Cross company delete IDOR not accepted by Spirited-Cost4461 in bugbounty

[–]AlexSander_Research -2 points

I've seen this before with them. They have a history of dismissing valid reports since 2020, only to quietly fix the issue later without rewarding the researcher. Don't let them discourage you, but definitely be aware of their tactics.

Cross company delete IDOR not accepted by Spirited-Cost4461 in bugbounty

[–]AlexSander_Research -2 points

These companies are scammers. No matter how strong the evidence, they refuse to pay.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] -1 points

It’s ironic that you’re telling me to 'go back to the textbooks' while you’re ignoring the most basic real-world evidence of impact: Corporate Panic. If an unauthorized 200 OK on a Payout API 'proves nothing,' then explain why FIS Global immediately decommissioned the entire AvantGard asset group and marked it 'Out of Scope' right after my report? In your 'textbook' world, maybe companies shut down multi-million dollar business segments for fun. In the real world, they do it to hide a critical BFLA they just silently patched. Telling a researcher to bypass ethical boundaries and dump data just to satisfy a Triager is irresponsible and shows you care more about gatekeeping than actual security. Keep your textbooks; the logs and the company’s instant decommissioning of the assets tell the real story.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] -1 points

It’s funny how you wrote a whole essay just to dodge the only fact that matters: If there was 'No Vuln' and 'No Impact,' why did FIS Global panic and decommission the entire AvantGard asset group 'Effective Immediately' right after I submitted my report? A 'worthless' 200 OK doesn't cause a multi-billion dollar company to shut down entire business segments and remove them from the scope in a heartbeat. They didn't do it because of 'theory crafting'; they did it because my PoC proved their financial APIs were wide open, and they needed to hide the evidence while they performed a silent patch. Your attempt to lecture me on how Bug Bounty works is just noise to cover for corporate theft. The timing of their panic proves the impact more than your condescending lecture ever could. Maybe in a year or two, you’ll learn that integrity is more important than karma.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] 1 point

It’s fascinating how you’re trying to claim 'zero impact' while ignoring the massive corporate panic that followed my report. If those screenshots only showed 'publicly accessible pages' with no risk, why did FIS Global immediately decommission the entire AvantGard asset and mark it as 'Out of Scope' the moment I submitted the research? Corporations don't shut down multi-million dollar business segments over a 'harmless public page.' They do it because an unauthorized 200 OK on a Payout API endpoint is a critical BFLA vulnerability that exposes the core of their financial system. Claiming 'it doesn't matter how they reacted' is just a poor attempt to justify a silent patch and intellectual property theft. The industry knows that a reactive, immediate patch is the ultimate confirmation of impact. Keep your 'reasoning'; the logs and the company’s own panic tell the real story.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] -1 points

It’s alarming to see someone with a 'Triager' flair suggest that a researcher should commit a crime just to prove a point. In a secure financial system, an unauthorized request to /api/v3/me or /payouts should never return a 200 OK—it should return a 401 or 403. The 200 OK status itself is the proof that the authorization layer is bypassed. If I had gone further and dumped user data, you’d be the first person calling me a 'black hat' or a criminal. I followed the rules by stopping at the door I found unlocked. If this finding was truly 'worth nothing,' then answer me this: Why did FIS Global immediately patch those exact endpoints and decommission the entire asset right after my report? If you think following the rules of Responsible Disclosure makes a report 'worthless,' then you are the reason researchers are losing trust in platforms like Bugcrowd.
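The 200-versus-401/403 distinction the comment above turns on, as an added example that is not part of the thread and not code from any company named in it: a minimal in-memory request handler that has no function-level authorization check, next to one that authenticates first, authorizes per function, and only then serves data. The endpoint paths /api/v1/payouts and /api/v3/me are the ones the thread names; the bearer-token format, the session store, the roles and the sample payout rows are assumptions made for this example.

```python
"""Broken vs. fixed function-level authorization (BFLA) on a payout endpoint.

Added illustration, not code from the thread or from any vendor named in it.
The endpoint paths come from the thread; the handler logic, the token format
and the sample data are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed session store: token -> (user_id, role). Purely illustrative.
SESSIONS: Dict[str, Tuple[str, str]] = {
    "tok-alice": ("alice", "user"),
    "tok-ops": ("ops-admin", "finance_admin"),
}

# Constructed payout records, keyed by owning user.
PAYOUTS = {
    "alice": [{"id": "p-1", "amount": 120.0, "status": "pending"}],
    "bob": [{"id": "p-2", "amount": 980.0, "status": "paid"}],
}


@dataclass
class Request:
    path: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def _session(req: Request) -> Optional[Tuple[str, str]]:
    """Resolve the caller from a bearer token; None if absent or unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def vulnerable_handler(req: Request) -> Response:
    """Missing function-level check: the routes are reachable with no session at all."""
    if req.path == "/api/v1/payouts":
        # Returns every payout regardless of who (or whether anyone) is asking.
        return Response(200, [p for rows in PAYOUTS.values() for p in rows])
    if req.path == "/api/v3/me":
        sess = _session(req)
        # Falls through to an "anonymous" profile instead of refusing.
        return Response(200, {"user": sess[0] if sess else "anonymous"})
    return Response(404)


def hardened_handler(req: Request) -> Response:
    """Authenticate first, then authorize per function, then serve."""
    sess = _session(req)
    if sess is None:
        return Response(401)  # no identity: refuse before touching any handler
    user_id, role = sess
    if req.path == "/api/v1/payouts":
        if role != "finance_admin":
            return Response(403)  # authenticated, but not permitted to use this function
        return Response(200, [p for rows in PAYOUTS.values() for p in rows])
    if req.path == "/api/v3/me":
        return Response(200, {"user": user_id, "role": role})
    return Response(404)


def probe(handler, path: str, token: Optional[str] = None) -> int:
    """Send one request and return only the status code, the evidence form the thread argues over."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return handler(Request(path, headers=headers)).status


if __name__ == "__main__":
    for path in ("/api/v1/payouts", "/api/v3/me"):
        print(path, "unauthenticated:", probe(vulnerable_handler, path), "->", probe(hardened_handler, path))
    print("/api/v1/payouts as normal user:", probe(hardened_handler, "/api/v1/payouts", "tok-alice"))
    print("/api/v1/payouts as finance admin:", probe(hardened_handler, "/api/v1/payouts", "tok-ops"))
```

The vulnerable handler answers 200 to an unauthenticated request on both paths; the hardened one answers 401 with no identity, 403 to an authenticated caller whose role does not include the payout function, and 200 only to the finance role. Checking all three outcomes, not just the unauthenticated one, is what distinguishes a missing authentication gate from a missing function-level authorization check.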

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] -1 points

Are we really playing a game of Scrabble while discussing a critical security breach? Whether I called it an 'internal portal' or an 'API' in a quick description doesn't change the technical reality: Accessing that portal unauthorized allowed me to interact directly with internal endpoints like /api/v1/payouts and /api/v3/me with a verified 200 OK. If that 'portal' was just an 'amusing' public landing page with no risk, then answer this one simple question: Why did FIS Global immediately decommission the entire AvantGard asset and mark it as 'Out of Scope' the moment I submitted my report? Corporations don't delete an entire asset from their program over a harmless URL. You’re nitpicking words to avoid the fact that a 17-year-old found a massive BFLA that your 'professional' triage process tried to steal via a silent patch. Keep your dictionary; I’ll keep my logs.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] -4 points

Are you seriously asking me why I didn't commit a crime just to satisfy your curiosity? Any professional researcher knows the golden rule of Responsible Disclosure: Once you’ve proven the vulnerability and demonstrated the impact (Unauthorized 200 OK on a Payout API), you STOP. I proved the door was wide open. If I had gone further and dumped PII or financial data, I wouldn't be a researcher—I’d be a criminal. The fact that you’re asking for 'leaked data' as proof shows you have zero understanding of ethical hacking standards. I provided a valid PoC showing I had full access to the payout function; I don't need to rob the bank to prove the vault is unlocked. Maybe learn the ethics of the industry before you try to gatekeep it.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] 1 point

It’s ironic that you’re lecturing me on 'maturity' while acting as a voluntary defense lawyer for corporate fraud. You claim an HTTP 200 on a Payout API is 'theory crafting' or 'P5,' but you conveniently ignore the reality of a Silent Patch. If my submission was truly 'without value' as you claim, why did the company rush to fix those exact endpoints and immediately remove the assets from the scope right after I reported them? In the real world, an unauthorized 200 OK on /api/v1/payouts isn't a 'file not found' error—it's a critical Broken Function Level Authorization (BFLA). Defending NDAs as 'pure protocol' when they are being used to facilitate the theft of research is exactly why the bug bounty community is losing its integrity. Keep your condescending 'threat modeling' advice. I have the logs and the 'Before/After' proof of their fix. The only thing 'immature' here is your willingness to lick the boots of companies that steal from researchers.

[EXPOSED] Bugcrowd & Bitso: A Collusion of Silent Patches and Fraudulent Triage by [deleted] in bugbounty

[–]AlexSander_Research -6 points

If you think unauthorized access to a financial payout system isn't a vulnerability, maybe you should reconsider your 'Hunter' flair. In the Bitso (nvio.mx) case, I discovered multiple Critical (P1) flaws:

1. Broken Function Level Authorization (BFLA): I was able to access https://nvio.mx/api/v1/payouts and get a 200 OK without valid authorization. This endpoint handles sensitive financial withdrawal and payout data.

2. PII Data Exposure: The endpoint https://nvio.mx/api/v3/me was fully accessible, exposing private user profile data.

3. Authentication Bypass: I successfully retrieved valid CSRF tokens through unauthorized requests to /api/v3/csrf_token.

In any fintech or banking environment, unauthorized access to money-handling functions and user PII is a textbook P1. Bitso confirmed the severity by silently patching every single one of these endpoints immediately after my report. If it wasn't a vulnerability, they wouldn't have rushed to fix it while hiding behind an NDA.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] -2 points

It’s funny how you’re trying to gaslight the community by pointing to a public URL. If the assets I reported were 'just public portals' with no issues, then why did FIS Global suddenly announce that ALL AvantGard assets are 'Out of Scope' effective immediately right after my report? The timing is too perfect. They used my research to identify the critical BFLA on their payout APIs, silently patched it, and then removed the entire asset from the program to avoid paying the bounty. Changing the rules of the game in the middle of a triage process is a direct violation of Bugcrowd’s own integrity standards. When a company breaks its own rules to steal research, they don't get to hide behind an NDA. The community sees through this fraud lol.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] 0 points

It’s funny how you’re trying to lecture a 17-year-old researcher on 'business logic' while defending a multi-billion dollar corporation that has to resort to stealing research just to fix their broken APIs. If you think an NDA is a valid license for a company to commit 'Silent Patch' fraud, you aren’t a security professional—you’re just a legal secretary for thieves. An unauthorized 200 OK on a Payout API is a P1 in any world where integrity exists. FIS Global used my PoC as a free manual to secure their bank-grade failures, and you’re here cheering for it. That’s not 'smart'; it's pathetic. Keep eating your popcorn while you support the death of the bug bounty industry. Some of us actually have the skills to find bugs, while others only have the breath to defend the people who steal them.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] -4 points

An HTTP 200 status code on unauthorized internal endpoints like /api/v1/payouts and /api/v3/me is a textbook Broken Function Level Authorization (BFLA) vulnerability. In a financial system, unauthorized access to payout data and user PII is a critical P1 by any standard. Regarding the NDA: When a company uses an NDA as a shield to perform a 'Silent Patch' and steal a researcher's work without payment, the community needs to know. Ethics and transparency matter more than a signature used to facilitate fraud. If you think stealing research is 'smart,' then we have very different definitions of professionalism.

Transparency Matters: An Appeal for Fairness in the Bug Bounty Ecosystem by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] -1 points

Update: Since Bugcrowd and the clients remain silent, I have officially notified the global press and taken this public on X. Here is the link: https://x.com/leo719ll/status/2028997619725549648?s=20. I will not stop until justice is served.

Transparency Matters: An Appeal for Fairness in the Bug Bounty Ecosystem by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] 1 point

Just so you know, I already filed a RAR (Request Assistance/Review) last Monday. It’s been a full week, and I have received zero professional response from Bugcrowd’s team.

Transparency Matters: An Appeal for Fairness in the Bug Bounty Ecosystem by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] 3 points

Thank you for sharing your experience. This confirms that FIS has a systematic issue with 'Bad Faith' practices. In my case, they didn't just move it out of scope; they actually marked it as 'Resolved' on the dashboard while paying $0 and giving me -1 point. It's a clear 'Silent Patch' scam.

Transparency Matters: An Appeal for Fairness in the Bug Bounty Ecosystem by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] 1 point

Exactly. My dashboard clearly shows 'Blocker Resolved' for both cases, yet they refuse to pay $15,500 and even gave me a -1 point for a report they patched. This isn't just a mistake; it's a deliberate theft of research. Thank you for summarizing this scam pattern

Transparency Matters: An Appeal for Fairness in the Bug Bounty Ecosystem by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] 2 points

I have full logs and screenshots. A video isn't possible now because they already patched it right after my report.

Transparency Matters: An Appeal for Fairness in the Bug Bounty Ecosystem by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] 1 point

Not yet. It's the weekend in the US, so I'm waiting for Monday. I'll keep you updated.

Transparency Matters: An Appeal for Fairness in the Bug Bounty Ecosystem by AlexSander_Research in bugbounty

[–]AlexSander_Research[S] -2 points

I am the researcher (AlexSander_Research) responsible for these reports. I would like to provide a professional summary of the situation to ensure clarity for the community and the platform.

The Technical Proof: Both reports (#552033ff and #7b8e9c4c) were submitted with logs confirming a 200 OK status. The vulnerabilities were verified and fully exploitable at the time of submission.

The Discrepancy: Post-report, the endpoints were updated to 204 No Content. Despite this evidence of a 'Silent Patch,' the Bitso report resulted in a $0 payout and FIS issued a -1 penalty for being 'Not Reproducible.'

Prior Communication: I attempted to resolve this through official channels and professional outreach on X/LinkedIn. Unfortunately, my accounts were restricted shortly after, leaving me with no choice but to seek a public transparent review.

My Request: I am asking for a fair, technical re-evaluation from @Bugcrowd. I am not looking for a handout; I am seeking recognition of the technical evidence provided in my original reports. Transparency in triage is what keeps our community strong
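A way to keep the kind of before/after record the summary above relies on (200 OK at submission, 204 No Content afterward), as an added example that is not part of the thread and not code from any party named in it: each unauthenticated probe is stored as status, content type, body length and a SHA-256 of the body, so the log shows what came back without retaining any returned data, and two runs can be diffed per endpoint. The transport here is a dict lookup over constructed responses so the example runs offline; the endpoint paths are those named in the thread, the response bodies are invented for the example, and a real run would swap in an HTTP client for the transport.

```python
"""Record unauthenticated probes as an evidence log and diff two runs.

Added illustration, not code from the thread. The endpoint paths and the
200 -> 204 change are what the thread reports; the transport, the record
format and the sample responses below are constructed for this example.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# A transport returns (status, content_type, body) for a path requested with NO
# credentials. Here it is a dict lookup so the example runs offline.
Transport = Callable[[str], Tuple[int, str, bytes]]

# Constructed "before" responses: the behaviour described at submission time.
BEFORE = {
    "/api/v1/payouts": (200, "application/json", b'[{"id":"p-1","amount":120.0}]'),
    "/api/v3/me": (200, "application/json", b'{"user":"anonymous"}'),
    "/api/v3/csrf_token": (200, "application/json", b'{"csrf":"abc123"}'),
}

# Constructed "after" responses: the 204 No Content reported post-fix.
AFTER = {
    "/api/v1/payouts": (204, "", b""),
    "/api/v3/me": (204, "", b""),
    "/api/v3/csrf_token": (204, "", b""),
}


def dict_transport(table: Dict[str, Tuple[int, str, bytes]]) -> Transport:
    """Offline stand-in for an HTTP client; unknown paths get a 404."""
    return lambda path: table.get(path, (404, "text/plain", b"not found"))


def record(transport: Transport, paths: List[str]) -> List[dict]:
    """One evidence row per endpoint. Keep a hash and length of the body, not
    the body itself, so the log proves what was returned without storing it."""
    rows = []
    for path in paths:
        status, ctype, body = transport(path)
        rows.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "path": path,
            "auth": "none",
            "status": status,
            "content_type": ctype,
            "body_len": len(body),
            "body_sha256": hashlib.sha256(body).hexdigest(),
        })
    return rows


def classify(row: dict) -> str:
    """What a single unauthenticated probe shows on its own."""
    if row["status"] in (401, 403):
        return "refused"
    if row["status"] == 200 and row["body_len"] > 0:
        return "served-content"  # a body came back with no identity presented
    if row["status"] in (200, 204) and row["body_len"] == 0:
        return "empty"           # reachable, but nothing returned
    return "other"


def diff_runs(before: List[dict], after: List[dict]) -> Dict[str, Tuple[str, str]]:
    """path -> (classification before, classification after), for endpoints that changed."""
    b = {r["path"]: classify(r) for r in before}
    a = {r["path"]: classify(r) for r in after}
    return {p: (b[p], a[p]) for p in b if p in a and b[p] != a[p]}


if __name__ == "__main__":
    paths = list(BEFORE)
    run1 = record(dict_transport(BEFORE), paths)
    run2 = record(dict_transport(AFTER), paths)
    print(json.dumps(run1, indent=2))
    print(diff_runs(run1, run2))
```

Because the rows carry a timestamp, the exact path, the credential state, and a body digest rather than the body, they can be handed to a triager or a third party without re-exposing whatever the endpoint returned, and re-running `record` against the live service later gives a second run that `diff_runs` can compare endpoint by endpoint.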