In a late-night bug-hunting session, an ethical hacker based in India spotted an exposed origin IP at the country’s largest stockbroker, even though the parent company used Cloudflare for protection.
The vulnerability could have allowed an attacker to bypass Cloudflare’s rate limits, fuzz without detection, brute force at full throttle and launch DDoS attacks.
After reporting the incident and having the vulnerability highlighted to the parent company, the ethical hacker was rewarded with a bounty payment of ₹XX,000 (approximately $312) simply for pointing out the company’s security misconfiguration; no actual harm was caused.
The tale serves to highlight to bug bounty hunters the importance of curiosity, reconnaissance and the fact that it is not always necessary to exploit a vulnerability to command a reward.