YouGina

As 2025 has come to an end, it is time to look back and reflect on what this year meant for me as a bug bounty hunter. Inspired by my reflection last year, I wanted to do the same exercise again. Not just by looking at the numbers, but to understand what motivates me and what helps to achieve my goals for the coming year.

If I had to summarize 2025 in one sentence, it would be this:

A year with great highlights, such as the HackerOne Ambassador World Cup finals in Dubai, several strong CVEs, and an in-person event organized by the Dutch ambassador team.

More importantly, it was a year where collaboration, focus, and persistence really paid off.

2025 in review: from slow start to strong finish

At the start of 2025, I didn’t expect how impactful collaboration would turn out to be. By the end of the year, the biggest surprise was that working closely with others was rewarding not only technically, but also a great motivator. Good collaborations pushed me further, helped maintain momentum, and directly resulted in strong findings.

While the first half of the year was relatively slow, the second half had some strong results. Even as I write this, I still have nine open reports waiting for triage from 2025, many of which I’m relatively confident that they will be accepted. Overall, 2025 felt much more like a year in which I achieved strong results thanks to a solid foundation, rather than through luck, as had been more the case in previous years.

Highlights and standout findings

For me the real highlights of 2025 was the ambassador worldcup from HackerOne, and specifically the in-person events in Prague and Dubai. A great experience to meet up with so many talented people who all share the same interests.

Regarding my findings the following were my highlights of the past year:

CVE-2025-8083 — Prototype Pollution in Vuetify

My proudest technical finding this year is CVE-2025-8083, a prototype pollution vulnerability in Vuetify. You can read more about it in my post here: CVE-2025-8083 — Prototype Pollution in Vuetify

What makes this finding special to me is not just the impact, but the depth: understanding how the configuration system worked, how merging occurred internally, and how that could be abused across different execution contexts.

Second-Order SQL Injection (Pending)

Another finding I’m particularly proud of, though the report is still pending, is a second-order SQL injection in a backend framework. I was convinced the vulnerability existed after reading the code, but turning that intuition into a working exploit took persistence.

The key insight was realizing that the payload needed to be stored first, then later read back and reused in a subsequent query. It was one of those cases where sticking with a target eventually paid off. I hope to write more about this one once it’s resolved.

Framework bugs, edge cases, and research mindset

This year I did uncover multiple framework-level issues, some already fixed and others still pending. The bug in Vuetify described above is one of them, and there are more in the pipeline.

I also ran into interesting edge cases that did not qualify as a vulnerability. One such example was an interesting behavior in how jQuery handles JSONP requests, which introduces a race condition. While not a vulnerability on its own, it’s the kind of gadget that could become powerful in the right exploit chain. These are exactly the kind of things worth keeping in your notes.

I didn’t focus heavily on exploit chains this year, but that’s something I want to explore more in 2026.

Metrics and outcomes

While numbers don’t tell the whole story, they do help when doing a reflection. Here are my statistics for 2025:

• Total bugs submitted: 44 (well above my original goal)
• Critical: 7 (18.9%)
• High: 13 (35.1%)
• Medium: 14 (37.8%)
• Low: 3 (8.11%)
• Pending: 9 reports are still under review

While my critical percentage was slightly lower than my original 25% goal, the high-severity ratio exceeded my expectations. In the coming year, I want to focus on increasing the impact where possible and turn highs into crits, and mediums into highs by demonstrating clearer real-world impact.

My strongest findings this year were white-box / source-assisted, although I did also land several high and critical issues through black-box testing.

Focus beats breadth

One of the biggest improvements compared to previous years was focus. I stayed with one open-source program throughout the year, which paid off consistently. During events, I also hyper-focused on single targets over a short period of time (usually one to two weeks), often combined with collaboration. That combination turned out to be very effective.

Even when I didn’t find bugs, my understanding of underlying stacks, frameworks, and threat models improved. I could carry over this knowledge to other targets using similar technologies.

That said, I still switch too quickly during black-box testing. With source code, I have a much clearer sense of when something deserves a deep dive and when I’ve exhausted it.

Tooling, automation and workflow

I didn’t manage to refactor or modularize my tooling as planned, mostly due to lack of time. But it remains high on my list.

What did help a lot in 2025 was:

• Visual Studio Code for source code review
• Writing custom Semgrep rules to detect recurring patterns
• A URL scanning tool written by a collaborator that quickly highlights anomalous behavior
• A custom tool to quickly identify dashboards behind login portal

My source analysis skills improved significantly this year. Fuzzing is still an area where I want to grow, while large-scale scanning is something I’m going to step a bit away from. I noticed that for me, deep manual analysis works better than wide coverage. My tooling will therefor focus on recon and not so much on vulnerability analysis.

My note-taking remains a weak point. While I merged my Notion data into Obsidian, I still don’t take notes consistently during hunts. This often leads to rediscovering the same things when returning to a target. That’s something I need to improve on.

Time, motivation and sustainability

On average, I spent two to three hours per week hacking. That is still not a lot, but an improvement over last year.

My motivation and commitment was mostly driven by events in the beginning of the year, such as the Ambassador World Cup with the live events in Prague and Dubai. Later in 2025 I became more consistent and could invest a good amount of hours every week.

Motivation itself was never the issue, time was. For 2026, I already have a plan to address that, and I’m hopeful it will work out.

Community and collaboration

Most of my collaboration happened during events, particularly with the Dutch team. During the in-person event in the Netherlands in September, I worked closely with another participant, and that collaboration paid off quite well. We’ve continued hunting together since and hopefully will keep doing that in 2026.

Conversations with other participants during these events have helped me improve my way of thinking. That might be the most underrated benefit of in-person hacking events.

Last year I also published a blog post about my Ambassador World Cup experience and my previous yearly reflection. In 2026, I’d like to write more about my findings. At least high-level overviews of the CVEs I’ve discovered and about quirks that did not make it into being classified as a vulnerability, such as the one in jQuery as mentioned above.

Goals for 2026

For 2026 I like to put the bar a bit higher for myself. While maintaining the realistic percentages I gained this year, I doubled the amount of bugs I would like to find.

• Target number of bugs: 100
• Severity percentages:
  • Critical: 20%
  • High: 35%
  • Medium: 40%
• Time commitment: 4 hours per week
• Earnings: redacted

Beyond these metrics, I want to focus on technical, high-impact vulnerabilities that genuinely help organizations secure their assets. I also want to expand my methodology, especially fuzzing and explore new areas.

One specific goal I would like to achieve this year, is finding a vulnerability in a binary application, such as a Windows desktop app.

Closing thoughts

If 2025 taught me one lesson, it’s that persistence matters more than speed. Sticking to a target, building trust with a program’s team, and thinking beyond “submit and move on” makes a real difference.

To anyone who feels stuck but capable: don’t give up too quickly. Spend more time actively hunting and less time endlessly preparing. If you feel somewhat capable, you probably are.