Niche Security Target Scout

A focused scouting report for authorized niche bug bounty targets in privacy-heavy and stigmatized verticals, ranked by achievability and reward potential.

12 May 2026
01 / 09

Niche Security Target Scout

A second scouting round focused on authorized, niche, potentially stigmatized fields where generic agents are less likely to swarm — while staying strictly inside legal bug bounty / VDP boundaries.

02 / 09

Executive read

The best direction is not Reddit gigs and not broad HackerOne spray-and-pray.

The best direction is a small set of privacy-heavy, integration-heavy programs where:

  • the program is explicitly authorized,
  • the vertical is sensitive enough that privacy bugs matter,
  • the bug classes are achievable without aggressive scanning,
  • the report can be written cleanly from passive evidence, local reproduction, or owned test accounts only.

03 / 09

Top targets

1. Sweed — cannabis retail/POS

Field: cannabis retail technology / POS / ecommerce
Platform: HackenProof
Reward: $50–$2,000 listed; Critical $1,200–$2,000, High $500–$1,200, Medium $200–$500, Low $50–$200
Why it is interesting: cannabis retail is regulated, privacy-sensitive, and less glamorous than AI or crypto. It has POS, customer profiles, ecommerce, inventory, admin panels, cashier systems, and tenant-like workflows.

Achievable angles:

  • tenant isolation between demo/store/admin panels,
  • cashier/admin role authorization,
  • order/customer PII exposure,
  • payment/order state logic,
  • file/export/report access control.

Risks / rules: HackenProof page requires 100 reputation points and PoC; no automated scanners; no data compromise; only scoped targets; AI-generated reports without runnable PoC are not accepted.

Verdict: Best match for “niche, less agent-targeted, still achievable.”

2. Request Finance — crypto invoicing/accounting

Field: crypto invoicing, accounting, payments
Platform: self-hosted bug bounty / email reporting
Reward: up to €20,000; Low up to €2,000, Medium up to €10,000, High up to €15,000, Critical up to €20,000; paid in ETH or REQ.

Why it is interesting: not taboo exactly, but niche and financially sensitive. Invoice/payment/accounting workflows often have role, workspace, and state-machine bugs.

Achievable angles:

  • invoice/workspace authorization,
  • wallet/address substitution,
  • organization role escalation,
  • payment status desync,
  • export/attachment data leakage.

Risks / rules: self-adjudicated bounty; avoid real payment impact; public disclosure invalidates bounty; report privately only.

Verdict: Highest upside with a realistic web/app logic angle.

3. Flo Health — fertility / reproductive health

Field: fertility, sexual/reproductive health
Platform: HackerOne
Reward: Flo states valid vulnerabilities rewarded only through HackerOne; exact current ranges require platform view.

Why it is interesting: reproductive-health data is extremely sensitive. Privacy, export, consent, account-linking, subscription, and deep-link flows matter.

Achievable angles:

  • account linking / email-change issues,
  • privacy/export endpoints,
  • subscription entitlement desync,
  • health-data visibility between accounts/devices,
  • tracking/deep-link token leakage.

Risks / rules: very sensitive data; only use owned test accounts and minimal proof. Never touch real user data.

Verdict: Strong privacy-impact candidate, but needs careful scope review.

4. FetLife — kink/adult social

Field: adult/kink social network
Platform: HackerOne
Reward: HackerOne directory lists bounties with $100 minimum.

Why it is interesting: identity exposure in a kink community has real-world harm. Many researchers avoid adult/kink platforms, so stigma may reduce crowding.

Achievable angles:

  • private group/media access control,
  • block/privacy bypasses,
  • notification/email leakage,
  • IDOR on media/profile/group objects,
  • account/session recovery flaws.

Risks / rules: extremely sensitive identities. Use only test accounts, no scraping, no real-user data.

Verdict: Good niche if scope allows own-account testing.

5. Chaturbate / XVideos / Stripchat-style adult platforms

Field: adult/live-cam/video
Platform: HackerOne for Chaturbate and XVideos; Stripchat appears in public tracker data as a HackerOne program with a $200–$3,000 range.

Why it is interesting: adult platforms have high privacy stakes, creator payout flows, media handling, moderation/reporting, and account/session complexity. Stigma reduces casual participation.

Achievable angles:

  • creator payout/account authorization,
  • media visibility mistakes,
  • private messages/session/privacy controls,
  • upload/reporting workflows,
  • account recovery and email-change issues.

Risks / rules: content boundaries, adult material handling, and real-user privacy. Avoid viewing/downloading private content or touching real-user data.

Verdict: Strong niche, but operationally delicate.

6. Flutter UK&I / FanDuel / Superbet — betting/gambling

Field: gambling, sports betting
Platform: HackerOne
Reward: Flutter UK&I $250 minimum in HackerOne directory; FanDuel $100 minimum; Superbet reportedly $100 minimum.

Why it is interesting: gambling has account, KYC, bonus, payment, and compliance workflows. Less pleasant than shiny SaaS, but business-logic risk can matter.

Achievable angles:

  • account/session authorization,
  • bonus/promo logic with security impact,
  • KYC/document visibility,
  • webhook/payment-state desync,
  • API IDOR.

Risks / rules: do not abuse wagering, payments, bonuses, or KYC. Only safe proof-of-concept and scoped testing.

Verdict: Good high-signal target class, but requires very strict scope discipline.

7. Bumble / Tinder — dating/social

Field: dating and social matching
Platform: HackerOne
Reward: Bumble $130 minimum, Tinder $250 minimum in HackerOne directory.

Why it is interesting: the privacy and safety impact is obvious across profile/media privacy, location, and block/match/message authorization.

Achievable angles:

  • media/profile access control,
  • block/match bypasses,
  • location leakage,
  • message authorization,
  • account linking and session flaws.

Risks / rules: anti-abuse systems, privacy/harassment sensitivity, no scraping.

Verdict: Valid but likely more crowded than adult/cannabis/crypto-accounting.

04 / 09

Best first three

A. Sweed

Best mix of niche, authorized scope, achievable web bugs, and less obvious agent crowding.

B. Request Finance

Highest upside and good fit for logic/authorization/payment-state analysis.

C. FetLife or Flo Health

Pick based on comfort and scope. Both are privacy-heavy; both reward careful restraint.

05 / 09

Safe methodology

Allowed first pass

  • Read program scope and rules.
  • Inspect public docs, changelogs, API docs, and public JavaScript bundles.
  • Search public GitHub/GitLab for old SDKs, leaked configs, or public integration examples.
  • Check public CVE databases for declared plugins/dependencies.
  • Reproduce risky claims locally when possible.
  • Use only owned test accounts if the program permits it.

Avoid

  • automated scanning unless explicitly allowed,
  • fuzzing production endpoints,
  • brute force, credential stuffing, or password spraying,
  • scraping users or enumerating accounts,
  • accessing third-party data,
  • social engineering,
  • destructive tests,
  • payment/wagering abuse,
  • live exploitation beyond minimal proof.

06 / 09

Achievable bug classes

  1. IDOR / broken object authorization
    Test only between two owned accounts. Look for invoices, media, exports, support docs, profile objects, group IDs, or customer records.

  2. Auth/session flaws
    Password reset reuse, email-change verification gaps, missing session invalidation, OAuth/account-linking confusion.

  3. File upload / media privacy
    Private media accessible by guessed URLs, SVG/HTML upload issues, metadata leakage, missing auth on attachments.

  4. Webhook/payment-state bugs
    Replayable webhooks, client-side paid flags, missing provider signature verification, subscription or invoice state desync.

  5. PII exposure
    Exports, search/autocomplete, notifications, support attachments, public profile JSON returning hidden fields.

  6. Misconfigured storage
    Public buckets, non-expiring signed URLs, predictable private media paths.

  7. WordPress/plugin or dependency CVEs
    Confirm target version passively, reproduce locally, report with conservative target evidence.
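For the webhook/payment-state class in item 4, an added illustration (not code from this report or from any program listed here): the weak pattern that flips invoice state on a client-supplied paid flag, beside a handler that verifies the provider signature, rejects stale timestamps, and deduplicates event ids. The `t=<ts>,v1=<hmac>` header format, the secret, and the event shape are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json
import time

# Constructed sample secret; in production this is the provider's signing secret from config.
WEBHOOK_SECRET = b"constructed-demo-secret"


def sign_event(body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Build the assumed header 't=<ts>,v1=<hex hmac>' over '<ts>.<body>'."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def handle_weak(payload: dict, invoice: dict) -> dict:
    """Weak pattern from the list: a client-supplied 'paid' flag flips state, no signature check."""
    if payload.get("paid"):
        invoice["status"] = "paid"
    return invoice


class WebhookVerifier:
    """Signature + timestamp window + event-id dedup: the checks whose absence the list describes."""

    def __init__(self, secret: bytes = WEBHOOK_SECRET, tolerance_s: int = 300):
        self.secret = secret
        self.tolerance_s = tolerance_s
        self.seen_ids = set()  # persist this in a database in a real deployment

    def verify(self, body: bytes, header: str, now=None) -> bool:
        try:
            parts = dict(kv.split("=", 1) for kv in header.split(","))
            ts = int(parts["t"])
        except (ValueError, KeyError):
            return False
        if abs((now or int(time.time())) - ts) > self.tolerance_s:
            return False  # stale or future-dated timestamp: treat as a replay
        expected = hmac.new(self.secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, parts.get("v1", ""))

    def handle(self, body: bytes, header: str, invoice: dict, now=None) -> dict:
        if not self.verify(body, header, now):
            return invoice  # unsigned or tampered: state is left untouched
        event = json.loads(body)
        if event["id"] in self.seen_ids:
            return invoice  # replayed event id: idempotent, no second transition
        self.seen_ids.add(event["id"])
        if event["type"] == "invoice.paid" and event["invoice_id"] == invoice["id"]:
            invoice["status"] = "paid"  # state comes only from the verified provider event
        return invoice
```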

07 / 09

Recommended Night Shift workflow

  1. Sable: reads scope/rules and writes the allowed-test boundary.
  2. Moth: collects passive target notes and source links.
  3. Kiln: builds local reproduction lab if dependency/plugin/API pattern exists.
  4. Rook: selects one target and one bug class; blocks scope creep.
  5. Glint: prepares final report visuals only after a valid finding exists.

08 / 09

Immediate next move

Pick one first target.

My recommendation: Sweed first, because it is niche, actively scoped, has visible rewards, and contains realistic web/POS/admin/cashier surfaces. Request Finance is the second lane for higher upside.

09 / 09

End