parameter does, to the bugs those parameters can introduce. You’ll also learn lesser-known techniques, including server-side issues and what recon looks like in the context of OAuth.

gregxsunday

gregxsunday

$99

Built by a hacker, not a marketer

GRZEGORZ NIEDZIELA

I was a pentester but I made a decision to quit my job for bug bounty and creating content. I’m documenting my learning journey by creating the best materials about web-security in the form of this newsletter, Bug Bounty Reports Explained YouTube channel, Bug Bounty Reports Discussed podcast and all the other social media channels.

Also:

  • 2x HackerOne Live Hacking Event participant
  • Bug selected for the Show&Tell at h1-0131
  • H1 Ambassador for Poland;I led team Poland to the AWC 2025 quarterfinal
  • Member of the justCatTheFish CTF team
  • HackerOne advisory board member

SOME OF THE COMPANIES I'VE HELPED TO SECURE








FAQ

Who is this for?

Intermediate and advanced web application hackers who'd like to improve in bug bounty.

Who is this not for?

This content is not for beginners. If you're just starting out, you have plenty of free resources to learn from.

Do I get lifetime access?

Yes. One-time payment and the content is yours forever.

Should I buy this if I had access to the old BBRE Premium archive?

No, if you were a member of BBRE Premium, you already have access to all this content.

Refunds?

All sales are final but I can guarantee you won't regret it.

How to contact me in any matter?

Use the email [email protected]. Please don't DM me on social media as I'll probably not see it anyway.