Bug bounty hunting isn't just about finding technical vulnerabilities; it is also about navigating strict corporate policies. Recently, I hunted on a global EdTech platform and scored a reward for discovering an Account Takeover (ATO) via a role bypass.

Here is how the hunt unfolded and the lessons I learned about business logic and Vulnerability Disclosure Policies (VDPs).

The Hunt: Passive Recon to Account Takeover

During my recon on the target application, I focused on user invitations and role boundaries. Through passive URL analysis — without using any automated scanning — I discovered a live invite URL structure intended for Parent onboarding.

I opened the link in a fresh browser session and completed the standard OTP verification to create a Parent account. Once inside the Parent portal, I noticed I could generate a valid Student sign-in code/authentication token.

I took that newly generated token, navigated to the Student login portal, and injected it. It worked perfectly, granting me full access to the Student portal. By simply possessing an exposed invite link, I had achieved a complete role boundary bypass.

You might notice there are no screenshots or Proof of Concept (PoC) videos in this write-up. To strictly comply with the company's Vulnerability Disclosure Policy (VDP) and maintain confidentiality, I am prohibited from sharing any visual evidence, payloads, or sensitive data. All testing artifacts have been permanently deleted in accordance with their guidelines.

TIP: Never depend on tools alone. After each tool finishes, check its output .txt files manually; you may find something interesting, as I did with the output of the urlfinder tool.

The Disclosure and The Reward

I immediately reported this through their responsible disclosure program.

The vendor's security team responded quickly with an interesting clarification: a Parent account generating a Student sign-in code was actually an intended product feature. The real security exposure wasn't the token generation, but rather how the invite URL was obtained and left active in the first place.
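The practical fix that follows from the vendor's clarification sits in the invite-link lifecycle rather than in the sign-in-code feature. The Python below is an added example, not the platform's code: it assumes a server-side invite store (names such as InviteStore, issue and redeem are mine) and shows invites that are signed, bound to the invited address, time-limited, single-use and revocable, so that a link recovered from passive URL analysis can no longer onboard anyone but the intended recipient, and only once.

```python
"""Invite-link lifecycle hardening (constructed example, not the vendor's code).

Assumptions: a server-side store holds every Parent-onboarding invite; the
token embedded in the invite URL is signed with a server secret, bound to
the invited e-mail address, expires, is single-use and can be revoked.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption: in production this comes from a secret store, never from source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
INVITE_TTL_SECONDS = 24 * 3600


@dataclass
class Invite:
    invite_id: str
    email: str          # recipient the invite is bound to
    role: str           # e.g. "parent"
    expires_at: int
    used: bool = False
    revoked: bool = False


class InviteStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._invites: dict[str, Invite] = {}

    def _sign(self, invite_id: str, email: str, role: str, expires_at: int) -> str:
        msg = f"{invite_id}|{email.lower()}|{role}|{expires_at}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def issue(self, email: str, role: str = "parent") -> str:
        """Create an invite and return the token that goes into the invite URL."""
        invite_id = secrets.token_urlsafe(16)
        expires_at = int(self._clock()) + INVITE_TTL_SECONDS
        self._invites[invite_id] = Invite(invite_id, email.lower(), role, expires_at)
        return f"{invite_id}.{expires_at}.{self._sign(invite_id, email, role, expires_at)}"

    def redeem(self, token: str, claimed_email: str) -> tuple[bool, str]:
        """Validate a token at onboarding time; returns (accepted, reason)."""
        try:
            invite_id, expires_str, sig = token.split(".")
            expires_at = int(expires_str)
        except ValueError:
            return False, "malformed"
        invite = self._invites.get(invite_id)
        if invite is None:
            return False, "unknown"
        expected = self._sign(invite_id, invite.email, invite.role, expires_at)
        if not hmac.compare_digest(sig, expected) or expires_at != invite.expires_at:
            return False, "bad_signature"      # URL was altered or forged
        if invite.revoked:
            return False, "revoked"            # link was killed after exposure
        if invite.used:
            return False, "already_used"       # replay of a consumed link
        if self._clock() > invite.expires_at:
            return False, "expired"            # link sat around too long
        if claimed_email.lower() != invite.email:
            return False, "wrong_recipient"    # someone who merely found the URL
        invite.used = True
        return True, "ok"

    def revoke(self, invite_id: str) -> None:
        """Kill a link that has leaked, e.g. one that turned up in a public URL list."""
        if invite_id in self._invites:
            self._invites[invite_id].revoked = True


def walk_through(now: float = 1_700_000_000.0) -> dict[str, str]:
    """Constructed scenario exercising each rejection path of the store."""
    clock = [now]
    store = InviteStore(clock=lambda: clock[0])
    results: dict[str, str] = {}

    token = store.issue("parent@example.com")
    results["wrong_recipient"] = store.redeem(token, "stranger@example.com")[1]
    results["first_use"] = store.redeem(token, "parent@example.com")[1]
    results["replay"] = store.redeem(token, "parent@example.com")[1]

    stale = store.issue("other@example.com")
    clock[0] += INVITE_TTL_SECONDS + 1           # let the link outlive its TTL
    results["stale"] = store.redeem(stale, "other@example.com")[1]

    exposed = store.issue("third@example.com")
    store.revoke(exposed.split(".")[0])          # link found exposed: revoke it
    results["revoked"] = store.redeem(exposed, "third@example.com")[1]

    tid, texp, tsig = store.issue("fourth@example.com").split(".")
    results["tampered"] = store.redeem(f"{tid}.{int(texp) + 1}.{tsig}", "fourth@example.com")[1]
    return results


if __name__ == "__main__":
    for case, outcome in walk_through().items():
        print(f"{case:16s} -> {outcome}")
```

The order of checks matters: signature and revocation are tested before the single-use and expiry flags, so a forged or already-killed link never reaches the state-changing branch, and the recipient check is the last gate before the invite is consumed.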

To contain the issue, they invoked their strict VDP rules. They required me to stop all testing, permanently delete all screenshots and PoC videos, and confirm the deletion in writing. I agreed, permanently deleted my files, and confirmed my compliance.

They closed the report and, to my surprise, awarded me a gift voucher as a token of appreciation for my ethical disclosure!


The Takeaways for Researchers

The technical win was a great feeling, but the administrative side of this disclosure was an equally valuable learning experience.

  1. Understand Business Logic: What looks like a critical vulnerability (like the token generation) might be an intended feature to the developers. Always consider the whole picture.
  2. Respect the VDP: Corporate security teams do not mess around with data privacy. A VDP is not just a set of guidelines; it is a strict framework that you must follow to maintain your Safe Harbor protection.