Skip to main content

Yadhu's Blog

Story of My first Bug Bounty

Table of Contents

# Intro

Hello everyone, it’s been over a month I have shared something on my blog. I was busy with academic stuff and CTFs. But finally, I have decided to take some time to write a post on my first bug bounty. The bug was small and easy to exploit, however, let this be a motivation to all who haven’t yet found their first bug.

I found the bug on a jewelry website. They did not have any vulnerability disclosure programs, but I was lucky enough to get a positive response from them. It was on a fine evening, after all the “hustle and bustle” of online classes ended, I was scrolling through my Instagram feed and I noticed an advertisement for a jewelry website.

Buy gold online? Huh?

Okay. Enough of the story, let’s get started.

# The Bug

I don’t know why, but I started testing it. I started with checking for low-hanging bugs. I tested for XSS and some configuration issues, but it felt safe. The website was running on the latest version of PHP. I checked if the website was using any vulnerable jQuery libraries that could trigger an XSS, but nothing was found. I continued to look through the HTML source code of the website.

I was frustrated and decided to quit. But that is when something caught my attention.


Already noticed something suspicious?

Okay. Let me explain.

The developer was trying to implement some image download functionality, probably.

I have been playing CTFs for a long time now. I knew what I was supposed to do next. As all CTFers would do, I changed the image parameter to /etc/passwd. However, that triggered their firewall and the request was blocked. I changed that to index.php. My heart stuck for a moment.

I saw index.php has already started downloading.

With this, I was able to download the files from the webserver. I found that I was able to leak their e-mail account credentials, API keys, database credentials, and some other sensitive information.

Now I had a valid bug. But then, I came to know they did not have any vulnerability disclosure programs. I tried mailing to the e-mail addresses mentioned on their website, but I received no response.

Then I used my OSINT skills (jk, Googling) to find out the e-mail address of their IT Administrator and mailed them about the bug.

# Profit

Their response was quick, and I was contacted by a company which was in charge of managing it. I disclosed the bug and the issue was patched. I was awarded an amount of INR 15,000 (about 200 USD) for the bug. Even though they did not have any VDP programs, they decided to recognize my effort with it.

I learned a lot. Proper communication through the proper channel was the major reason for success this time. The entire process from detection of the bug to payment and fixing took just 9 working days. The responsibility that the company showed surely deserves appreciation.

That’s all for now. I hope this will inspire my readers to never give up. Keep on trying until you win.

Good luck.

Thanks for reading.