Funny Bug Bounty Reports #1

This is the first part in my new series “Funny Bug Bounty Reports”. These are not judged on their merits, technical abilities, or anything other than whether they make me laugh. Today, I bring you the discovery of CVE-2025-24813 at HackerOne, which was an RCE in Apache Tomcat.

Certificate

In particular, the first sentence is lol. I will start declaring myself at the start of reports.

I am sw0rd1ight. I found an Apache Tomcat RCE vulnerability in tomcat 9.0.98.

But anyway, it is a cool bug - kudos to sw0rd1ight. I feel like they should have received a slightly higher payout, but I suppose it takes a bit of star alignment to actually exploit this.

Stay tuned for the next episode!

This post is licensed under CC BY 4.0 by the author.