June 11, 2026
The Bug I Almost Ignored Paid My First Bounty — And Why Context Changes Everything
Saad Noor Khan Durrani
After the Layer3 informative and months on AnyTask with nothing to show financially, I went back to HackenProof and picked Phemex — a crypto derivatives exchange.
I wasn't expecting much. I just wanted to keep testing.
How it started
I was running Phemex through Burp Suite, going through the usual flow. Burp's JS miner flagged something — it flags a lot of things, most of them nothing. I'd learned not to get excited about its output.
But I opened the file anyway.
What I found
Inside a publicly accessible JavaScript file was a configuration object. It wasn't hidden, it wasn't encoded. It was sitting there in plain text.
The object contained:
- Internal API URLs mapped alongside their private counterparts
- 11 internal IP addresses
- AWS Application Load Balancer DNS names
- Multi-environment configurations — dev, fat, and production — all in one place
Any visitor to phemex.com could pull this file without authentication. No credentials required, no special access needed.
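A pre-release check for exactly this class of leak, added here as an example and not code from the post or from Phemex: it scans a shipped JS bundle for RFC 1918 addresses, AWS ALB hostnames and per-environment config blocks so a CI job can fail before the file reaches a CDN. The sample bundle, hostnames and addresses below are constructed.

```python
import ipaddress
import re

# Constructed sample of the shape the post describes: one object holding dev/fat/prod
# config, internal addresses and ALB names (hypothetical values, not Phemex's).
SAMPLE_JS = """
const CONFIG = {
  dev:  { api: "https://api-dev.corp.example", lb: "dev-alb-123456789.us-east-1.elb.amazonaws.com", host: "10.0.12.34" },
  fat:  { api: "https://api-fat.corp.example", host: "172.16.8.9" },
  prod: { api: "https://api.example.com", lb: "prod-alb-987654321.eu-west-1.elb.amazonaws.com", host: "192.168.1.20" },
  cdn: "203.0.113.10",
  version: "2.14.3",
};
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ALB_RE = re.compile(r"\b[A-Za-z0-9.-]+\.elb\.amazonaws\.com\b")
ENV_KEY_RE = re.compile(r"\b(dev|fat|staging|uat|qa|prod|production)\s*:\s*\{")
# Explicit internal ranges rather than ipaddress.is_private, which also flags
# documentation ranges such as 203.0.113.0/24 that are legitimately public-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def find_internal_ips(text):
    """Dotted quads inside the bundle that fall in an internal range, in order of appearance."""
    found = []
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group())
        except ValueError:  # regex shape matched but an octet > 255
            continue
        if any(ip in net for net in INTERNAL_NETS) and str(ip) not in found:
            found.append(str(ip))
    return found

def find_alb_names(text):
    """AWS Application/Classic Load Balancer DNS names embedded in the bundle."""
    return sorted(set(ALB_RE.findall(text)))

def find_env_blocks(text):
    """Environment keys that open an object literal, i.e. non-production config shipped to clients."""
    return sorted(set(ENV_KEY_RE.findall(text)))

def scan_bundle(text):
    """Aggregate the checks; a CI gate fails when any list is non-empty."""
    return {"internal_ips": find_internal_ips(text),
            "alb_dns": find_alb_names(text),
            "env_blocks": find_env_blocks(text)}

def bundle_is_clean(text):
    return not any(scan_bundle(text).values())

if __name__ == "__main__":
    for key, hits in scan_bundle(SAMPLE_JS).items():
        print(f"{key}: {hits}")
```

Run it over each file in the build output directory; the production bundle should report empty lists for all three keys.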
What I thought
My first instinct was to dismiss it. I'd been burned enough times submitting things that came back informative or out of scope. Internal IPs in a JS file felt like the kind of thing that gets marked P5 — known issue, accepted risk, thanks for reporting.
But then I thought about the target. This was a crypto exchange handling real user funds. Internal infrastructure exposure on a financial platform is a different conversation than the same finding on a marketing site. An attacker with this information knows where to look next — which services are internal, how the environments are structured, where the load balancers sit.
I wrote the report the same day.
Writing the report
I documented everything methodically — the file URL, the full configuration object, what each piece of exposed information represented, and what an attacker could do with it. I tried to make the impact clear without overstating it.
Then I submitted and waited.
I'd learned from AnyTask not to expect anything.
The response
Three days for the first response. One week to triage. Fourteen days to payment.
$50.
The same finding I almost didn't report because I thought it would be another informative. The one I talked myself into submitting because the platform was a crypto exchange and the context changed the severity.
It wasn't the amount. It was the confirmation that my read of the situation was right — that context matters, that a finding isn't just a finding, it's a finding on a specific target with specific stakes.
What I took from it
Burp's JS miner is noisy. Most of what it flags is irrelevant. But going through the noise is part of the process — the signal is in there somewhere.
And the instinct to not report something because it feels too small is worth questioning every time. The platform decides severity, not the hunter. Your job is to document what you found and make the impact clear. Let them decide the rest.
Next: staying on the same target after your first bounty — and finding something significantly more serious in the same codebase.