How I Got a $$$ Bounty for Discovering Information Disclosure via a GitHub Repository

cyberyash
Jul 1, 2023


Hello everyone, I am Yash Kushwah, working as a cyber security researcher and bug bounty hunter.

As every bug hunter gets duplicate bugs from programs, I also got lots of duplicates before this report. In this write-up, I will share my experience of earning a $$$ bounty by uncovering an information disclosure vulnerability in a GitHub repository.

Let’s start.

What is GitHub

GitHub is a web-based hosting service for version control using Git. It is a platform that allows developers to store, manage, and collaborate on their software projects, and public repositories (including their full commit history) are searchable by anyone.

What is GitHub Dorking

GitHub dorking refers to the practice of using GitHub’s advanced search operators (quoted strings, `filename:`, `extension:`, `org:`, `user:` and so on) to discover sensitive information or potential security vulnerabilities in public repositories.

Repositories sometimes contain sensitive information such as API keys, database credentials, FTP credentials, email addresses and passwords, often committed by mistake in configuration files, test fixtures or CI scripts.

The first step in any bug bounty program is to select a target. In this case, I was browsing through various bug bounty platforms and came across a program that allowed researchers to search for vulnerabilities in open-source projects hosted on GitHub.

After identifying the vulnerability, I proceeded to develop a proof-of-concept (PoC) to demonstrate the exploit.

Proof Of Concept:

1. Go to github.com and log in.

2. Search for the keyword "Target.com" together with the word password.

GitHub Dork: "Target.com" password

3. I started reviewing the repository’s source code.

Boom….

Here I checked and found a cypress.json file in the repository that disclosed sensitive information such as a merchant ID, password, email, etc.
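The review step above (open the repository the dork led to and look through its config files for credential-like values) is the part that takes the most time when a dork returns hundreds of hits. The script below is an added example, not code from the original write-up or from the affected project: it walks a checked-out repository, parses `cypress.json` (and any other `.json` file) plus `.env` files, and reports keys whose names look like credentials and whose values are not obvious placeholders. The sample repository contents, including the `merchantId` and `password` entries and the `example.com` host, are constructed for the example and are not the real findings.

```python
"""Scan a checked-out repository for credential-like values in config files.

Added example (not from the original post). It mimics the manual review step
after a GitHub dork lands on a repository: once the repo is cloned, look for
config files such as cypress.json or .env whose keys look like secrets and
whose values are not placeholders. All file contents below are constructed.
"""
import json
import math
import re
import tempfile
from pathlib import Path

# Key names that usually hold credentials (case-insensitive substring match).
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|merchant[_-]?id|private[_-]?key)", re.I
)
# Values that are clearly placeholders and not worth reporting.
PLACEHOLDER_RE = re.compile(
    r"^(?:\$\{.*\}|<.*>|changeme|xxx+|todo|\*+|your[_-].*)?$", re.I
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def flatten(obj, prefix=""):
    """Yield (dotted_key, value) pairs for a nested JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def parse_dotenv(text: str):
    """Yield (key, value) pairs from KEY=value lines, ignoring comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, _, v = line.partition("=")
        yield k.strip(), v.strip().strip("\"'")


def scan_file(path: Path) -> list:
    """Return findings for one file; unsupported file types yield nothing."""
    text = path.read_text()
    if path.suffix == ".json":
        try:
            pairs = list(flatten(json.loads(text)))
        except json.JSONDecodeError:
            return []
    elif path.name == ".env":
        pairs = list(parse_dotenv(text))
    else:
        return []
    findings = []
    for key, value in pairs:
        if not isinstance(value, str) or not SECRET_KEY_RE.search(key):
            continue
        if PLACEHOLDER_RE.match(value):
            continue  # e.g. "${CYPRESS_API_KEY}" or "changeme"
        findings.append({
            "file": path.name,
            "key": key,
            "entropy": round(shannon_entropy(value), 2),
            "masked": value[:3] + "...",  # never echo the full secret into a report
        })
    return findings


def scan_repo(root: Path) -> list:
    """Scan every regular file under root, skipping the .git directory."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            findings.extend(scan_file(p))
    return findings


# Constructed sample repository (hypothetical values, not real credentials).
SAMPLE_FILES = {
    "cypress.json": json.dumps({
        "baseUrl": "https://staging.example.com",
        "env": {
            "merchantId": "MRC-4482193",
            "password": "Sup3rS3cr3t!2023",
            "email": "qa-bot@example.com",
            "apiKey": "${CYPRESS_API_KEY}",  # placeholder, should be skipped
        },
    }, indent=2),
    ".env": 'DB_HOST=localhost\nDB_PASSWORD=changeme\nDB_TOKEN="a8f3k2j9d0s1l4m7"\n',
    "README.md": "password: this file type is not scanned\n",
}


def build_sample_repo() -> Path:
    """Write the constructed files into a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="dork-sample-"))
    for name, content in SAMPLE_FILES.items():
        (root / name).write_text(content)
    return root


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(finding)
```

Running it flags `env.merchantId` and `env.password` in `cypress.json` and `DB_TOKEN` in `.env`, while the `${CYPRESS_API_KEY}` reference and `changeme` are skipped as placeholders. Two practitioner notes: the masked value is what belongs in the report (the program can verify against the repository itself), and the fix on the developer side is to keep secrets out of `cypress.json` entirely, for example by reading them from `CYPRESS_`-prefixed environment variables or a git-ignored `cypress.env.json`, and to rotate anything already committed, because it stays in the history even after the file is removed.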

I submitted my report through the bug bounty program’s designated platform, ensuring that all required information was provided.

I received an automated acknowledgment of my submission and patiently waited for the organization’s response.

Impact:

If sensitive information is exposed through a GitHub repository, malicious actors may use it to gain unauthorized access to systems, databases, or accounts. This can result in data breaches, privacy violations, and financial losses for individuals or organizations. Credentials committed to a public repository should be treated as compromised and rotated, since deleting the file does not remove it from the commit history.

After a three-month wait, I received…

Congratulations, !

Your bug report has been confirmed by our specialists and you have earned a bounty $$$ 💵reward!

$100 💲💲💲

Conclusion:
Discovering an information disclosure vulnerability through a GitHub repository was an enriching experience that allowed me to contribute positively to the security of an organization. By following responsible disclosure practices, I not only earned a $100 bounty but also established a relationship that could lead to future collaborations.

Report: Jan / 30 / 2023

Trigger: Feb / 10 / 2023

Receive Bounty Reward: April / 17 / 2023

This is my first writeup.

So, thanks a lot for reading it till the end. I hope you will find this article interesting.

cyberyash!

Follow me on Instagram:

https://www.instagram.com/cyberyash951/?hl=en

Follow me on Linkedin:

https://www.linkedin.com/in/yash-kushwah-a80449229/

