The $1,300 Sequel: How a simple retesting made me earn 500$ more for the same bug
Summary: A security researcher twice found vulnerabilities in the same QA environment. The initial fix was incomplete, leaving new sensitive files exposed. Although the second report was at first treated as a duplicate, it earned a $500 bounty because it involved new data and an incomplete remediation, bringing the total to $1,300. The case shows that even issues marked "Resolved" need to be rechecked. 2026-2-21 04:37:19 Author: infosecwriteups.com (view original) Views: 5

gopi krishnan

If you have already read my previous post, you know how a forgotten QA environment led to an $800 bounty. But the story didn’t end there. In the world of cyber-security, a “fix” isn’t always a “solution.”

This bug report on HackerOne is still in the “Triaged” state, but since I know that they have now denied public access to the QA page, I am writing about this report.

Three months after my first report was resolved, I went back to the same QA environment. What I found taught me a valuable lesson: Always retest, even when the bug is marked “Resolved.”

The “Incomplete” Fix

When the initial vulnerability was closed, the organization had secured the specific endpoints I reported. However, the root cause — the lack of universal access control on the QA server — remained.

While the original documents were now protected, I discovered that a whole new set of sensitive files was sitting wide open.

Part 2: New Data, Same Door

While pivoting through the QA sub-domain (data-qa.np.targetcorp.com), I noticed that the "ESG ****" and "Multi ****" sections were still serving live, restricted files.

By simply visiting the QA versions of these pages, I could download:

  • xxx.csv: Daily index composition data.
  • abc.csv: High-value premium index data.
  • Forecast Files: Proprietary biomedical and global tech indices.

Refer to the images below.


Production page (Redacted)


QA page (Redacted)

These weren’t just test files; they contained sensitive financial columns like Shares, Weights, Free Float, and Cash Dividend Amounts — data that is strictly reserved for high-paying licensed customers.

The Impact: Live Financial Benchmarks

Because this data serves as a primary benchmark for the stock market, unauthorized access is a serious revenue risk. Investors and professionals pay for this accuracy; if it’s available for free on a QA site, the business model is compromised.

The Negotiated Bounty: Duplicate or Valid?

This is where the story gets interesting. After reporting this second wave of documents, the triage team initially viewed it as a duplicate of my first report because the root cause (QA misconfiguration) was the same.


I argued that since the original remediation was clearly incomplete and entirely new, distinct datasets were exposed, it should be treated as a new finding.

The team agreed. Because not all remediation steps were applied the first time, they accepted the report as valid. While not the full original bounty, they awarded a $500 reward for the catch.

Why You Should Always Double-Back

  1. Remediation is Hard: Developers often patch the specific “symptom” (the link you found) rather than the “disease” (the server-wide configuration).
  2. Scope Expansion: As companies update their QA environments with new projects, new vulnerabilities can appear in old places.
  3. Persistence Pays: My total bounty for this one QA environment grew to $1,300 simply because I didn’t stop after the first “Resolved” status.
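As an added illustration of the "symptom versus disease" point above (my own example, not code from the original post or the program in question): a small retest helper that takes the URLs from a first report plus a later unauthenticated sweep of the same QA host, and tells you whether the fix closed only the reported links or the whole server. The host name is the one mentioned in the post; the paths, status codes and file names are constructed sample data.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# File types that should never be served to an anonymous client from this QA host.
SENSITIVE_SUFFIXES = (".csv", ".xlsx", ".parquet")


@dataclass(frozen=True)
class Observation:
    """One unauthenticated GET against the QA host, recorded during a retest."""
    url: str
    status: int
    content_type: str = ""


def is_exposed(obs: Observation) -> bool:
    """True when a restricted-looking file is served with HTTP 200 to an anonymous client."""
    path = urlparse(obs.url).path.lower()
    sensitive = path.endswith(SENSITIVE_SUFFIXES) or obs.content_type.startswith("text/csv")
    return obs.status == 200 and sensitive


def assess_fix(reported_urls, retest):
    """Judge a remediation from a retest sweep of the same host.

    Returns (verdict, still_open):
      'not-fixed'    - a URL from the original report is still exposed
      'symptom-only' - reported URLs are closed, but other files on the host are open
      'root-cause'   - nothing sensitive on the host answers anonymously
    """
    host = urlparse(reported_urls[0]).hostname
    reported = {u.lower() for u in reported_urls}
    still_open = sorted(
        o.url for o in retest if urlparse(o.url).hostname == host and is_exposed(o)
    )
    if any(u.lower() in reported for u in still_open):
        return "not-fixed", still_open
    if still_open:
        return "symptom-only", still_open
    return "root-cause", []


# Constructed sample: the two files from a first report, then a later sweep in which
# those two are denied but sibling files under the same sections are still served.
REPORTED = [
    "https://data-qa.np.targetcorp.com/esg/xxx.csv",
    "https://data-qa.np.targetcorp.com/multi/abc.csv",
]
RETEST = [
    Observation("https://data-qa.np.targetcorp.com/esg/xxx.csv", 403),
    Observation("https://data-qa.np.targetcorp.com/multi/abc.csv", 403),
    Observation("https://data-qa.np.targetcorp.com/esg/forecast_biomed.csv", 200, "text/csv"),
    Observation("https://data-qa.np.targetcorp.com/multi/premium_weights.csv", 200, "text/csv"),
    Observation("https://data-qa.np.targetcorp.com/index.html", 200, "text/html"),
]
```

Running `assess_fix(REPORTED, RETEST)` on the sample returns `symptom-only` with the two new CSV files, which is exactly the situation the post describes; a real retest would feed it the results of an authorized, in-scope sweep.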

Article source: https://infosecwriteups.com/the-1-300-sequel-why-retesting-is-a-bug-hunters-secret-weapon-b2734005f209?source=rss----7b722bfd1b8d--bug_bounty