
PAID TO BREAK IT — Issue #1: Five Disclosed Payouts Dissected
Five real disclosed bug-bounty payouts from 2025–2026 — a $24,000 Meta OAuth chain, a critical SSRF in HackerOne's own platform, two IDOR/BOLA findings (one paying $15,000), and a WAF documentation flaw — each broken down by vuln class, program, and the skill ladder a beginner needs to get there.

PAID TO BREAK IT — ISSUE #1
Five disclosed bug-bounty payouts: what broke, what it paid, and the skill path to get there.
| # | Vuln class | Program | Payout |
|---|---|---|---|
| 1 | OAuth / session theft chain | Meta (HackerOne) | $24,000 |
| 2 | SSRF via analytics webhook | HackerOne (self) | Critical |
| 3 | IDOR in OOO calendar API | Nextcloud (HackerOne) | Disclosed |
| 4 | IDOR in user profile API | Anonymous private | $15,000 |
| 5 | WAF config logic flaw | Google VRP | $500 |
Note: This inaugural issue draws on late-2025 / early-2026 disclosures to establish the format. From Issue #2, coverage tightens to a rolling 7-day window.
#1 · datr Cookie Theft — $24,000 · Meta
Vuln class: OAuth token exfiltration via Graph API batch request
Researcher: Youssef Sammouda (@samm0uda) · January 2025 [1]
Sammouda extracted Meta's datr device-identifier cookie through crafted Graph API batch requests — no user click required, entirely via API. With datr in hand, an attacker can trigger trusted-device account recovery and bypass secondary verification, including with AI-generated identity documents.
Core transferable skill: API surface mapping — finding endpoints that expose high-value tokens as a side-effect of normal functionality.
| Skill step | What you need |
|---|---|
| Foundation | OAuth 2.0 flows (auth code, implicit) — PortSwigger OAuth labs |
| Intermediate | Meta Graph API batch format; prior Graph API write-ups |
| Advanced | Trusted-device recovery flows; chain across account recovery + bypass vectors |
#2 · Analytics SSRF — Critical · HackerOne
Vuln class: Server-Side Request Forgery (SSRF)
Report: HackerOne #2262382 · 2025 [2]
An attacker-controlled URL in the analytics-report feature was passed to a server-side fetch without sanitization, letting a researcher make HackerOne's own infrastructure call internal endpoints, including cloud metadata services.
Why SSRF is critical in 2025: cloud apps run inside VPCs with instance metadata endpoints (AWS 169.254.169.254, GCP, etc.) that return temporary credentials. SSRF that reaches metadata is a near-direct path to credential theft.
Hunting pattern: any feature where a URL you control is consumed server-side — webhooks, PDF renderers, link previews, analytics exporters.
| Skill step | What you need |
|---|---|
| Foundation | HTTP request flow: server-side vs client-side fetch |
| Intermediate | Cloud metadata endpoint structure (AWS IMDSv1 vs v2, GCP); PortSwigger SSRF labs |
| Advanced | SSRF filter bypasses: IP encoding, DNS rebinding, open-redirect chains |
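The defensive counterpart to the hunting pattern above is a validator that runs before any server-side fetch of a user-supplied URL. The following is an added example written for this issue, not code from HackerOne or from the report: it refuses non-HTTP schemes and URLs carrying credentials, blocks the documented metadata hostnames and every loopback, link-local, private and IPv4-mapped address, checks every DNS answer rather than the first one, and returns the validated addresses so the caller can connect to them directly instead of resolving again (the window DNS rebinding exploits). The metadata hostname set, the extra denied network, and the resolver table are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Hostnames cloud providers reserve for metadata services. The set is an
# assumption of this example; extend it for the providers you actually run on.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}

# Ranges that ipaddress does not flag as private/link-local but that must not be
# fetched either (shared address space, used for metadata by some providers).
EXTRA_DENIED_NETWORKS = [ipaddress.ip_network("100.64.0.0/10")]


def ip_is_denied(ip_text):
    """True if the address must never be the target of a server-side fetch."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:169.254.169.254 is an IPv4-mapped IPv6 address; judge the embedded IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_DENIED_NETWORKS)


def default_resolve(hostname):
    """System resolver; returns every A/AAAA answer as text."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def validate_fetch_target(url, resolve=default_resolve):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason, pinned_ips). Connect to one of pinned_ips rather than
    re-resolving, so the answer cannot change between validation and fetch.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username is not None or parts.password is not None:
        # Policy choice for this example: user@host forms are rejected outright.
        return False, "credentials in url", []
    host = parts.hostname  # already lower-cased and bracket-stripped by urlsplit
    if not host:
        return False, "missing host", []
    host = host.rstrip(".")
    if host in BLOCKED_HOSTNAMES:
        return False, "metadata hostname", []
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if ip_is_denied(str(literal)):
            return False, "address in denied range", []
        return True, "ok", [str(literal)]
    # Not a plain literal: resolve it. Odd encodings (octal, decimal, dotted-hex)
    # come back from the resolver as ordinary addresses and are checked like any other.
    try:
        answers = resolve(host)
    except (socket.gaierror, OSError):
        return False, "resolution failed", []
    if not answers:
        return False, "no addresses", []
    for addr in answers:
        try:
            denied = ip_is_denied(addr)
        except ValueError:
            denied = True
        if denied:
            return False, "resolves to denied address " + addr, []
    return True, "ok", list(answers)


# Constructed resolver table so the example runs offline (no real DNS lookups).
SAMPLE_DNS = {
    "hooks.example.com": ["11.22.33.44"],
    "rebind.example.net": ["11.22.33.45", "169.254.169.254"],
}


def sample_resolve(hostname):
    return SAMPLE_DNS.get(hostname, [])


if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/report",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/",
                      "http://rebind.example.net/"):
        print(candidate, validate_fetch_target(candidate, sample_resolve))
```

Two things the validator cannot do on its own: the HTTP client must be configured not to follow redirects (or to re-run this check on every hop), and it must connect to the returned address rather than the hostname, otherwise a second resolution undoes the work.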
#3 · Nextcloud OOO BOLA — Disclosed
Vuln class: BOLA / IDOR
Report: HackerOne #3382343 · December 2025 [3]
The /ocs/v2.php/apps/dav/api/v1/outOfOffice/{userId} endpoints checked authentication but not authorization — any authenticated user could read another user's private OOO data (vacation dates, destination, personal message) by swapping the userId in the path.
The canonical BOLA pattern: the API validates who you are, but not whether you own that resource.
Beginner shortcut: Nextcloud is open source — run a local instance, read the source, then hunt the deployed version.
| Skill step | What you need |
|---|---|
| Foundation | Auth vs authorization: OWASP API1 Broken Object Level Authorization |
| Intermediate | Intercept API calls in Burp; identify object IDs in paths and request bodies |
| Advanced | Enumerate IDs systematically; target endpoints where PII or business logic sits behind BOLA |
#4 · IDOR in User Profile API — $15,000 · Anonymous
Vuln class: IDOR
Researcher: Krishna Kumar (@xalgord) · March 2026 [4]
The program had just launched a new profile management system — new code, new authorization gaps. The profile API accepted a userId parameter with no ownership check; any authenticated user could view, modify, or delete anyone else's private profile data. Disclosed in 12 days, paid at $15,000 out of a $25,000 critical ceiling.
What made it findable: Kumar read the scope document three times. It explicitly flagged the new profile system as in-scope. New code is high-yield precisely because it hasn't been through extensive security review.
Tools needed: Burp Suite Repeater + a second test account. The judgment is knowing which parameter controls which object, and testing whether the server validates ownership.
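Findings #3 and #4 are the same defect in two products: a handler that confirms the caller is logged in and then serves whatever object id was asked for. The example below is added for this issue and is not code from Nextcloud, from the anonymous program, or from either report. It shows the vulnerable handler shape next to the fixed one, applies the same ownership check to a write path (where an IDOR on modify/delete is what pushes severity to critical), and ends with the two-account differential probe the #4 write-up's tooling boils down to, written as a regression test a team can keep in CI. The user records, the admin role, and the handler signatures are constructed assumptions.

```python
# Constructed sample data: two ordinary accounts and one admin role. Each user's
# out-of-office record and profile are private to that user.
OOO = {
    "alice": {"start": "2026-03-01", "end": "2026-03-10",
              "destination": "Lisbon", "message": "Back on the 11th"},
    "bob": {"start": "2026-04-02", "end": "2026-04-05",
            "destination": "Oslo", "message": "At a conference"},
}
PROFILES = {
    "alice": {"email": "alice@example.test", "phone": "+1-555-0100"},
    "bob": {"email": "bob@example.test", "phone": "+1-555-0101"},
}
ADMINS = {"admin"}


def get_ooo_vulnerable(actor, user_id):
    """The BOLA shape: checks THAT the caller is logged in, never WHO owns user_id."""
    if actor is None:
        return 401, {"error": "unauthenticated"}
    record = OOO.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def authorize(actor, owner_id):
    """Object-level check: the caller must be the owner or hold an explicit admin role."""
    return actor is not None and (actor == owner_id or actor in ADMINS)


def get_ooo(actor, user_id):
    """Fixed read path: authenticate, then authorize against the requested object."""
    if actor is None:
        return 401, {"error": "unauthenticated"}
    # Authorize before the lookup so a 403/404 difference does not reveal which ids exist.
    if not authorize(actor, user_id):
        return 403, {"error": "forbidden"}
    record = OOO.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def update_profile(actor, user_id, changes):
    """Write path with the same ownership check; mutations are the costly IDORs."""
    if actor is None:
        return 401, {"error": "unauthenticated"}
    if not authorize(actor, user_id):
        return 403, {"error": "forbidden"}
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}
    profile.update(changes)
    return 200, profile


def delete_profile(actor, user_id):
    if actor is None:
        return 401, {"error": "unauthenticated"}
    if not authorize(actor, user_id):
        return 403, {"error": "forbidden"}
    if PROFILES.pop(user_id, None) is None:
        return 404, {"error": "not found"}
    return 200, {"deleted": user_id}


def bola_probe(handler, owner, other, *args):
    """Two-account differential test: does `other` get a 200 on `owner`'s object?

    Run it against every handler that takes an object id. A True result is a BOLA.
    """
    status, _ = handler(other, owner, *args)
    return status == 200


if __name__ == "__main__":
    print("vulnerable read leaks:", bola_probe(get_ooo_vulnerable, "alice", "bob"))
    print("fixed read leaks:     ", bola_probe(get_ooo, "alice", "bob"))
    print("fixed update leaks:   ", bola_probe(update_profile, "alice", "bob", {"phone": "0"}))
```

The probe is deliberately dumb: it does not know what the object is, only that a second account should not get a 200 for it. That is exactly the judgment step the paragraph above describes (which parameter selects which object), turned into something a build can fail on.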
#5 · WAF Docs Bypass — $500 · Google VRP
Vuln class: Logic flaw in WAF configuration template
Researcher: Joshua Rogers · December 2025 [5]
Google's own Cloud Armor docs instructed users to write host-header rules using .contains():
```
if (request.headers['host'].lower().contains('test.example.com')) { allow all; }
```
A request with a Host header like test.example.com.attacker.com passes that check. The correct pattern — .endsWith('.example.com') — was absent. Google fixed the docs and paid $500.
What's different here: the bug was in the instructions companies use to configure their security tooling, producing misconfigured WAFs at scale across every customer following the guide.
Note on payout: $500 is modest for a finding with broad configuration impact. Rogers published a frank account of the payout process — worth reading before navigating Google VRP for the first time. [5]
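The substring-versus-suffix distinction above is easy to get wrong again when the Host value is not normalized first. The example below is added for this issue (it is not Google's rule language or Rogers' code; it is a Python stand-in for the Cloud Armor expression): it puts the documented contains() check next to a dot-anchored suffix check, after a normalization step that handles case, an appended port, bracketed IPv6 literals and a trailing dot. One extension beyond the page's .endsWith('.example.com'): the suffix matcher also accepts the bare apex domain by exact equality, since the page's pattern alone would not match it. The sample Host values are constructed.

```python
def normalize_host(raw):
    """Canonicalise a Host header value before any comparison.

    Lower-cases, drops an optional :port (also for bracketed IPv6 literals) and a
    trailing dot. Returns None for empty or malformed input so callers fail closed.
    """
    if raw is None:
        return None
    host = raw.strip().lower()
    if host.startswith("["):                 # [2001:db8::1]:443
        end = host.find("]")
        if end == -1:
            return None
        host = host[:end + 1]
    elif host.count(":") == 1:               # example.com:443
        host = host.split(":", 1)[0]
    host = host.rstrip(".")
    return host or None


def allow_by_contains(host, needle):
    """The pattern the documentation showed: a substring match.

    Any Host value that merely contains the string passes, including names
    under a domain the sender controls.
    """
    h = normalize_host(host)
    return h is not None and needle in h


def allow_by_suffix(host, domain):
    """Corrected pattern: the apex itself, or a dot-anchored suffix.

    The leading dot is what stops 'attackerexample.com' from matching.
    """
    h = normalize_host(host)
    return h is not None and (h == domain or h.endswith("." + domain))


def waf_decision(host, matcher, *args):
    """Mirror the rule's shape: allow when the matcher says so, otherwise deny."""
    return "allow" if matcher(host, *args) else "deny"


if __name__ == "__main__":
    for sample in ("test.example.com", "test.example.com.attacker.com",
                   "Test.Example.COM:443", "attackerexample.com"):
        print(f"{sample:35} contains={waf_decision(sample, allow_by_contains, 'test.example.com'):5} "
              f"suffix={waf_decision(sample, allow_by_suffix, 'example.com')}")
```

If the rule's intent is a fixed set of hostnames rather than a whole domain, compare the normalized value against an explicit allow-list instead; suffix matching is the right tool only when every subdomain really should be allowed.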
What the Programs Paid in Aggregate
Google VRP paid out $17.1M in 2025 (+40% YoY); the top Chrome researcher earned $811,000, with full-chain sandbox escapes paying $250,000 each. [6] HackerOne Live Hacking Events paid out $4.3M across 2025. [7] Immunefi has crossed $100M all-time; median confirmed payout is ~$2,000, average skewed to ~$52,800 by occasional critical findings. [8]
| Program / finding | Amount |
|---|---|
| Google VRP — total 2025 | $17.1M |
| HackerOne Live Hacking Events — total 2025 | $4.3M |
| Immunefi — all-time total | $100M+ |
| Chrome full-chain sandbox escape (single finding) | $250,000 |
| Meta datr cookie chain (single finding) | $24,000 |
| IDOR user profile — anonymous program (single finding) | $15,000 |
The gap between a $500 docs bug and a $250,000 Chrome exploit makes the skill ladder real: vuln class alone doesn't set your earnings — scope, platform, impact chain, and severity multipliers do.
References
- [1] Eight insane Meta write-ups — Disclosed. Jan 19, 2026
- [2] HackerOne Report #2262382 — Server Side Request Forgery via Analytics Reports
- [3] HackerOne Report #3382343 — BOLA/IDOR in Out-of-Office API
- [4] Finding an IDOR in User Profile API: A $15,000 Journey to Critical — InfoSec Write-ups
- [5] My 2025 Bug Bounty Stories — joshua.hu
- [6] Google Paid Out $17 Million in Bug Bounty Rewards in 2025 — SecurityWeek
- [7] Disclosed. February 9th, 2026 — getdisclosed.com
- [8] Best Web3 Bug Bounties in 2026 — sherlock.xyz