This post is about a security bug I found in one of the bug bounty programs. It was very easy to find, the company accepted it, and it earned a $25 bounty.

I was exploring the programs listed at openbugbounty.org when I came across a website that has a responsible disclosure policy, so I decided to look for bugs on that website.

After logging in, I noticed a button that allows a user to delete his/her account. That gave me the idea to test for "failure to invalidate session after deletion of account".

I then looked for another domain of the website that uses the same credentials for login, and luckily I found one.
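To make the bug class concrete, here is an added example (my own illustration, not the site's code or the author's) of the server-side logic behind this finding. It models a shared identity backend used by two domains, an account-deletion handler that forgets to revoke sessions, and the fixed version that revokes every session for the user and additionally re-checks on each request that the user still exists. The user and session stores, domain names and the user id are constructed sample data.

```python
import secrets

# Constructed in-memory stores standing in for a real user database and session
# store shared by both domains (an assumed design, not the target site's).
USERS = {}     # user_id -> {"email": ...}
SESSIONS = {}  # session token -> {"user_id": ..., "domain": ...}


def create_user(user_id, email):
    USERS[user_id] = {"email": email}


def login(user_id, domain):
    """Issue a session token on a given domain; both domains share one identity backend."""
    if user_id not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user_id": user_id, "domain": domain}
    return token


def delete_account_vulnerable(user_id):
    """The buggy pattern: the user record is removed, but every session issued
    for it (on any domain) stays valid until it happens to expire."""
    USERS.pop(user_id, None)


def delete_account_fixed(user_id):
    """Fix 1: delete the record and revoke every session bound to that user,
    regardless of which domain issued it."""
    USERS.pop(user_id, None)
    stale = [tok for tok, sess in SESSIONS.items() if sess["user_id"] == user_id]
    for tok in stale:
        del SESSIONS[tok]


def is_session_valid_vulnerable(token):
    """Accepts any token that is still in the store, never consulting the user table."""
    return token in SESSIONS


def is_session_valid_fixed(token):
    """Fix 2 (defence in depth): a session is only valid while its user still exists,
    so even a revocation that was missed cannot keep a deleted account alive."""
    sess = SESSIONS.get(token)
    return sess is not None and sess["user_id"] in USERS


def session_survives_deletion(delete_fn, check_fn):
    """Regression check mirroring the report: log in on domain B, delete the account
    through domain A, then ask whether domain B's session is still honoured.
    Returns True when the bug is present."""
    USERS.clear()
    SESSIONS.clear()
    create_user("user-1", "user@example.com")      # constructed sample user
    token_b = login("user-1", "b.example.com")     # session on the second domain
    delete_fn("user-1")                            # deletion via the first domain
    return check_fn(token_b)


if __name__ == "__main__":
    print("vulnerable:", session_survives_deletion(delete_account_vulnerable,
                                                    is_session_valid_vulnerable))
    print("fixed:     ", session_survives_deletion(delete_account_fixed,
                                                    is_session_valid_fixed))
```

The regression function is the kind of check worth keeping in a test suite: it fails loudly if a future change to account deletion stops revoking sessions. The per-request existence check on its own already closes the hole, but revoking sessions at deletion time is still worth doing so that stale tokens do not linger in the store.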

So, the functionality/flow was like this

I submitted the report thinking it would not be accepted, but I gave it a try, and they accepted it, fixed it and paid $25. A few days ago I found the same issue on another of their domains and got another $25. So it is now "An Easy $50 Bug".

Feedback and comments are welcome.

Written by

I am a Computer Science / Information Security student. I write about web application security bugs and issues.
