The latest articles on DEV Community by P VIKRAM KISHORE (@waterbottle). https://dev.to/waterbottle https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4002655%2F9725a08c-24ad-4b77-8081-9b6189a39bd9.png https://dev.to/waterbottle en P VIKRAM KISHORE Thu, 25 Jun 2026 15:49:14 +0000 https://dev.to/waterbottle/what-i-did-during-my-summer-vacation-day-1-my-first-10-bug-bounty-reports-383f https://dev.to/waterbottle/what-i-did-during-my-summer-vacation-day-1-my-first-10-bug-bounty-reports-383f <p>Before college starts again, I wanted to document what I worked on during my vacation.</p> <p>This is the first post in a series where I'll share everything I learned over the past few months—from bug bounty hunting to AI security, GenAI engineering, and the projects I built.</p> <h2> Getting Started </h2> <p>Until recently, most of my security experience came from CTFs and intentionally vulnerable labs.</p> <p>While they taught me a lot about exploitation techniques, I wanted to understand how security works in real production applications.</p> <p>So I decided to spend my vacation participating in private bug bounty programs.</p> <h2> The Results </h2> <p>By the end of my vacation, I had submitted <strong>10 bug reports</strong> across multiple private programs.</p> <p>The findings ranged from <strong>Low</strong> to <strong>High</strong> and <strong>Expert</strong> severity.</p> <p>One of the most impactful reports involved an <strong>unauthenticated API exposure</strong> that, if abused, could have exposed information related to approximately <strong>39,070 investors and employees</strong>.</p> <p>Some of the vulnerability classes I encountered included:</p> <ul> <li>CORS Misconfigurations</li> <li>GraphQL User Enumeration</li> <li>Subdomain Takeovers</li> <li>GitHub Actions Supply Chain Risks</li> <li>Excessive CI/CD Permissions</li> <li>CSP Misconfigurations</li> <li>OAuth &amp; Authentication Issues</li> <li>Information Disclosure</li> </ul> <h2> What Bug Bounty Actually Taught Me </h2> <p>Before starting, I thought bug bounty was mainly about finding vulnerabilities.</p> <p>I quickly realized I was wrong.</p> <p>Finding a bug is usually the final step.</p> <p>Most of the work happens long before that.</p> <p>I spent hours:</p> <ul> <li>Reading thousands of lines of JavaScript</li> <li>Tracing API requests</li> <li>Mapping authentication flows</li> <li>Understanding business logic</li> <li>Following how different services communicate</li> <li>Learning why applications were built the way they were</li> </ul> <p>Some days I wouldn't find a single vulnerability.</p> <p>Other days I'd spend hours chasing something that turned out to be intended behavior.</p> <p>But every investigation improved the way I think about application security.</p> <h2> Rejections Are Part of the Process </h2> <p>One thing I learned early is that not every report will be accepted.</p> <p>Not every report deserves a bounty.</p> <p>Sometimes the issue is already known.<br> Sometimes it's out of scope.<br> Sometimes the impact isn't high enough.</p> <p>That's part of bug bounty.</p> <p>Every report—accepted or not—teaches you something new.</p> <h2> What's Next? </h2> <p>This vacation wasn't just about bug bounty.</p> <p>I also spent time learning AI security, RAG systems, LLM evaluations, observability, and building GenAI projects.</p> <p>Over the next few posts, I'll share those experiences as well.</p> <p>If you're a student thinking about getting into bug bounty, my biggest advice is this:</p> <p><strong>Don't chase bounties. Chase understanding.</strong></p> <p>The vulnerabilities come naturally once you truly understand how applications work.</p> <p>Thanks for reading, and I'd love to hear what you've been working on this summer.</p> <p>Happy hacking! 🚀</p> beginners devjournal infosec security