Security bugs aren’t always flashy. Sometimes, you don’t need to pop a shell or find an RCE to make an impact.
Sometimes… all you need is a little curiosity and a lot of recon. This is how I stumbled upon an exposed origin IP at Zerodha, India’s largest stock brokerage, and how that led to an unexpected ₹XX,000 bounty — all without writing a single exploit.
Like most bug bounty hunters, I was doing my usual late-night stroll across a domain — Zerodha’s public-facing assets.
WAF? Cloudflare.
Endpoints? Mostly locked.
But I had a hunch.
Out came Shodan, my favorite search engine for all the things you shouldn’t see.
One quick dork later:
ssl.cert.subject.CN:"domain.com" 200
And boom — I landed on an IP:
0x.0.xxx.00
An Amazon EC2 instance quietly serving traffic… and not a trace of Cloudflare in sight.
I typed in:
https://0x.0.xxx.00/login
It loaded.
No 403. No timeout. Just a clean login page staring right back at me.
I double-checked with tools: no WAF, no CDN headers, and the cert? Signed for domain.com.
Bingo.
Here’s where it got interesting. Zerodha uses Cloudflare for protection — rate limiting, WAF, DDoS, the works.
But this subdomain — sub.domain.com — wasn’t behind it.
At first glance, that might seem like a non-issue. Maybe internal, maybe forgotten.
But to an attacker?
It’s an open door.
Direct origin access means an attacker can:
- Bypass Cloudflare's rate limits and WAF rules, which only apply to traffic that passes through the edge
- Fuzz and scan the application without the requests ever being blocked or logged at the proxy
- Brute-force the login at full throttle
- Aim DDoS traffic at the origin itself, since there is no shield in front of it absorbing the load
And it all stems from one thing: a security misconfiguration. The origin answers to anyone on the internet, when it should only accept connections that arrive from Cloudflare's own IP ranges.
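To make the check from the recon step above concrete (no WAF, no CDN headers, cert issued for the domain) and to show the predicate the origin should have been enforcing, here is an added example script. It is not code from the original post or from Zerodha; it assumes a point-in-time copy of Cloudflare's published IPv4 ranges (refresh from cloudflare.com/ips-v4 before relying on it), uses constructed sample responses rather than anything captured from a real host, and treats the hostname and IP as arguments you supply.

```python
"""Added example (not from the original post): decide whether a host is
really fronted by Cloudflare and whether a candidate IP is a bare origin.

Assumptions: CLOUDFLARE_V4 is a point-in-time copy of
https://www.cloudflare.com/ips-v4 and must be refreshed before real use;
SAMPLE_EDGE / SAMPLE_ORIGIN are constructed, not captured responses.
"""
import ipaddress
import socket
import ssl
import sys

# Point-in-time snapshot of Cloudflare's published IPv4 ranges (assumption:
# current when written; refresh from the URL above before relying on it).
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]


def is_cloudflare_ip(ip, nets=None):
    """True if `ip` falls inside one of Cloudflare's edge ranges.
    This same predicate is what the origin's firewall / security group
    should enforce on inbound source addresses: accept only if True."""
    nets = _CF_NETS if nets is None else nets
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def parse_response_head(head):
    """Split a raw HTTP response head into (status line, {lower-name: value})."""
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def has_cloudflare_headers(headers):
    """Cloudflare stamps proxied responses with CF-RAY and Server: cloudflare."""
    return "cf-ray" in headers or headers.get("server", "").lower().startswith("cloudflare")


def classify(ip, headers, nets=None):
    """Label what a response from `ip` tells us about the path to the origin."""
    if is_cloudflare_ip(ip, nets):
        return "cloudflare-edge"            # you are talking to the proxy
    if has_cloudflare_headers(headers):
        return "cloudflare-headers-only"    # proxied, but edge IP missing from our snapshot
    return "direct-origin"                  # no proxy in the path: WAF and rate limits bypassed


def probe_origin(host, ip, path="/login", port=443, timeout=5.0):
    """Connect to the raw IP but present `host` in SNI and the Host header,
    like the https://<ip>/login check in the post. The certificate is
    verified against `host`, so a successful handshake means the cert is
    issued for the domain (a mismatch raises ssl.SSLCertVerificationError).
    Needs network access; not exercised offline."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((ip, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall((f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                     "User-Agent: origin-check/1.0\r\nConnection: close\r\n\r\n").encode())
        buf = b""
        while b"\r\n\r\n" not in buf:          # read until the end of the headers
            chunk = tls.recv(4096)
            if not chunk:
                break
            buf += chunk
        cert = tls.getpeercert()
    status, headers = parse_response_head(buf.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1"))
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return status, headers, subject.get("commonName")


# Constructed sample responses (not captured from any real host).
SAMPLE_EDGE = ("HTTP/1.1 200 OK\r\nServer: cloudflare\r\n"
               "CF-RAY: 8a1b2c3d4e5f6789-BOM\r\nContent-Type: text/html")
SAMPLE_ORIGIN = "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html"


if __name__ == "__main__":
    if len(sys.argv) == 3:                     # python origin_check.py domain.com 203.0.113.10
        status, hdrs, cn = probe_origin(sys.argv[1], sys.argv[2])
        print(status, "| cert CN:", cn, "|", classify(sys.argv[2], hdrs))
    else:                                      # offline demo on the constructed samples
        for ip, head in (("104.16.1.1", SAMPLE_EDGE), ("203.0.113.10", SAMPLE_ORIGIN)):
            _, hdrs = parse_response_head(head)
            print(ip, "->", classify(ip, hdrs))
```

The "direct-origin" verdict is the finding in this post: a non-Cloudflare IP that serves the domain's certificate and answers /login without a CF-RAY header. The fix lives on the origin side, not in DNS: restrict the EC2 security group (or the origin's own firewall) to the same Cloudflare ranges `is_cloudflare_ip` checks, and, if the zone is on Cloudflare, turn on Authenticated Origin Pulls so the origin refuses TLS clients that do not present Cloudflare's client certificate. Either control makes the exposed IP answer nothing useful even after it is found.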
I reported it privately through ComOlho, their bug bounty platform.
Soon after, Zerodha got back:
“Hey Swarnim, we discussed this internally… it’s not behind Cloudflare for some internal reasons. But because of your report, we’re now discussing whether to fix it. Please repost publicly — we’ll process your bounty.”
I wasn’t expecting a big payout — just happy they took it seriously.
But then…
₹XX,000 dropped into my account.
No exploit. No shell. Just impact.
- Bug bounties aren’t about breaking things — they’re about finding things that are broken.
- Even “boring” bugs matter — origin IP exposure can change the threat model completely.
- If it feels too quiet… dig deeper — sometimes the loudest vulnerabilities whisper.
Don’t chase just the CVEs.
Don’t underestimate the power of recon, curiosity, and context.
This was one IP. One misconfiguration.
And it paid off — literally and figuratively.
Thanks, Zerodha. And shoutout to platforms like ComOlho for making security collaborative and rewarding.
Time to go hunting again. 🔍💻