Igniting the Challenge
When Red Bull unveiled their Vulnerability Disclosure Program, the reward wasn’t cash — it was caffeine. Trays upon trays of the world’s favorite energy drink awaited hunters who could unearth security flaws.
For us, it was the perfect storm: a world-class target, a mouthwatering bounty, and prestige on Intigriti’s leaderboard.
One and a half week of active hunting resulted in 46 solid reports, and a lot of lessons, we emerged with ~ 30 trays—a staggering ~ 180 L of Red Bull and a spot among the Top 64 on Intigriti’s all-time list.
What Helped Us Most
There was no single tool or magic trick. What helped was having a clear plan, using what we knew well, and sticking to basic good practice. Here’s what actually made a difference:
Tried-and-Tested Tools
We used Nuclei, ffuf and similar tools often — nothing fancy, just custom templates and wordlists we already trusted. Most of our recon was built around those.
Clean Note-Taking
We kept a shared Markdown doc to track what we tried, what worked, and what didn’t. That made writing reports quicker and avoided re-checking the same stuff.
Deep Recon
Due to the open scope, and Red Bull being a giant company - we utilized Shodan, Censys and other awesome tools to help us map out Red Bull's attack surface
Early Reporting
We submitted reports early. Even for medium or unclear bugs, that got us feedback faster and let us focus on what was still open or in scope.
Severity Snapshot
We submitted 46 valid reports during Red Bull’s VDP. Here’s the severity breakdown:
- High: 4 reports
- Medium: 41 reports
- Low: 1 report
Reward Breakdown
26× Medium (rewarded) → 1 tray each → 26 trays
3× High (rewarded) → 3 trays each → 9 trays
1 High and 15 Medium reports were duplicates sadly and not rewarded
🎯 Total Reward: ~ 35 trays of Red Bull
Total: 46 Reports
Achievement on Intigriti
Our work didn’t just earn us energy drinks — it earned us serious growth and respect. After weeks of fuzzing endpoints, chaining attack vectors, and writing crystal-clear reports, we cracked into Intigriti’s all-time Top 64 researchers list. For a relatively short campaign, that was a huge leap—and proof that consistency matters more than headcount.
But that wasn’t the end of it. Our effort caught the attention of the platform itself.
In their weekly write-up
Bug Bytes #123
,
they highlighted us as the “Community Pick of the Week.”
Recognition like that is
priceless in the security world — it’s more than a badge. It’s validation from the very platform where the best
hackers in the world compete.
It reminded us why we do what we do: to build safer systems, push boundaries, and have fun while doing it.
This hack marathon placed us at #14 on Red Bull Leaderboard of all time
Let’s secure your software
Our expert pentesters simulate attacks to uncover real-world vulnerabilities.
