So I want to walk you through this one because I think the lessons matter more than the finding itself. I’m under NDA on the actual program, vendor, and target — so I’ve swapped in documentation IPs (203.0.113.x) and generalized the product. Everything else is real. The methodology, the commands, the reasoning, the mistakes, and the triage outcome: all of it is exactly how it went down.
If you’re newer to bug bounty and you’re hunting on VDPs (Vulnerability Disclosure Programs, the no-bounty ones agencies and companies use to legally accept vuln reports), this is the kind of bug you’ll trip over constantly. Knowing what to do with it is what separates a P5 from a P3.
I was working through a federal VDP that had a handful of IP ranges explicitly listed in scope. Three of those IPs caught my eye because they all responded to HTTPS on 443, and the TLS cert hinted they were the same gateway. When I pulled them up in a browser, I got a login page titled “Please Login”, generic enough that it could have been anything, but the form was clearly tied to a real backend.
That’s step one of the methodology I want you to internalize: don’t move on from a login page until you know what’s behind it. Half the people doing recon screenshot a login portal and skip it. The other half stop and figure out if it’s a static page or a real authentication surface. The second group finds the bugs.
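To make the "static page or real authentication surface" check repeatable across a set of in-scope hosts, here is an added example (my own code, not from the original post or the program involved) that parses a fetched login page for a password-bearing POST form and groups hosts by the certificate subject they present. The HTML, the 203.0.113.x hosts and the certificate names are constructed sample data; you would feed it the page bodies and cert subjects you already collected.

```python
from html.parser import HTMLParser


class _FormScanner(HTMLParser):
    """Collects the page title plus every <form> and the <input>s inside it."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower(),
                               "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(((a.get("type") or "text").lower(),
                                             a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def classify_login_page(html):
    """'auth-surface' if a form POSTs a password field to some action, else 'static'."""
    p = _FormScanner()
    p.feed(html)
    for f in p.forms:
        if f["method"] == "post" and "password" in {t for t, _ in f["inputs"]}:
            return {"verdict": "auth-surface", "title": p.title, "action": f["action"]}
    return {"verdict": "static", "title": p.title, "action": None}


def group_by_cert(host_to_subject):
    """Cluster hosts presenting the same TLS subject: likely one gateway behind several IPs."""
    groups = {}
    for host, subject in host_to_subject.items():
        groups.setdefault(subject, []).append(host)
    return groups


# Constructed samples: one live login form, one lookalike static page, three hosts' cert subjects.
SAMPLE_LOGIN = ('<html><head><title>Please Login</title></head><body>'
                '<form method="POST" action="/api/auth/login"><input type="text" name="username">'
                '<input type="password" name="password"><input type="hidden" name="csrf"></form></body></html>')
SAMPLE_STATIC = '<html><head><title>Please Login</title></head><body><p>Contact your admin.</p></body></html>'
SAMPLE_CERTS = {"203.0.113.10": "gateway.example", "203.0.113.11": "gateway.example", "203.0.113.12": "other.example"}
```

Hosts that share a subject and classify as auth-surface are one target surface for triage purposes, which also tells you where a duplicate report is likely.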