My First Unexpected $$$$ Digit Bounty for an Unexpected Vulnerability

Shobhit Mehta
4 min read · Feb 28, 2023

Hello readers, this is the first time I am writing a blog. I hope I won't waste your time and that you will take some motivation from this.

In this blog I will discuss how I got my first unexpected 4-digit bounty for a bug which many ethical hackers or bug bounty hunters ignore, or which is often out of scope. Ok, let's start. (Note: this was 3 years back.)

I started bug bounty back in 2019 when I was in my 3rd year of college; before that I was just gathering knowledge and learning about cyber security. Since I started, I was able to get some bounties and some swag, which always kept me boosted and helped me maintain consistency. But after a few months times changed and I was not able to score any bounty; all my reports were either marked duplicate or N/A. But I didn't stop.

One fine day I started my day and thought of starting fresh. So I completely closed everything that was up and running: all the programs I was hunting on, all the terminals running different recon commands, everything, and started afresh.

Methodology

I went to Google and started searching for open bug bounty and RVDP programs. I usually do that by using Google dorks like

intext: Vulnerability disclosure
intitle: Security Bounty Program
...etc

After using the dorks, I looked for programs which were recently launched; to do that I clicked on the Tools button and set the time range to Past month.

After scrolling through the programs, I came across a program which had been launched just a week before, and I thought, let's give this one a try.

I will disclose the program name at the end, as the program is now closed and they are not accepting any further reports.

Vulnerability Finding Methodology

After setting my target, I quickly went through the scope and out-of-scope sections, and things were pretty clear there.

I started subdomain enumeration and found that there were no major subdomains listed, only 4–5 were there. Then I started manually checking the website and its functionalities. I saw a login button on the main website, so I went straight to that section to check for vulnerabilities related to authentication, as it's my favourite feature to hunt on. I created my accounts there and started looking for vulnerabilities like CSRF, session expiration, session validation, IDORs, 2FA bypass and other major vulnerabilities, mostly P2-P3.

After spending about 2 hours I didn't get anything and thought of almost giving up. I then came back to the main website and started looking for sensitive information leakage on the internet via Google dorks, GitHub, and tools like waybackurls, ffuf and dirsearch to get some juicy information. But again, bad luck: there was no juicy information present. I felt like there were no vulnerabilities present and thought of moving to the next website, but I don't know what held me back, and I again went to check the login functionality page.

I again looked at the qualifying and out-of-scope vulnerabilities and found that No Rate Limit was not mentioned in the out-of-scope list, so I thought, let's give it a try. I tested for no rate limit on all the sensitive endpoints, like the password reset function, the password change function, the invite-team-members function and other endpoints too. But nothing was working and everything seemed protected. I took a break and went out with my friends.

The next day I thought, why not test the rate limit on the login functionality only? (I was not aware at that time that it was called a brute force attack.) To my surprise there was no protection against brute force, and I was able to perform a valid brute force attack on the main login page. I was not very excited, because I thought that even if it was a valid bug I would only get a P4-P3 reward, i.e. max $200, but I reported it anyway through their reporting form, which was there at the time, and I didn't get any confirmation back to my email. I waited for a week and there was no response, and it completely went off my mind as I started hunting on other programs.
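For readers wondering what the missing control looks like on the server side, here is an added example (my own illustration, not the program's code) of a per-account sliding-window limiter for a login endpoint, replayed over a constructed sequence of attempts. The thresholds (5 failures per 60 s, then a 300 s lockout) and the decision to key on the account rather than the client IP are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Added example, not the program's code: a per-account sliding-window limiter
# for a login endpoint. The numbers are assumptions chosen for illustration:
# at most 5 failed attempts per account in any 60 s window, then a 300 s lockout.
WINDOW_SECONDS, MAX_FAILURES, LOCKOUT_SECONDS = 60, 5, 300

class LoginRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.window, self.limit, self.lockout = window, limit, lockout
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time when its lockout ends
    def _prune(self, account, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
    def allow(self, account, now):
        """True if a login attempt for `account` may be processed at time `now`."""
        if self._locked_until.get(account, 0) > now:
            return False
        self._prune(account, now)
        return len(self._failures[account]) < self.limit
    def record_failure(self, account, now):
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.limit:
            self._locked_until[account] = now + self.lockout
    def record_success(self, account):
        # A successful login clears the account's failure history.
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

def simulate(attempts, limiter=None):
    """Replay (time, account, password_ok) tuples; return 'ok', 'denied' or 'blocked' per attempt."""
    limiter = limiter or LoginRateLimiter()
    outcomes = []
    for now, account, password_ok in attempts:
        if not limiter.allow(account, now):
            outcomes.append("blocked")       # rate limited: the password is never even checked
        elif password_ok:
            limiter.record_success(account)
            outcomes.append("ok")
        else:
            limiter.record_failure(account, now)
            outcomes.append("denied")
    return outcomes

# Constructed sample: one guess per second against "alice" with the right password on the
# 7th try, and an unrelated user "bob" who must not be affected by alice's lockout.
SAMPLE_ATTEMPTS = [(t, "alice", False) for t in range(6)] + [(6, "alice", True), (6, "bob", True)]
```

Note that the 7th attempt is blocked even though the password is correct: during the lockout the guesser gets no signal about which guess was right, which is what makes the control effective against the attack described above.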

After 1 month I got an e-mail (check the attachment below).

Lessons I Learned From This

  1. Being consistent is the key.
  2. Don't underestimate your findings! Ask yourself: is this something that can really be an issue?
  3. Don't put expectations before results.
  4. Always be patient.
  5. Take a break whenever you feel you are lost.

Conclusion

Reward: $1000

Program Name: https://improvmx.com/

Vulnerability Name: No Rate Limit On Login Page (Brute Force Attack)

POC:

I hope you liked this blog and must have learned something.

Feed | LinkedIn — My LinkedIn Profile.
