The $1,300 Sequel: How a simple retest made me earn $500 more for the same bug
2026-2-21 04:37:19 Author: infosecwriteups.com (view original) Views: 6

gopi krishnan

If you have already read my previous post, you know how a forgotten QA environment led to an $800 bounty. But the story didn’t end there. In the world of cyber-security, a “fix” isn’t always a “solution.”

This bug report on HackerOne is still in the “Triaged” state, but since I know that they have now denied public access to the QA page, I am writing about this report.

Three months after my first report was resolved, I went back to the same QA environment. What I found taught me a valuable lesson: Always retest, even when the bug is marked “Resolved.”

The “Incomplete” Fix

When the initial vulnerability was closed, the organization had secured the specific endpoints I reported. However, the root cause — the lack of universal access control on the QA server — remained.

While the original documents were now protected, I discovered that a whole new set of sensitive files was sitting wide open.

Part 2: New Data, Same Door

While pivoting through the QA sub-domain (data-qa.np.targetcorp.com), I noticed that the "ESG ****" and "Multi ****" sections were still serving live, restricted files.

By simply visiting the QA versions of these pages, I could download:

  • xxx.csv: Daily index composition data.
  • abc.csv: High-value premium index data.
  • Forecast Files: Proprietary biomedical and global tech indices.

Refer to the images below for reference.


Production page (Redacted)


QA page (Redacted)

These weren’t just test files; they contained sensitive financial columns like Shares, Weights, Free Float, and Cash Dividend Amounts — data that is strictly reserved for high-paying licensed customers.

The Impact: Live Financial Benchmarks

Because this data serves as a primary benchmark for the stock market, unauthorized access is a serious revenue risk. Investors and professionals pay for this accuracy; if it’s available for free on a QA site, the business model is compromised.

The Negotiated Bounty: Duplicate or Valid?

This is where the story gets interesting. After reporting this second wave of documents, the triage team initially viewed it as a duplicate of my first report because the root cause (QA misconfiguration) was the same.

I argued that since the original remediation was clearly incomplete and entirely new, distinct datasets were exposed, it should be treated as a new finding.

The team agreed. Because not all remediation steps were applied the first time, they accepted the report as valid. While not the full original bounty, they awarded a $500 reward for the catch.

Why You Should Always Double-Back

  1. Remediation is Hard: Developers often patch the specific “symptom” (the link you found) rather than the “disease” (the server-wide configuration).
  2. Scope Expansion: As companies update their QA environments with new projects, new vulnerabilities can appear in old places.
  3. Persistence Pays: My total bounty for this one QA environment grew to $1,300 simply because I didn’t stop after the first “Resolved” status.
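Points 1 and 3 above can be turned into a standing check: a regression script that re-verifies every known restricted path on the QA host, not only the path from the first report, so a symptom-only fix shows up as unresolved. This is an added example, not code from the original post; the hostname, paths and responses are constructed stand-ins for the scenario described above, and the fetcher is injectable so a real HTTP client can replace it.

```python
"""Remediation regression check: does the QA host still serve restricted files?"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Column names the post says appear in the licensed index files
LICENSED_COLUMNS = ("shares", "weights", "free float", "cash dividend amount")

@dataclass
class Response:
    status: int
    content_type: str
    body: str

def looks_like_licensed_data(body: str) -> bool:
    """True when the first line (a CSV header) names at least two licensed columns."""
    header = body.splitlines()[0].lower() if body else ""
    return sum(col in header for col in LICENSED_COLUMNS) >= 2

def classify(resp: Response) -> str:
    """exposed: restricted data served; protected: auth enforced; absent: gone; unknown: review."""
    if resp.status in (401, 403) or 300 <= resp.status < 400:
        return "protected"
    if resp.status == 404:
        return "absent"
    if resp.status == 200 and (
        resp.content_type.startswith("text/csv") or looks_like_licensed_data(resp.body)
    ):
        return "exposed"
    return "unknown"

def retest(fetch: Callable[[str], Response], host: str, paths: List[str]) -> Dict[str, str]:
    """Re-check the whole list of sensitive paths, not just the one originally reported."""
    return {p: classify(fetch(f"https://{host}{p}")) for p in paths}

def unresolved(results: Dict[str, str]) -> List[str]:
    """Paths that still need remediation or a manual look."""
    return sorted(p for p, v in results.items() if v in ("exposed", "unknown"))

# Constructed stand-in for the QA host (hypothetical hostname and paths): the path from
# the first report was patched, the ESG/Multi sections were not.
FAKE_QA: Dict[str, Response] = {
    "https://data-qa.example.invalid/original/report.csv": Response(403, "text/html", "Forbidden"),
    "https://data-qa.example.invalid/esg/xxx.csv": Response(
        200, "text/csv", "Ticker,Shares,Weights,Free Float,Cash Dividend Amount\nAAA,100,0.5,0.9,0.1\n"),
    "https://data-qa.example.invalid/multi/abc.csv": Response(
        200, "application/octet-stream", "Ticker,Shares,Weights,Free Float\nBBB,50,0.2,0.8\n"),
}

def fake_fetch(url: str) -> Response:
    return FAKE_QA.get(url, Response(404, "text/html", "Not Found"))

SENSITIVE_PATHS = ["/original/report.csv", "/esg/xxx.csv", "/multi/abc.csv", "/forecast/biomed.csv"]

if __name__ == "__main__":
    print(unresolved(retest(fake_fetch, "data-qa.example.invalid", SENSITIVE_PATHS)))  # -> ['/esg/xxx.csv', '/multi/abc.csv']
```

Note that the content-type check alone is not enough: the second open file is served as `application/octet-stream`, and only the header sniff catches it.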

Article source: https://infosecwriteups.com/the-1-300-sequel-why-retesting-is-a-bug-hunters-secret-weapon-b2734005f209?source=rss----7b722bfd1b8d---4