CyberSafe Network
Ethical Hacker | Penetration testing | Bug bounty | Network security | Cyber threat intelligence | Security tools (Wireshark, Kali Linux, Metasploit)
26/05/2026
Happy to share that I received a bug bounty reward for responsibly disclosing a valid security vulnerability related to 2FA/TOTP implementation.
The issue was successfully validated and fixed by the security team. Grateful for the recognition and continuously learning in the field of cybersecurity & bug bounty hunting.
25/05/2026
Vulnerability Accepted – Security Research Update
I’m pleased to share that my recently reported vulnerability has been officially accepted for further assessment and remediation through a structured security review process.
This vulnerability was identified in an account lifecycle and session management flow within a cloud-based system.
⸻
Vulnerability Details:
The issue was related to improper data handling after account deletion. It was observed that:
• After account deletion, user session remained active under certain conditions
• User-related data (such as contact entries and Gmail/contact information) was still accessible
• Data added before deletion remained visible even after the account was deleted
• In some cases, new data could still be added and persisted after deletion
This behavior indicates that user data was not being fully cleared or invalidated upon account deletion, leading to potential data persistence and privacy exposure risks.
⸻
Security Impact:
Under specific authenticated scenarios, this could potentially lead to:
* Unauthorized access to residual user data
* Privacy exposure of stored contact information
* Incomplete account data removal behavior
From a security standpoint, this aligns with a medium to high severity (P2-level) issue depending on impact assessment.
⸻
💰 Bug Bounty Context:
In the company, vulnerabilities of this nature in cloud and application systems are typically rewarded under structured bug bounty programs, where payouts can range from $100 up to $5,000 or more, depending on severity, scope, and impact.
Given the nature of this issue and the fact that it has now been accepted and moved into the remediation phase, I appreciate the structured handling of security reports and hope for a fair evaluation and reward aligned with the impact.
⸻
Looking forward to the final resolution and continuing my journey in responsible vulnerability research.
21/05/2026
Reported multiple authentication & session vulnerabilities (2FA, OTP, JWT)
✅ Key issues successfully mitigated and deployed
One risk accepted by the team
💬 Reward discussions currently in progress
19/05/2026
Critical Security Vulnerability Identified (P1 Severity)
I discovered multiple authentication and session management issues in an application that, when combined, could potentially lead to full 2FA bypass and account takeover.
Summary of Findings:
The system was vulnerable to:
* Replay of 2FA disable requests
* Acceptance of old OTPs
* Bypass of password re-authentication for sensitive actions
* Improper JWT/session revocation after logout
* Lack of anti-replay protection on critical endpoints
⚠️ Impact:
These issues together could allow an attacker to:
* Reuse previously intercepted 2FA disable requests
* Disable 2FA without proper verification
* Maintain access even after logout
* Potentially achieve full account compromise
Testing Approach:
* Conducted responsible security testing using a test account
* Intercepted requests via Burp Suite
* Performed controlled proof-of-concept replay testing
* Full PoC workflow was documented and recorded
Status:
The issue was reported responsibly to the security team.
They acknowledged the finding and confirmed that a fix is currently in progress.
⸻
This experience highlights the importance of strong controls around:
* Authentication
* Session management
* Token invalidation
* Anti-replay mechanisms
* Secure 2FA lifecycle implementation
13/05/2026
I identified and reported a security vulnerability related to missing session invalidation after password change/reset in the customer account system. During testing, I observed that active sessions remain valid even after a password update, which could potentially allow unauthorized continued access if a session is compromised.
The issue was carefully analyzed and reported with a detailed proof of concept (PoC). It was reviewed and reproduced by the internal security team, and based on their assessment, the vulnerability was treated as a high severity / critical security issue internally and scheduled for remediation in the next deployment.
According to the company’s internal evaluation criteria, the issue was accepted, and I have been confirmed as eligible for a reward for this responsible disclosure. A demonstration of the vulnerability was also shared to assist with validation and fixing the issue.
#PenetrationTesting
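The 25/05, 19/05 and 13/05 posts above describe three failure modes of one control surface: sessions that survive account deletion, 2FA-disable requests that can be replayed without fresh re-authentication, and sessions that survive a password change. The following is an added example, not code from any of the affected vendors or from the original posts. It is a hypothetical in-memory `AccountService` (all names invented; `_hash` is a stand-in for a real password hash) that binds every session to a per-user `auth_version`, so rotating the password invalidates all other sessions, consumes a one-time re-authentication proof before 2FA can be disabled, and purges data plus revokes every session on deletion.

```python
"""Added example: account-lifecycle and session controls (hypothetical, in-memory).
Not any vendor's code; names such as AccountService are invented for illustration."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _hash(password: str) -> str:
    # Stand-in only; a real system uses a slow salted hash (argon2id/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class User:
    password_hash: str
    auth_version: int = 0          # bumped on password change: older sessions become stale
    twofa_enabled: bool = True
    deleted: bool = False
    contacts: List[str] = field(default_factory=list)


@dataclass
class Session:
    user_id: str
    auth_version: int              # snapshot of the user's auth_version at login


class AccountService:
    REAUTH_TTL = 300               # seconds a re-authentication proof stays usable

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}
        self.reauth_tokens: Dict[str, Tuple[str, float]] = {}   # token -> (session_id, issued_at)

    def register(self, user_id: str, password: str) -> None:
        self.users[user_id] = User(password_hash=_hash(password))

    def login(self, user_id: str, password: str) -> str:
        user = self.users.get(user_id)
        if user is None or user.deleted or user.password_hash != _hash(password):
            raise PermissionError("invalid credentials")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id, user.auth_version)
        return sid

    def current_user(self, session_id: str) -> User:
        """Reject sessions that were logged out, that predate a password change,
        or that belong to a deleted account; stale entries are dropped on sight."""
        sess = self.sessions.get(session_id)
        user = self.users.get(sess.user_id) if sess else None
        if user is None or user.deleted or sess.auth_version != user.auth_version:
            self.sessions.pop(session_id, None)
            raise PermissionError("session invalid")
        return user

    def logout(self, session_id: str) -> None:
        self.sessions.pop(session_id, None)
        self.reauth_tokens = {t: v for t, v in self.reauth_tokens.items() if v[0] != session_id}

    def change_password(self, session_id: str, new_password: str) -> str:
        """Rotate the credential and invalidate every other session; the caller
        gets a fresh session so only they remain logged in."""
        user = self.current_user(session_id)
        uid = self.sessions[session_id].user_id
        user.password_hash = _hash(new_password)
        user.auth_version += 1
        del self.sessions[session_id]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = Session(uid, user.auth_version)
        return new_sid

    def reauthenticate(self, session_id: str, password: str) -> str:
        """Password re-check for a sensitive action; returns a one-time proof."""
        user = self.current_user(session_id)
        if user.password_hash != _hash(password):
            raise PermissionError("re-authentication failed")
        token = secrets.token_urlsafe(32)
        self.reauth_tokens[token] = (session_id, time.time())
        return token

    def disable_2fa(self, session_id: str, reauth_token: str) -> None:
        """The proof is consumed on first use, so a captured request cannot be replayed."""
        user = self.current_user(session_id)
        entry = self.reauth_tokens.pop(reauth_token, None)
        if entry is None or entry[0] != session_id or time.time() - entry[1] > self.REAUTH_TTL:
            raise PermissionError("fresh re-authentication required")
        user.twofa_enabled = False

    def add_contact(self, session_id: str, contact: str) -> None:
        self.current_user(session_id).contacts.append(contact)

    def delete_account(self, session_id: str) -> None:
        """Purge user data and revoke every session and pending proof for the account."""
        user = self.current_user(session_id)
        uid = self.sessions[session_id].user_id
        user.deleted = True
        user.contacts.clear()
        for sid in [s for s, sess in self.sessions.items() if sess.user_id == uid]:
            del self.sessions[sid]
        self.reauth_tokens = {t: v for t, v in self.reauth_tokens.items() if v[0] in self.sessions}
```

The version counter is the piece that makes password change and deletion cheap to enforce: nothing has to enumerate tokens held by clients, because every request re-checks `auth_version` and the `deleted` flag server-side. The same check is what a stateless JWT design lacks unless the token carries a version claim that is compared against the user record on each request.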
04/05/2026
I’m excited to share that a security vulnerability report I submitted has been successfully validated and accepted.
The team acknowledged the issue and has already implemented an improvement by reducing the password reset token validity time — a small change with a big impact on user security.
As a token of appreciation, I was awarded a €50 bug bounty reward.
Grateful for the opportunity to contribute and continuously grow in the field of cybersecurity.
Keep learning, keep building, and keep hacking (ethically)!
02/05/2026
🚨 Bug Bounty Achievement
Alhamdulillah, I’m excited to share that one of my recent security findings has been officially recognized and rewarded by a company.
The vulnerability was carefully identified, tested, and reported with a detailed Proof of Concept. After validation, the company appreciated the professionalism and effort behind the report and awarded me a total bounty of $150.
This journey reflects my continuous learning in Cybersecurity, API Security, and Vulnerability Research, and motivates me to dig deeper into real-world security challenges.
I’m grateful for the opportunity and looking forward to contributing more to making digital platforms safer. 🚀
01/05/2026
I’m happy to share that my recent responsible disclosure of security issues has been officially acknowledged and rewarded. It’s always motivating to see organizations value ethical hacking and collaborative security efforts.
The reported issue involved a CORS misconfiguration that could lead to authenticated data exposure when credentials are allowed with a permissive origin policy. It’s always fulfilling to collaborate with organizations that value ethical hacking and proactive security practices.
Looking forward to contributing more towards building safer and more resilient platforms.
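The 01/05 post above describes a CORS misconfiguration in which credentials are allowed together with a permissive origin policy. As an added example (not the affected organization's code; the helper names and the `example.test` origins are constructed), the following shows the weak pattern that reflects the request's `Origin` header beside an exact-match allowlist, plus a small approximation of the browser-side check that decides whether a credentialed response may be read cross-origin.

```python
"""Added example: CORS origin handling, the reflecting pattern beside an allowlist.
Hypothetical helper functions; the origins below are constructed, not real hosts."""
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({
    "https://app.example.test",
    "https://admin.example.test",
})


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern: echo whatever Origin arrived and also allow credentials.
    A response built this way is readable by any site the victim's browser visits."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin: Optional[str]) -> Dict[str, str]:
    """Hardened pattern: exact match against a fixed allowlist (no wildcard, no
    prefix or suffix matching), and credentials only for a matched origin.
    Vary: Origin stops shared caches serving one origin's headers to another."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if (not parts.scheme or parts.path or parts.query or parts.fragment
            or normalized not in ALLOWED_ORIGINS):
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_allows_credentialed_read(headers: Dict[str, str], page_origin: str) -> bool:
    """Approximates the browser's check for a credentialed cross-origin response:
    Allow-Origin must equal the page origin exactly ('*' is refused with credentials)
    and Allow-Credentials must be the literal 'true'."""
    return (headers.get("Access-Control-Allow-Origin") == page_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")
```

Two details are worth keeping when porting this to a real framework: the allowlist comparison is on the full scheme plus host (so `http://` and a lookalike subdomain both fail), and the `null` origin is rejected because `urlsplit` yields no scheme for it.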
30/04/2026
I responsibly reported an OTP-related security issue that could potentially impact user account security.
The security team reviewed my report, confirmed the issue, and implemented a fix by adding a daily limit on OTP requests to prevent abuse.
As a result of responsible disclosure, I received a $100 reward.
This highlights the importance of:
* Proper rate limiting on authentication mechanisms
* Secure OTP implementation
* Responsible vulnerability disclosure
Grateful to the security team for their professional handling and quick remediation.
29/04/2026
I’m happy to share that I recently received a €200 bug bounty reward for responsibly reporting security vulnerabilities.
During my security testing, I identified and reported the following issues:
• Multiple Active Password Reset Tokens
• Email Verification Rate Limiting Bypass
After reviewing the report with their development team, the organization acknowledged the findings and rewarded my responsible disclosure.
This experience highlights the importance of ethical hacking and responsible vulnerability disclosure in strengthening the security of modern web applications.
Grateful for the recognition and looking forward to continuing my journey in cybersecurity and vulnerability research.
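The 30/04 post above describes a fix that added a daily limit on OTP requests, the 29/04 post reports an email-verification rate-limit bypass and multiple simultaneously valid password reset tokens, and the 04/05 post reports a shortened reset-token lifetime. As an added example (not the code of any of the organizations involved; class names, the quota and the TTL values are assumptions), the following implements a rolling 24-hour per-identifier limiter that buckets case, dot and plus-tag variants of an address together, and a reset-token store in which issuing a new token supersedes the previous one, tokens expire, and a token is consumed on first use.

```python
"""Added example: OTP/verification rate limiting and single-active reset tokens.
Hypothetical classes; quota, TTL and the injectable clock are test conveniences."""
import hashlib
import secrets
import time
from collections import defaultdict
from typing import Dict, List, Tuple


class DailyRequestLimiter:
    """Fixed per-identifier quota in a rolling 24-hour window, keyed on the
    normalized identifier so address variants do not each get a fresh quota."""

    WINDOW = 24 * 3600

    def __init__(self, max_per_day: int, now=time.time) -> None:
        self.max_per_day = max_per_day
        self._now = now                         # injectable clock for testing
        self._log: Dict[str, List[float]] = defaultdict(list)

    @staticmethod
    def normalize(identifier: str) -> str:
        ident = identifier.strip().lower()
        if "@" in ident:
            local, domain = ident.rsplit("@", 1)
            # Assumption: fold plus-tags and dots in the local part into one bucket.
            # Over-merging only makes the limiter stricter, never looser.
            local = local.split("+", 1)[0].replace(".", "")
            ident = f"{local}@{domain}"
        return ident

    def allow(self, identifier: str) -> bool:
        key = self.normalize(identifier)
        now = self._now()
        recent = [t for t in self._log[key] if now - t < self.WINDOW]
        if len(recent) < self.max_per_day:
            recent.append(now)
            self._log[key] = recent
            return True
        self._log[key] = recent
        return False


class PasswordResetTokens:
    """Short-lived reset tokens: issuing a new one revokes any earlier token for
    the same account, only a hash is stored, and a token is consumed on first use."""

    def __init__(self, ttl_seconds: int = 600, now=time.time) -> None:
        self.ttl = ttl_seconds
        self._now = now
        self._active: Dict[str, Tuple[str, float]] = {}   # user_id -> (token_hash, issued_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._active[user_id] = (self._hash(token), self._now())   # replaces any older token
        return token

    def redeem(self, user_id: str, token: str) -> bool:
        entry = self._active.get(user_id)
        if entry is None:
            return False
        token_hash, issued_at = entry
        if self._now() - issued_at > self.ttl:
            self._active.pop(user_id, None)                  # expired: discard
            return False
        if not secrets.compare_digest(token_hash, self._hash(token)):
            return False
        self._active.pop(user_id, None)                      # single use
        return True
```

Keying the limiter on the normalized identifier is what closes the usual bypass where each request varies capitalization or a plus-tag to land in a new bucket; a deployment should also apply a per-IP limiter alongside it, since the two catch different abuse patterns.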
Address: Gilgit 15100