Hey, I am depro0x, a security researcher focused on web application and API security. Recently, I earned a total of $,$$$ in bug bounty rewards from a single target: https://www.[REDACTED].com/ — and it all started with something very simple: a basic directory scan.
At first, I wasn't expecting anything major. Like most reconnaissance phases, I just ran a standard content discovery process to see if anything interesting was exposed. During this, I came across a file:
https://www.[REDACTED].com/.vs/slnx.sqlite
This immediately stood out. The .vs directory is typically associated with development environments and is not meant to be publicly accessible. I reported it, and it was accepted as a Medium severity issue.
But that's where things got interesting.
🧠 Turning to AI for deeper analysis
At that point, I wasn't fully sure how to interpret the contents of the file. Instead of manually digging blindly, I used an AI assistant (Claude) to help analyze and extract meaningful patterns.
This turned out to be a key decision.
The analysis revealed multiple internal directory structures and hidden paths that were actively being used by the application. These were not documented anywhere publicly and were clearly part of the backend architecture.
Armed with this information, I expanded my testing scope and began targeted fuzzing against the discovered paths.
🔥 Critical discovery: exposed credentials
During this phase, I discovered a highly sensitive endpoint:
https://www.[REDACTED].com/whatsapp/credentials.json
This file exposed Google service credentials, which I validated and confirmed could lead to complete Google service account takeover, potentially allowing unauthorized access to backend services depending on configuration and scope.

After validating the exposure and confirming its sensitivity, I reported it immediately.
The result:
- Classified as Critical
- Assigned CVSS 10.0
- Treated as a high-impact misconfiguration involving credential exposure
📊 Additional findings
While continuing the assessment, I also identified several other endpoints exposing internal server data and configuration details. These were less severe individually but still meaningful from an information disclosure perspective.
These were later triaged as Medium severity issues.
💰 Outcome
In total, the combined findings from this single reconnaissance flow resulted in $,$$$ in bounty rewards.
🧩 Key takeaway
What started as a routine directory scan turned into a critical discovery chain:
- A seemingly low-impact exposed file (.sqlite)
- AI-assisted structural analysis of hidden directories
- Targeted fuzzing based on extracted insights
- Discovery of real credential exposure
The biggest lesson for me was simple:
Even small misconfigurations can act as entry points to much larger security issues — especially when combined with structured analysis and persistence.
AI didn't replace the research process, but it significantly accelerated the ability to interpret and act on what I found.
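For teams on the receiving end of a report like this, both exposures can be caught before the site is published. The script below is an added example, not code from this write-up or from the affected target: it walks a local copy of the web root and flags development-tool metadata directories, SQLite/database files, and JSON files shaped like a Google service-account key. The directory list, the function names and the assumption that the exposed credentials file used the standard service-account key layout are mine; the sample tree is constructed and only reuses the two paths named above.

```python
import json
import os
import tempfile

# Development-tool metadata directories that should never ship (assumed list).
METADATA_DIRS = {".vs", ".git", ".idea", ".vscode"}

def is_service_account_key(path):
    """True if the file is JSON shaped like a Google service-account key."""
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError):
        return False
    return (isinstance(doc, dict) and doc.get("type") == "service_account"
            and "private_key" in doc)

def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for a deployable tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if rel_dir == "." else rel_dir + "/"
        findings += [(prefix + d, "tool-metadata-dir")
                     for d in dirnames if d in METADATA_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith((".sqlite", ".sqlite3", ".db")):
                findings.append((prefix + name, "database-file"))
            elif name.lower().endswith(".json") and is_service_account_key(full):
                findings.append((prefix + name, "service-account-key"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree using the two paths named in the post."""
    files = {
        ".vs/slnx.sqlite": "",
        "data/settings.json": '{"theme": "dark"}',
        "whatsapp/credentials.json": '{"type": "service_account", "private_key": "X"}',
    }
    root = tempfile.mkdtemp()
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(*audit_webroot(build_sample_webroot()), sep="\n")
```

Run against the build output in CI, a non-empty result is a reason to fail the deploy; any key it finds should also be rotated, since removing the file does not invalidate a credential that was already served.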