What Is This Report About?

I recently came across a bug report on Bugreader by researcher Ansal Pandey. The report is titled "Instagram Post Like State Not Reflected on Comment Page" — submitted to Instagram's bug bounty program, rated Medium severity, marked Valid, and rewarded with $100. It is one of the cleanest examples I have seen of how simply using an app with curious eyes can lead to a legitimate security finding.

What the Researcher Actually Observed

The steps in this report are almost insultingly simple. Open Instagram on the web. Go to the home feed. Like any post by clicking the heart icon. Then tap the comment icon to open that same post's comment section. Observe the like state.

The post shows as unliked in the comment view. Even though you just liked it from the home feed ten seconds ago. Go back to the feed — liked. Open comments again — unliked. That inconsistency between two views of the same post is the entire bug.

No Burp Suite. No proxy. No scripting. Just a person using Instagram and noticing something that did not add up.

Why This Actually Matters

I see beginners dismiss bugs like this all the time. "It is just a display issue." "It is not a real vulnerability." That thinking is exactly what holds people back. Instagram's security team reviewed this and paid $100 for it. On a platform with two billion users, a like state that resets when you switch views causes real confusion. Users think their action did not register. They double-tap. They lose trust in the app. That is impact — and impact is what security programs pay for.

What Beginners Should Take Away From This

First — your daily app usage is already a testing session. You do not need a lab. You need attention. Every time you like something, follow someone, save a post, or react — ask yourself: does this state hold everywhere in the app? Switch views. Go back and forth. Check mobile and web. That habit alone can surface bugs.

Second — cross-context state is a goldmine. When data shown in one part of an app does not match another part, that is a logic flaw. UI state bugs, sync issues, race conditions — these are real and programs pay for them.

Third — a clean report is half the work. Ansal did not just say "the like button is broken." They wrote: open the app, go to home feed, like a post, open comments, observe. Four steps. Reproducible. Clear. That structure is what separates a Valid from a Won't Fix.

My Take on This Report

I review a lot of bug reports. Most of the ones beginners overlook are exactly like this one — no fancy exploit chain, no advanced tooling, just someone using a product properly and asking "wait, should this work this way?" Ansal Pandey's report is textbook. The writing is clear, the steps are reproducible, the impact is well articulated. Instagram paid. That is the goal.

Keep hunting, keep observing. The bugs you find while actually using apps as a normal person are often the ones nobody else reports because everyone else is too busy running scanners.
