June 1, 2026
My First Bounty report which got accepted
Sanjeev Rathore
Hey hunters, my name is Sanjeev Rathore. I am a bug bounty hunter. I am not very experienced and am still learning bug hunting. This is my first bug report that got accepted, and it was rated P5.
Vulnerability Description
This is just a normal bug that I found. I chose a public program on Bugcrowd. I did my recon, found the subdomains, and followed the regular steps I usually take when starting a web pentest. I chose one of the domains to go with and pulled out all of its URLs using Wayback and Katana. I tried changing the session values, which got me nothing. I tried changing the email using the forgot-password method, which also got me nothing.
There was a point while testing the email functionality when I thought I might have found something, but it was the behaviour that was abnormal, not the functionality or the system.
Then I moved on to surfing through the website and came across the cart functionality. When I proceeded to checkout, it redirected me to the login panel with the URL https://domain.com?redirect=https://redirecturl.com. That is what I saw: after logging in successfully, the user was redirected to the URL in that parameter.
Once I confirmed the vulnerability, I changed the URL to https://evil.com. After changing the URL and logging in successfully, the user was redirected to evil.com. This is a really trust-breaking scenario, as a user might fall into a phishing trap, which may lead to loss of customer trust and may also lead to ATO (Account Takeover). I also checked it with Burp Collaborator to confirm the request; I definitely confirmed the request over both HTTP and DNS.
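A minimal model of the redirect handler described above, written as an added example for this post; it is not code from the post or from the program the author tested. The host domain.com, the parameter name redirect and the /account fallback are assumptions. The vulnerable handler echoes the ?redirect= value into the Location header exactly as the post describes; the hardened one resolves the value against the site's own origin and only follows it if it still lives on that host, which is the check a triager will ask whether the fix covers. The probe list goes beyond the single evil.com payload in the post to the variants (scheme-relative, backslash, userinfo, look-alike subdomain) that commonly slip past a naive prefix check.

```python
"""Open-redirect model: the vulnerable ?redirect= handler beside a hardened one.

Added example; not code from the post or from the program the author tested.
Assumptions (not from the post): the app is served from https://domain.com,
the parameter is named `redirect`, and the post-login fallback is /account.
"""
from urllib.parse import urljoin, urlparse

APP_HOST = "domain.com"                    # assumed application host
APP_ORIGIN = f"https://{APP_HOST}"
DEFAULT_LANDING = f"{APP_ORIGIN}/account"   # assumed safe fallback after login


def unsafe_redirect_target(redirect_param: str) -> str:
    """Vulnerable behaviour: whatever arrived in ?redirect= becomes the Location header."""
    return redirect_param or DEFAULT_LANDING


def safe_redirect_target(redirect_param: str) -> str:
    """Hardened behaviour: resolve the value against our own origin and only
    follow it if it still lives on APP_HOST over https; otherwise fall back.

    The result is re-emitted as an absolute same-origin URL, so the browser is
    never handed a bare "//host" or "/\\host" that it would treat as off-site.
    """
    if not redirect_param:
        return DEFAULT_LANDING
    # Backslashes and control characters are what bypass naive prefix checks
    # (browsers read "/\\evil.com" as "//evil.com"; some parsers strip tabs).
    if "\\" in redirect_param or any(ord(c) < 0x21 for c in redirect_param):
        return DEFAULT_LANDING
    # Relative paths stay on our origin; "//evil.com" and "https://evil.com"
    # surface their real host here instead of hiding behind a leading "/".
    parsed = urlparse(urljoin(APP_ORIGIN + "/", redirect_param))
    # Compare the whole netloc: this also refuses userinfo tricks such as
    # "https://domain.com@evil.com" and explicit ports, which we never need.
    if parsed.scheme != "https" or parsed.netloc.lower() != APP_HOST:
        return DEFAULT_LANDING
    path = parsed.path or "/"
    if parsed.query:
        path += "?" + parsed.query
    return APP_ORIGIN + path


# Constructed probe list: the post's evil.com payload plus the variants a
# triager will expect you to have tried before calling a check "hardened".
PROBES = [
    "https://evil.com",                      # the payload from the post
    "//evil.com/login",                      # scheme-relative
    "/\\evil.com",                           # backslash, browser-normalised to //
    "https://domain.com@evil.com",           # userinfo spoofing the trusted host
    "https://domain.com.evil.com/",          # trusted host as a subdomain prefix
    "javascript:alert(1)",                   # non-http scheme
    "\thttps://evil.com",                    # leading tab stripped by some parsers
    "http://domain.com/checkout",            # same host, downgraded scheme
    "https://domain.com/checkout?step=2",    # legitimate deep link
    "/cart",                                 # legitimate relative path
]


def probe_results() -> dict[str, tuple[str, str]]:
    """Map each probe to (vulnerable Location, hardened Location)."""
    return {p: (unsafe_redirect_target(p), safe_redirect_target(p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (vuln, safe) in probe_results().items():
        print(f"{probe!r:40} vulnerable -> {vuln!r:40} hardened -> {safe!r}")
```

Running the script prints the two Location values side by side for each probe: the vulnerable handler sends the browser wherever the parameter says, while the hardened one only ever emits an https://domain.com/... URL and falls back to the landing page for every off-site or malformed value, including the two legitimate-looking entries that merely downgrade the scheme or smuggle a host.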
Conclusion
After reporting the vulnerability I waited and got a reply in 2 days; the report was triaged as P5. I was not satisfied with the rating because I was expecting more from this, but then I realised that the report writing is more important than the vulnerability itself. Explaining the impact responsibly and efficiently plays the major role in a report. It was fun to discover the vulnerability and a good experience. I am learning more and hope I soon come up with a $$$$ bounty.