How To Report a Vulnerability which is not a part of the VDP Program?


AjakCybersecurity

Hi, Ajak Amicos, welcome back to another blog. Today I will share how to report a vulnerability that is not part of a VDP program, and how I reported an SQL injection bug in one of the biggest e-commerce sites in my city, which did not have a bug bounty program. Before starting, if you haven't subscribed to our channel, do subscribe, guys. Contents related to cyber security, bug bounty, and digital forensics investigation.👇

Follow our YouTube Channel: @ajakcybersecurity (361 videos)

Follow on Instagram: @ajakcybersecurity

We are close to 1K followers; kindly press that follow button to support me :)

PS: Before starting, the website, email addresses, and photos shown below are just for demo purposes and are publicly available. I respect everybody's privacy. Thanks :)

OK, now many of us would like to test one of our favourite domains that is not part of a bug bounty or VDP program, and often it is one of the biggest shops in your city. Have you ever wondered how you can report this? Let me help you with it.

When hunting bugs on a site with no VDP, make sure your bug falls under P1 or P2: report bugs like SQL injection that leaks customer data, an admin panel bypass that lets an attacker deface the whole website, remote code execution that exposes sensitive data, price tampering, account takeover, or any bug that affects their reputation or causes financial damage. There are two reasons for this: first, the website has no VDP, and second, they won't look into the issue if your severity is low.

For testing purposes, I have taken the website https://supersaravanastores.com/. This domain belongs to one of the biggest supermarkets in my city, but it doesn't have a bug bounty program. Let me show you the steps now.

The first step, if you find a P1 bug, is to go to their contact page and look for a phone number or email address. If you find a phone number, customer care will speak with you; ask them to escalate the call to their manager, try to make them understand the situation and the bug's impact, or else ask the manager for the tech team's contact details. Writing an email to the address found on the contact-us page is completely useless; they won't even see it. OK, so to whom can you write an email to report this bug?

Contact us page of Saravana Stores
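Step one is about finding an official reporting contact. One standardized place to look, which this post does not mention, is the security.txt file (RFC 9116) that some organizations publish at /.well-known/security.txt; it lists Contact addresses, an Expires date and a Policy link. The parser below is an added example written for this article, not code from the post or from any tool it mentions. The security.txt content is a constructed sample, example.com is a placeholder, and the field handling follows RFC 9116 as I understand it.

```python
"""Parse a security.txt (RFC 9116) file to find an official vulnerability-reporting contact."""
from datetime import datetime, timezone

# Constructed sample of what a site might serve at /.well-known/security.txt.
# Not taken from any real organization; example.com is a placeholder.
SAMPLE_SECURITY_TXT = """\
# Security contact information for the site
Contact: mailto:security@example.com
Contact: https://example.com/report-a-bug
Expires: 2030-12-31T23:59:00Z
Preferred-Languages: en, ta
Policy: https://example.com/security-policy
Encryption: https://example.com/pgp-key.txt
"""


def parse_timestamp(value):
    """Parse an RFC 9116 Expires timestamp (ISO 8601) into an aware datetime, or None."""
    value = value.strip()
    if value.endswith("Z"):  # older fromisoformat() does not accept a literal Z suffix
        value = value[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(value)
    except ValueError:
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def parse_security_txt(text):
    """Return {field_name: [values]}; comments and blank lines are skipped.

    Field names are case-insensitive in RFC 9116, so they are lower-cased here.
    A field may repeat (e.g. several Contact lines), hence the list of values.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: tolerate it rather than fail the whole file
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def is_expired(fields, now):
    """True when the file should not be trusted: Expires missing, unparseable, or in the past."""
    values = fields.get("expires", [])
    if not values:
        return True
    expires = parse_timestamp(values[0])
    return expires is None or expires <= now


def report_channels(fields):
    """Split Contact values into (email addresses, web URLs), keeping file order (preferred first)."""
    emails, urls = [], []
    for contact in fields.get("contact", []):
        lowered = contact.lower()
        if lowered.startswith("mailto:"):
            emails.append(contact[len("mailto:"):])
        elif lowered.startswith(("http://", "https://")):
            urls.append(contact)
    return emails, urls


if __name__ == "__main__":
    fields = parse_security_txt(SAMPLE_SECURITY_TXT)
    emails, urls = report_channels(fields)
    print("email contacts:", emails)
    print("web contacts:  ", urls)
    print("policy:        ", fields.get("policy", ["(none)"])[0])
    print("expired:       ", is_expired(fields, datetime.now(timezone.utc)))
```

Running the file prints the contacts found in the sample; for a real site you would fetch /.well-known/security.txt yourself and pass the response body to parse_security_txt. An expired or missing file means the organization is not advertising a reporting channel, which is exactly when the phone, Hunter and LinkedIn routes described in this post come in.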

The second step uses an extension called Hunter. It collects email addresses through passive information gathering, so you can find the email addresses of people working in that specific organization, and there is a chance you will find the email addresses of tech team members, or even the CEO of the company. If you find the email address of a tech team member, write a technical report and submit it; if you find the CEO's email address, write an email stating that you have found a bug which can leak customers' details and cause reputational damage to the company. You can take a look at the screenshot below, which shows people who work at Canva. But what if you can't find anything? That takes me to the next point.

An alternative to the Hunter extension is theHarvester, a CLI tool available on GitHub.

The third way to report a bug is via LinkedIn: you can find people working for the organization, and once you find them you can easily find a way to report and escalate the issue. To do so, simply go to LinkedIn and search for the organization name, as in the screenshot below.

As you can see, I searched the organization name and it showed me Dinesh Ellappan, who is a current manager at Saravana Stores. You can simply connect with him and try to explain the impact of the bug, or ask him to escalate it to the IT team. The company page registered on LinkedIn is also visible; if you want to find more people, go into the company profile and navigate to People, as in the screenshot below.

Once there, you can see the people who work for the company. Simply skim through the profiles and see if anybody works in the IT team who can escalate the issue, as in the screenshot below.

As you can see, one member is working as an Application Support Specialist and may be an IT team member, so you can report it to him. The Vice President of the organization is also there, so you can report the bug's severity and impact to him and have him escalate the issue to the IT team.

If neither of the above options works, go to the head office in person and see the manager. Prepare a PPT and a detailed report for both technical and non-technical people, and submit the issue. Simply type your target's name followed by "head office" into Google, as in the screenshot below.

As you can see, the Saravana Stores head office is in Purasawalkam. Just go to that location and report it in person.

OK, let me tell you: don't demand anything straight away, like "I want this amount of bounty or goodies". Try to be smart here. If you are a college student, ask them to write an appreciation mail for finding a bug and saving the company from reputational damage, with the CEO's signature or stamp. Trust me, this will help boost your resume when you apply for jobs. The second thing is connecting with people: when you go to the head office, you will meet people in higher positions, so communicate well with them and use your social engineering tactics to build a friendly and professional conversation. Lastly, if you are a college student, ask them for an unpaid internship with the organization; this will help you get a job very easily when you apply for entry-level roles. Only while leaving, ask whether you can get any goodies or a bounty. Mostly they won't give you any, but ask in a sarcastic way; sometimes you may be lucky :)

Back in 2021, I found an SQL injection bug in one of the biggest e-commerce sites in my city, which didn't have a bug bounty program; the organization is Pothys.

I found an SQLi, account takeover, OTP bypass, and price tampering; the site was full of vulnerabilities, it was like a testing site for me. I was a beginner at that time, so I called customer care and said I had found a bug with several impacts; they couldn't even understand what I was trying to say. I called customer care again and asked them to escalate to the manager, who said he would try to contact the IT team. In the meantime I wrote a report and submitted it to an email address that was on the contact page. I waited for days, but got no reply. At that time I did not know about this LinkedIn stuff, so my niece, a manager at Cognizant, and I decided to go to the head office after 3 weeks to speak about this issue. I created a PPT for both technical and non-technical audiences and also a detailed report. When I went there, there was a manager, and I talked about the impact of every bug. He asked me to send all the details to his mail so he could escalate to the IT team. In return I asked them for an appreciation mail, submitted my email address and came back. After 3 months they had completely patched their whole website, but I didn't get any appreciation mail back :( Anyway, I hope you enjoyed reading this blog. Have fun, will meet you next time.

PS: If you know any alternative way to report a bug that is not part of a bug bounty program, post it in the comment section. Let everybody learn :)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

I hope you learned something from this blog; if so, kindly press that follow button for further updates. Best wishes from Ajak Cybersecurity.❤️

“கற்றவை பற்றவை🔥”

Learn Everyday, Happy Hacking 😁🙌

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Follow our YouTube Channel: @ajakcybersecurity

Follow on Instagram: @ajakcybersecurity
