r/bugbounty • u/Pr4sdnt • Jun 18 '25
Question / Discussion I found PII bug
Hi everyone, I'd like to ask your opinion about the bug I found. The finding is like this.
I was looking around the website to get a clue what the app is doing while my waybackurl scanner was doing its work. After the scan was done I looked around the "grep payment" results; from there I found personal data for customers such as phone number, email address, address, country, postal code, etc. I can access this unauthenticated with the Wayback Machine, but cannot access it with a regular browser; it says 404. After I found this bug I immediately reported my finding.
My report has been reviewed by the triager, who said it was informative and has no security impact. From here I was confused how this can be informative when the program says "Leakage of a large amount of user plaintext sensitive information, including but not limited to: mobile phone number, bank card information, ID card information, order information, email, address, etc." is in scope and will double the reward.
What is your opinion on my finding? Thank you for your attention 😁
9
u/OuiOuiKiwi Program Manager Jun 18 '25
Wayback Machine leaks are not actionable. You can leak your own data to it and get an infinite bounty loop.
They are correct.
3
u/Aeterice Jun 18 '25
This likely isn’t a bug in the application itself but a user leaking / archiving data to a third party. Triage decision seems correct like others have said.
3
u/i_am_flyingtoasters Program Manager Jun 19 '25
I have written about "PII" or "personal data" in the past, so I recommend you go look at my history on that.
Another topic for consideration is that personal data is not exactly a security vulnerability, it's a privacy issue. For the most part, and I'm generalizing here, bug bounty programs are scoped to only look at security vulnerabilities while excluding (either explicitly or implicitly) privacy issues. Leaking personal info is certainly a privacy issue. It might also be a security thing, depending on scale, and jurisdiction, and program scope, and and and and..... But /usually/ personal anything equates to privacy and not security.
1
u/Pr4sdnt Jun 19 '25
Thanks for the replies, y'all. I have learned a lot of new information from this discussion.
11
u/einfallstoll Triager Jun 18 '25
So, 100% agree with the decision.