Query Regarding Bug Bounty Hunting

I am working on a public RVDP and I came across a security-measure bypass: if a user enters a wrong password 3 times in a row, he's locked out of the account and asked for an OTP, which is sent to his phone. Whereas if we clear the browser cookies and log into the account again from the same browser or a different browser, we are allowed to log in without any restriction. This is a possible security-mitigation bypass issue, as it bypasses the protection placed by the respective platform to protect the user's account from getting into the wrong hands. Will this be accepted as a bug? Any answer will be appreciated. Thank you.

Hello, great job. Yes, this will be accepted.

That's good to hear, but is there anything I can do to accurately locate where the error lies? Like in which segment of the designed application. The program is not open source. I want to be sure about what I am reporting and also don't want to get replies from the devs asking for more detailed information and making everyone wait in line.

If you can describe a working PoC and how the devs can recreate the flaw, they will accept the submission. As for the underlying error, it will depend on where the fault lies: in the framework being used, or in how it is configured.

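To make the "where does the fault lie" question concrete, here is an added example (not code from the thread or from the platform being tested) that models the behaviour reported above in two toy login services. The first keeps the failed-attempt counter in a client-side cookie, so clearing the cookie jar resets it; the second keeps the counter server-side, keyed by account, so the OTP requirement survives a fresh browser. The account name, password and hashing scheme are constructed for the example.

```python
"""
Toy demonstration of a lockout that can be bypassed by clearing cookies,
beside a server-side lockout that cannot. Added example; all names and
the sample account are constructed, not taken from any real service.
"""
import hashlib
import hmac

MAX_FAILURES = 3

# Constructed credential store. A real system would use a slow, salted
# password hash; plain SHA-256 is used here only to keep the example short.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def password_ok(username: str, password: str) -> bool:
    """Constant-time comparison of the submitted password against the store."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    stored = USERS.get(username, "")
    return hmac.compare_digest(digest, stored)


class CookieLockoutService:
    """Vulnerable: the failure counter lives in the client's cookie jar.

    The server trusts whatever 'fails' value the browser sends back, so a
    client that drops its cookies (or uses a second browser) starts at zero.
    """

    def login(self, username: str, password: str, cookies: dict) -> str:
        failures = int(cookies.get("fails", "0"))
        if failures >= MAX_FAILURES:
            return "OTP_REQUIRED"
        if password_ok(username, password):
            cookies["fails"] = "0"
            return "OK"
        cookies["fails"] = str(failures + 1)
        return "DENIED"


class ServerLockoutService:
    """Hardened: the failure counter is kept server-side, keyed by account.

    Nothing the client controls can reset it; only a successful OTP step
    (not modelled here) should clear the lock.
    """

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}

    def login(self, username: str, password: str, cookies: dict) -> str:
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return "OTP_REQUIRED"
        if password_ok(username, password):
            self.failures[username] = 0
            return "OK"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "DENIED"


def run_bypass(service) -> list:
    """Reproduce the reported steps and return the outcome of each request:
    three wrong passwords, the correct password with the same cookies,
    then the correct password after clearing cookies (fresh jar).
    """
    jar: dict = {}
    results = [service.login("alice", f"wrong{i}", jar) for i in range(3)]
    results.append(service.login("alice", "correct horse", jar))  # still locked
    jar = {}  # user clears cookies / opens a different browser
    results.append(service.login("alice", "correct horse", jar))
    return results


if __name__ == "__main__":
    print("cookie-based lockout:", run_bypass(CookieLockoutService()))
    print("server-side lockout: ", run_bypass(ServerLockoutService()))
```

For the report, the fifth outcome is the PoC: the cookie-based service answers `OK` after the lockout should have applied, while the server-side one keeps answering `OTP_REQUIRED`. Moving the counter server-side is the fix for this class of bug, with one caveat a reviewer will raise: a per-account counter on its own lets anyone lock a victim out by sending three bad passwords, so production designs usually pair it with per-source rate limiting and an expiry on the lock.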

Thank you very much for the timely reply to my query. I look forward to receiving a positive reply from the dev team of the website/application 🙂


Welcome, let me know how it goes.

Is there any term that describes this bug? Maybe a violation of design principles or something like that?

This sounds to me like a logic bug which has to do with cookies… 🤔

Or you can just describe it as a password-attempt-limit bypass… 🤔 🤔
