hunt-rce

## Crown Jewel Targets RCE vulnerabilities command the highest payouts in bug bounty programs because they grant attackers direct execution control over target infrastructure. The highest-value targets are: **Highest-paying asset types:** - **Enterprise server products** (GitHub Enterprise Server, self-hosted GitLab) — privilege escalation chains from low-privileged console roles to root SSH access consistently pay critical/high - **Supply chain / package registries** — dependency confusion attacks against npm, PyPI, etc. hit critical severity across every major program - **Cloud-native infrastructure** — exposed Kubernetes API servers, ingress controllers, and misconfiqured CI/CD pipelines - **Mobile app backends and OAuth flows** — where server-side processing of attacker-controlled data meets execution contexts - **Admin/management consoles** — template injection in configuration panels reaches root with a single payload **Why this class pays most:** - Blast radius is infrastructure-wide, not user-scoped - Proof-of-concept is unambiguous — shell output is undeniable - Fix requires architectural changes, not just a patch - Programs cannot afford false negatives on RCE --- ## Attack Surface Signals ### URL Patterns ``` /management-console/* /admin/settings/* /api/v*/exec /api/v*/run /webhook/* /_internal/* /import?url= /render?template= /preview?format= ``` ### Response Headers / Tech Stack Signals ``` X-Powered-By: Express # Node.js — npm dependency surface ...