Sampanna Chimoriya
Dec 19, 2018

My Experience with Google Bug Bounty

I really enjoy reading bug bounty writeups, and it’s really cool to see the thought process and various techniques shown by people who are way more knowledgeable than me. So I wanted to find more and more bug bounty writeups, and I discovered Pentester Land. I really, really love this website and its creators: they provide notes and tips, and the tweet collection is the best. So you can imagine my happiness when I saw that I received a follow from Pentester Land and my post was actually featured in bugbountywriteup.

TL;DR: I submitted four reports to Google. The first report was not considered severe enough; the second report was first closed, then accepted, then marked a duplicate; the third report was fixed by the internal team and was not even considered; and the fourth report was accepted but was not considered severe enough for a monetary reward, though I was asked to create a profile on the bug hunter site to get featured, so it was really cool.

So, I didn’t actually receive any reward, but I am still happy that my 2 reports to Google were accepted, and since it was not actually really hard or time-consuming for me to find those reports, I was not really sad. So, I was just browsing Pentester Land bugbountywriteup and saw a post about a Google referer leak.

It seemed really cool and not that easy to find. I saw a post about an unlisted video referer leak in game.youtube.com. He just pasted https://whatismyreferer.com in the comment section, and when it was clicked it leaked the unlisted video URL, and he got $500 twice for the same vulnerability. I was using my mobile phone to read the blog, so I decided to try this on translate.google.com. If you type https://whatismyreferer.com it would be translated to a link which, when clicked, would leak various things, so I submitted a report, but it was not considered severe enough to be accepted. At the same time I decided to try youtube.com. So, I typed youtube.com in Google Chrome but was sent to m.youtube.com. So, I thought maybe it was not fixed in the mobile version of youtube.com. So, I opened a random video and commented https://whatismyreferer.com and was provided the video URL, which was really cool. So, I wrote a report to Google, and I don’t really think they actually understood, and they closed it. So, I had to write again that an unlisted video URL can be leaked, so they asked me to provide proof. So, I uploaded a video with my Android YouTube app and unlisted the video. I copied the URL, opened it in Google Chrome and commented https://whatismyreferer.com, and I saw my unlisted video URL. Again they could not understand properly and said that since I had uploaded the video, of course I would have the link and I can view my video. I really don’t understand where I made the mistake, and I could not understand why they couldn’t understand. So, I explained that the referer leaks the video link, so I don’t really need to have the video link. Still my report was closed. So I wrote them again and provided a link to the previous blog and explained that if the previous report was accepted then it’s not really fair for my report not to be accepted. After 24 hours my report was finally accepted.
I received a message that I would be contacted within 1–2 weeks, and on 18 December at about 11:15 pm I received a message that the report was actually a duplicate.

My third report was actually really cool, but it was fixed by the internal team. I had sent the report at about 4:20 pm, and it was fixed by the team in less than a day, and I was not rewarded anything. Since it was really cool for me, I will probably write another blog about it. My fourth and final report was really cool for me because it came about because of my previous blog. It was actually a subdomain takeover, which was really cool for me. Let me explain: when I wrote my report of self-XSS on indeed.com, I was followed by someone on Medium with the name Dhamu harker. It was really cool that someone followed me, so I visited his profile and saw his likes. So, I was strolling through the claps and saw a report for famebit.com, which was associated with google.com. So, I immediately searched for subdomains on yandex.com and found blog.famebit.com. When I clicked the link, I got an expired webpage message, and it turned out it was hosted on Squarespace, which I had read somewhere was vulnerable to subdomain takeover. So, I sent the report to Google, and I was contacted within an hour and received a message that subdomain takeover might not be possible, and they provided the link to

and said my report might not be possible, but it was accepted anyway. I was contacted on 18 December that my report was not severe enough to be provided a reward, but I was asked to create a Google bug hunter profile. So, this concludes my blog, and I think it turned out pretty long, but it’s because I really don’t know how to put my words in short sentences.

So, the main takeaways from this blog are provided below.

  1. If you find any place which allows you to copy or create a link, paste https://whatismyreferer.com and you might be surprised by what you find.
  2. Try and read various reports of your target to understand the target and what you should spend most of your time on.
  3. Visit https://pentester.land and bookmark it if you have not done so already.

So, thank you Pentester Land and Dhamu harker very, very much. I am testing various other Google products, so if I find anything it would be really cool.