"Sometimes you don't win the bounty… but you win the mindset."

It started like any normal day.

Laptop open. Burp Suite running. Curiosity at its peak.

I wasn't chasing for bounty that day. I was chasing something more exciting — a real vulnerability.

And for a moment… I thought I found one.

While testing a search functionality, I noticed something interesting in the frontend code:

An exposed API key A search index reference Third-party search integration

Most users would ignore it.

But in bug bounty, small clues often lead to big findings.

Intercepted requests using Burp Suite. Replayed API calls. Tested different endpoints.

That's when things got interesting… I crafted a request using the exposed API credentials:

POST /1/indexes/org_aem_prod_en-us/query HTTP/1.1
Host:dsn.3rdparty.net
X-API-Key:2b15157d51ab026b3a4xxxxxxxx
X-Application-Id: ZSUJLFxxxx
Content-Type: application/json
Content-Length: 34
{"params":"query=&hitsPerPage=20"}

After sending the request, I received a valid response. However, the data appeared to be publicly accessible, which initially didn't indicate a strong impact.

Instead of stopping there, I decided to explore further.

I modified the index name by guessing in the request — and that's when things got interesting.

💥 Unexpectedly, I was able to access non-production indices:

• org_aem_dev_en-us
• org_aem_stage_en-us

Through these indices, I discovered internal subdomain references such as:

• https://www.stage.company.com/
• https://www.dev.company.com/

These environments were:

• ❌ Not accessible via browser (returning 403 Forbidden)
• ✅ Accessible through the search API

This clearly indicated a breakdown in environment isolation, where non-production data was indirectly exposed via a misconfigured search API.

The crafted request using the exposed API credentials by changing indices Query that exposes stage index org_aem_stage_en-us index by

POST /1/indexes/org_aem_stage_en-us/query HTTP/1.1
Host: dsn.3rdparty.net
X-API-Key: 2b15157d51ab026b3a4xxxxxxxx
X-Application-Id: ZSUJxxxxx
Content-Type: application/json
Content-Length: 42
{"params":"query=&hitsPerPage=20"}

Query that exposes devindex org_aem_dev_en-us index by

POST /1/indexes/org_aem_dev_en-us/query HTTP/1.1
Host: dsn.3rdparty.net
X-API-Key: 2b15157d51ab02xxxxxxxxxx
X-Application-Id: ZSUxxxxxxx
Content-Type: application/json
Content-Length: 40
{"params":"query=&hitsPerPage=20"}

At this point, everything felt solid.

I verified:

• Access behavior
• API responses
• Possible data exposure

I analyzed the impact:

• Internal environment exposure
• Potential reconnaissance vector
• Misconfigured authorization

I documented everything clearly.

And then…

I submitted the report.

The Waiting Game⏳

If you're into bug bounty, you know this phase.

Refresh. Check updates. Wait.

Confidence slowly turns into anticipation.

The Twist 💔

Then came the response: "Duplicate." Just one word. That was it. Lost Interest. Very Sad

I stepped back and thought:

"Wait… I actually found a valid issue."

Someone else just found it before me.

That doesn't make my work wrong.

It just means…

I'm getting closer.

What This Taught Me

This "duplicate" gave me more value than a bounty:

🔹 Technical Learnings

• How search platforms work
• How API keys can expose hidden environments
• Importance of environment isolation
• How to test beyond UI restrictions

🔹 Bug Bounty Lessons

• Focus on root cause, not just impact
• Document findings clearly

This wasn't a failure. It was proof that:

✔ I'm looking in the right places ✔ I understand real-world systems ✔ I can identify actual vulnerabilities

The only thing I missed?

⏱️ Timing.

Final Thought

That bug wasn't mine.

But the knowledge I gained from it is.

And no one can mark that as duplicate.

I'm not stopping here.

More testing. More learning. More growth.

Because in this journey…

Every step counts.

Thank you for reading. Happy Hacking. ❤

follow me on linkedin : https://www.linkedin.com/in/jaya-prakash-reddy561/