Hi, I am Dhanush. I have a hard-tech infra project that I want to become a future protocol; that's all, basically. I am a poor, 17M, self-taught (by piracy) solo guy. I made multiplayer 3D games, and now I used Burp Suite at random to understand communications to services. When using a service from a company named "B" (an AI-using company for neural phase locking; they are a multi-million-ARR, premium-only-model company with trials), I saw some problems. Here they are:

Technical Findings (all actions are for educational/reporting purposes only, and none were used for personal benefit or piracy):

1) Their account management system is completely flawed. I can use anything with '@' and '.': other people's mails, non-existing mails, temp mails. AND I can also delete an account and recreate it with the same credentials to get another set of trials.

2) They store data using a service like Braze, and its API key is shown out in the open. I thought it was the real one; well, it might be just the SDK key. I didn't dig much into its access, as it might be illegal because they don't have any formal bug bounty program, nor did they hire me to do this, so I stayed within limits and moved on. But they could have used the "identifier field-level encryption" feature on Braze, so that even with certificates a proxy can't know personal details about the user.

3) They use bulk production of tokenized links, and there are multiple flaws there:

3.1) It's bulk, so I get 40 usable links to download their proprietary IP, and they might have thousands of songs; with just basic Python automation one can get 800 songs (verified truth).

3.2) Those links are said to be usable for 3 months with a single authorization, and those files are full, unencrypted hosted audio files.

3.3) The main link didn't support third-party downloaders like IDM catchers, but the flaw is that it exposes the link, which can be tracked down and downloaded with another simple Python automation using Selenium (verified).

4) And the final problem is that the premium UI can just be toggled ON, so basically their whole product is exposed to me (though I didn't sit and watch an audio streaming platform). If a bad actor hosted their IP somewhere it could be dangerous, and they already lose revenue through the account flaw. These are all my views and inferences.
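Findings 1 and 4 (unverified emails, trial reset by deleting and recreating an account, premium decided by a client-side toggle) can be closed on the server side. Added illustrative Python, not the company's code; the in-memory stores, class and method names are assumptions standing in for a real account database:

```python
import hashlib
import re

# Minimal syntactic check; the real gate is the verification step below, not the regex.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(email: str) -> str:
    """Lower-case and fold common aliasing (plus-tags, dots in the local part)
    so that one mailbox cannot be re-registered under many spellings."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


class AccountService:
    """Constructed stand-in for an account/entitlement backend (assumption)."""

    def __init__(self) -> None:
        self.accounts: dict[int, dict] = {}   # account_id -> {email, verified, premium}
        self.trial_ledger: set[str] = set()   # hashed normalized emails that ever had a trial
        self._next_id = 1

    def register(self, email: str) -> int:
        if not EMAIL_RE.fullmatch(email):
            raise ValueError("invalid email syntax")
        account_id, self._next_id = self._next_id, self._next_id + 1
        self.accounts[account_id] = {"email": normalize_email(email), "verified": False, "premium": False}
        return account_id

    def verify_email(self, account_id: int) -> None:
        """Called only after the user proves control of the mailbox (e.g. clicks a mailed link)."""
        self.accounts[account_id]["verified"] = True

    def grant_trial(self, account_id: int) -> None:
        acct = self.accounts[account_id]
        if not acct["verified"]:
            raise PermissionError("email must be verified before a trial is granted")
        key = hashlib.sha256(acct["email"].encode()).hexdigest()
        if key in self.trial_ledger:
            raise PermissionError("trial already consumed for this mailbox")
        self.trial_ledger.add(key)
        acct["premium"] = True

    def delete_account(self, account_id: int) -> None:
        # The ledger entry deliberately survives deletion, so delete-and-recreate yields no new trial.
        del self.accounts[account_id]

    def can_stream_premium(self, account_id: int) -> bool:
        """Server-side entitlement check; whatever the UI toggle says is irrelevant here."""
        acct = self.accounts.get(account_id)
        return bool(acct and acct["verified"] and acct["premium"])
```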

I am not a professional (but I followed all principles, cleaned all code and files, and showed proof via SHA-256 only), and they don't have any option on HackerOne or any firm to contact, so I attempted 50 times over a span of more like 3–4, maybe even 5 months. I guess I tried literally all social media, even those who freelanced for that business or random strangers who followed the CEO (his personal mail even); no one responded. Finally I got a response from an official employee. I explained this problem and waited for more than a lot of time, and just for this I got a LinkedIn Premium trial and told him. It's been more than 2 months after him responding, and still they didn't fix anything, and lately he didn't even respond for two weeks, just for a certificate of endorsement or some kind of pedigree. Where I am self-taught by piracy I have nothing to prove, nor am I rich enough to create some; I just asked for a certificate, still unresponded. But before that I asked him whether I could make a technical write-up, and he said feel free to do what you want. Now I took 2 weeks to reflect, and here is my write-up.

At least I feel like having validation (you would know its value when you have none) for putting this work on a decade-old AMD A4 Radeon R4 government-distributed entry-level laptop. I am resourceful, persistent and technically capable, yet I lost YC, whereas those with pedigree like " — — IDE" (the world's first BRAINROT IDE) (just a webview extension pre-installed on an IDE fork with bookmarks of brainrot websites) got in. So help me get validated to build something the future needs.

My project is basically a virtual file system with built-in compression for future world models and 6G networks. If anyone wants to ask or help in any way, do it in the comments; that would be helpful.