How I Made $200 in 2 Minutes on HackerOne — Zomato Bug Bounty Program (With Real Example)
Ever imagined making money online by just finding a small security flaw? Well, let me tell you my story — how I turned a simple curiosity into $200 in just 2 minutes through the Zomato Bug Bounty Program on HackerOne! If you’re into ethical hacking (or just looking for a fun side hustle), keep reading because I’ll break it all down for you — with a real-life example.
What is Bug Bounty Hunting?
Think of bug bounty hunting as a modern-day treasure hunt, but instead of searching for gold, you’re hunting for security loopholes in websites and apps. Companies offer rewards to ethical hackers who find these vulnerabilities and report them responsibly.
Why Join a Bug Bounty Program?
- Get paid for your hacking skills!
- No coding experience? No problem! Many vulnerabilities require only logical thinking.
- Gain real-world cybersecurity experience that companies actually value.
- Help companies stay secure while making money. Win-win!
How I Found a Bug on Zomato and Earned $200
Step 1: Choosing the Right Target
Instead of randomly poking around websites, I focused on Zomato’s Bug Bounty Program on HackerOne. The program detailed which vulnerabilities they were interested in, such as:
- Authentication flaws
- SQL injection
- Cross-site scripting (XSS)
- Server misconfigurations
My gut told me authentication flaws could be a goldmine, so I went for it!
Step 2: Testing for Vulnerabilities
I started playing around with Zomato’s login and authentication features. While testing, something caught my attention — the password reset mechanism. It didn’t seem to be validating requests properly. 💡
Real Example:
- I entered my email on the password reset page.
- The system sent a password reset link to my email.
- Before clicking my own reset link, I experimented with modifying the reset token in the URL.
- Boom! I was able to reset another user’s password by tweaking the token manually.
This meant an attacker could hijack random accounts just by manipulating the reset link! 🚨
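For the defenders reading, here is what "validating reset requests properly" looks like in practice. This is an added example, not Zomato's code: the token is unguessable, bound to one account, stored only as a hash, time-limited and single-use, so editing the link cannot redirect it at anyone else. The in-memory dictionaries and the 15-minute lifetime are assumptions standing in for a real database and policy.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the application's database.
_users = {"alice": {"password_hash": "old-hash"}}
_reset_tokens = {}  # sha256(token) -> {"user": ..., "expires": ...}

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: links die after 15 minutes


def issue_reset_token(username, now=None):
    """Issue a one-time reset token bound to a single account.

    32 bytes from the OS CSPRNG cannot be guessed or 'tweaked' into another
    user's token. Only the hash is stored, so a leak of the token table does
    not yield usable links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    _reset_tokens[token_hash] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token  # delivered only to the account's registered e-mail address


def redeem_reset_token(token, new_password_hash, now=None):
    """Validate a token and rotate the password; returns the username or None.

    The token alone selects the account. The request must not carry a user id
    or e-mail that the server trusts, because that is exactly the field an
    attacker would swap to hijack someone else's reset.
    """
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison against every stored hash, with no early exit.
    match = None
    for stored_hash, record in _reset_tokens.items():
        if hmac.compare_digest(stored_hash, token_hash):
            match = (stored_hash, record)
    if match is None:
        return None
    stored_hash, record = match
    del _reset_tokens[stored_hash]  # single use: burn it even if it turns out expired
    if now > record["expires"]:
        return None
    _users[record["user"]]["password_hash"] = new_password_hash
    return record["user"]


def password_hash_for(username):
    return _users[username]["password_hash"]
```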
Step 3: Reporting the Bug to HackerOne
Finding a bug is just half the job. To get paid, I needed to submit a clear and detailed report. I included:
- Step-by-step reproduction steps so Zomato’s security team could verify it.
- Screenshots and proof of concept (POC) video to demonstrate the issue.
- Suggested fixes to help them patch the vulnerability quickly.
Within a few hours, my report was acknowledged and validated by the Zomato security team! 🎉
Step 4: Getting Paid
Since this was a critical security flaw, Zomato rewarded me with $200! Not bad for just a few minutes of work, right? The best part — this process took only 2 minutes of actual testing once I spotted the flaw!
Tips for Beginners in Bug Bounty Hunting 🕵️‍♂️
- Learn the Basics: Start with security concepts like XSS, SQL injection, and authentication flaws.
- Use Bug Bounty Platforms: Sign up on HackerOne or Bugcrowd.
- Look for Simple Bugs First: Target authentication issues, IDOR (Insecure Direct Object References), and misconfigurations.
- Document Everything: The clearer your report, the faster you get paid.
- Practice, Practice, Practice: Try hands-on labs like PortSwigger Web Security Academy to sharpen your skills.
Final Thoughts
Bug bounty hunting is not just for experts — anyone with curiosity and patience can start earning! My experience with Zomato’s bug bounty program proves that with the right mindset, you can turn hacking skills into real money. So why not give it a shot? 🤩
Have questions or need help getting started? Drop a comment below! I’d love to help you on your bug bounty journey!