$10,000 for a vulnerability that doesn’t exist
A couple of months ago, an interesting story happened to me. At that time I was working in a field not strongly connected with application security. And every month it became more and more obvious that something had to change. During the COVID-19 period, it was not very smart to change jobs. But the stars aligned and I was hired as an application security engineer for a very cool company. In between contracts, I was forced to take accrued vacation days. That’s how I arranged my vacation for three weeks. But I didn’t want to be idle, so I decided to do bug bounty hunting.
My attention was attracted by one bug bounty program. A new target was added to the program scope and I decided to try and look for some bugs. Let's consider that the company's name was example.com. Any critical bugs within the bug bounty on other domains were acceptable under that organization. The registered domains of the organization were hidden, and it was only known that there was example.com. I tried example.org, and the result was strange. I also tried example.io and example.ca, but the results didn't allow me to establish the domains' affiliation with the organization. Then I tried example.net and got a redirect to example.com. This allowed me to have two domains in scope. By the way, the bug was on that discovered domain!
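The redirect check above is the kind of thing that is easy to get subtly wrong by hand, so here is a small added example (not code from the original post) that classifies candidate domains by whether their redirect lands on the in-scope apex domain. The responses are constructed inline; `SAMPLE_RESPONSES`, the `apex` parameter and all function names are assumptions for this illustration. Note the lookalike case: a Location of `example.com.evil-tracker.test` is not in scope even though it starts with `example.com`, which a naive `startswith` check would miss. A redirect is only a hint of affiliation, not proof; scope decisions should still be confirmed against the program's written rules.

```python
from urllib.parse import urlparse

# Constructed sample data (hypothetical): candidate domain -> (HTTP status, Location header or None).
# In practice these would come from an HTTP client; they are hard-coded here so the example runs offline.
SAMPLE_RESPONSES = {
    "example.net": (301, "https://example.com/"),
    "example.org": (200, None),
    "example.io": (302, "https://example.com.evil-tracker.test/landing"),
    "example.ca": (302, "https://www.example.com/ca"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def host_in_scope(host, apex):
    """True only if host equals the apex or is a proper subdomain of it.

    Comparing on a dot boundary avoids matching lookalikes such as
    notexample.com or example.com.evil-tracker.test.
    """
    host = host.lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def redirect_target_host(location):
    """Extract the hostname from a Location header; None if it has no host (relative redirect)."""
    return urlparse(location).hostname


def classify(status, location, apex="example.com"):
    """Classify one response as redirecting into scope, elsewhere, or not redirecting."""
    if status in REDIRECT_STATUSES and location:
        target = redirect_target_host(location)
        if target and host_in_scope(target, apex):
            return "redirects-into-scope"
        return "redirects-elsewhere"
    return "no-redirect"


def candidates_in_scope(responses, apex="example.com"):
    """Return the sorted list of candidate domains whose redirect lands on the apex or a subdomain of it."""
    return sorted(
        domain
        for domain, (status, location) in responses.items()
        if classify(status, location, apex) == "redirects-into-scope"
    )


if __name__ == "__main__":
    for domain, (status, location) in SAMPLE_RESPONSES.items():
        print(f"{domain:12} {status} -> {classify(status, location)}")
    print("candidates redirecting into scope:", candidates_in_scope(SAMPLE_RESPONSES))
```

Run it as a script to see each constructed candidate classified; only `example.net` and `example.ca` end up in the in-scope list, while the `example.io` lookalike redirect is rejected.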
Next, I went through a classic scenario and gathered all the subdomains for example.com and example.net. There were not that many. I did not filter them through httprobe and decided to check the basic checks simply by sending…