
Critical Thinking - Bug Bounty Podcast Episode 167: Stealing Bugs with Valeriy Shevchenko
Mar 26, 2026
Valeriy Shevchenko (Krevetk0) is an experienced bug bounty hunter and program manager known for high-impact findings. He recounts early big wins and how to prove transient vulnerabilities. He explores scope expansion via supplier chains and proxies. He reveals a striking report-theft case, how leaks happen, and practical mitigations like watermarks and server-side POCs.
AI Snips
10K Paid For A Burned But Valid Credential Leak
- Valeriy documented an AWS credential exposure during acquisition prep; the exposed server was shut down shortly afterwards, but the credentials captured in his screenshots still granted access via the AWS CLI.
- He validated live access, submitted to the program after acquisition completed, and received about $10–12K because the exposure proved real.
Document Everything With Screenshots And POCs
- Always record strong evidence like screenshots and video POCs because triage delays or service shutdowns can make live replication impossible.
- Save Burp captures and raw requests, and reuse captured credentials or CLI validation to prove a transient exposure.
Third Party Debug Mode Led To Main Site Admin Access
- Valeriy found a third-party agency link that exposed a Symfony debug page and phpinfo output containing credentials, which led to WordPress admin access and content tampering across the main brand.
- The supplier reused credentials across environments, letting him pivot from an out‑of‑scope supplier to in‑scope main sites, forcing the org to shut services and rotate secrets.
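The debug page and phpinfo exposure described above is a configuration problem on the supplier's side. As an added example that is not from the episode or from any party involved, this is what the weak settings look like next to the hardened ones on a Symfony application; the file locations assume a standard Symfony Flex layout, and the credential line is a placeholder.

```ini
# .env (Symfony): weak vs hardened. Assumes a standard Symfony Flex project.
# WEAK: dev environment with debug on. Any unhandled error renders the Symfony
# exception page (stack traces, request data, dumped configuration) to the client.
#APP_ENV=dev
#APP_DEBUG=1

# HARDENED: production environment, debug off. Exceptions become generic error
# pages, and the /_profiler and /_wdt routes are not registered because
# config/bundles.php enables WebProfilerBundle only for 'dev' and 'test'.
APP_ENV=prod
APP_DEBUG=0

# Secrets belong in Symfony's secrets vault or the deployment platform, not in a
# committed .env. If a value like this is ever exposed, rotate it everywhere it
# was reused; per-environment credentials stop the supplier-to-main-site pivot.
# DATABASE_URL=<placeholder, never commit real credentials>

; php.ini: keep phpinfo() and version banners off production hosts.
; WEAK (common defaults on dev images): phpinfo() callable, errors on screen,
; PHP version advertised in the X-Powered-By header.
;expose_php = On
;display_errors = On

; HARDENED: phpinfo() disabled, errors to the log only, no version header.
expose_php = Off
display_errors = Off
log_errors = On
disable_functions = phpinfo
```

After deploying, a defender's check is to request a non-existent route and a URL under /_profiler on the production host and confirm that both return a generic error page rather than the Symfony exception page or a profiler panel.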
