by usmannk 730 days ago
Hey OP here, thanks for posting. Happy to answer any questions.
5 comments

1. Roughly how many hours did you spend on the two bug reports (from recon to publication) that you have posted on your blog?

2. How extensive is your background in networking, blockchain programming and pen testing?

3. How many other bounties did you commit recon time to before the two successful disclosures?

1. This is really hard to enumerate. I basically am always doing recon and don't do it 1 target at a time either. I'd been looking at Sei's V2 upgrade code on and off for months, and made my report when they merged the v2 branch to master (this action put the code in-scope for a bounty). I'd found a handful of other critical bugs on the way but they were fixed eventually either in the course of normal development or audits. I definitely spent upwards of 40 very focused hrs in total investigating this codebase along with its dependencies Cosmos/Tendermint. Probably much more time less focused. Cosmos&TM are quite big. But those dependencies are used in many other projects too, so it can't be purely accounted towards time on Sei.

2. I am a very experienced security researcher/pentester/whatever we want to call it, specifically in the blockchain niche. I'm OK at the other stuff (reversing, cryptography, web, mobile, etc). Networking probably alright? I'm comfortable saying I have a good mind for security and a wide knowledge of the basics in many fields, then a very deep knowledge of a select few areas.

3. Idk, a lot! Upwards of 20 for sure.

Congrats on your skills, enjoy not having to work on things you aren’t passionate about.
1. For the 2nd issue you found, was the amount you redeemed after being paid really up to $2m USD?

2. From your other comments elsewhere in this thread, it sounds like you are a full-time bounty hunter, correct?

1. Yes, they sent me 2,000,000 USDC.

2. Well, I'm currently not employed full time and I do spend a lot of time bounty hunting. But I mix it in with other things as well, like competitive security reviews on https://sherlock.xyz or https://cantina.xyz and private contracted security reviews.

> ... and private contracted security reviews.

How do you find those? Or does this type of work find you based on your activity on competitive security review sites?

Typically networking. I spent some time working at a reputable firm in this space as well.

One way to do this is to show some chops on the competition sites and then move to one of the organized freelance firms like Spearbit or yAudit. In doing all of these things you'll inevitably meet more people, build a specialty, get some reputation, etc.

What are you doing with all that dough?
Did you have to specify that it was a critical bug or haggle with them? On the immunefi site, their max bounty is set at $1M but you clearly got 2x that.
The project changed to a 1 million dollar bounty after usmannk's report on May 18th.

There's an unofficial project that tracks bounty programs, you can see the change here: https://github.com/infosec-us-team/Immunefi-Bug-Bounty-Progr...