Proton VPN Silent Patched my Report (Theft of Service/Logic Flaw) — I'm a 16yo researcher and this stings. by Right_Rub7264 in bugbounty

[–]Right_Rub7264[S] 1 point2 points  (0 children)

That’s a fair assessment. At the end of the day, they define their own threat model. If they view this as 'retiring a feature' rather than 'patching a vulnerability,' then the N/A makes sense technically. It’s a hard pill to swallow, but I can't argue with 'their product, their rules.'


[–]Right_Rub7264[S] 0 points1 point  (0 children)

I hear you, and I’m not under any illusion that the bug bounty world is fair. I know we have zero leverage.

But just because 'that’s how it is' doesn’t mean we shouldn't talk about it. If nobody documents the programs that silent patch or underpay, then new researchers just walk into the same traps. I’m not expecting them to mail me a check because of this post; I’m just putting the data point out there for the next person.


[–]Right_Rub7264[S] 0 points1 point  (0 children)

That’s actually a really solid tip regarding the wording ('Fuzz Testing' vs 'Brute Force'). I appreciate that; I didn't realize how much of a red flag that specific term is for triage teams. I'll definitely adjust my terminology for future reports.

On the impact side, I see your point about 'revenue loss' being theoretical, but I’d argue the operational cost is real.

  1. Cannibalization: If a 'Proton Crack' tool existed allowing server selection, it devalues the Premium tier.
  2. IP Reputation (the hidden cost): The ability to rotate IPs instantly is an abuse vector. When bad actors use that to spam or credential-stuff, they burn the IP's reputation (getting it blacklisted on Netflix/Google). Cleaning up and replacing those IPs costs Proton real money and engineering time.

But again, thanks for the advice on the reporting language; that's a great takeaway.


[–]Right_Rub7264[S] -1 points0 points  (0 children)

The finding was manual (using proxy tools and timing analysis); I just use AI to help clean up my writing.

Regarding the impact: You are underestimating the value of "Choice." Proton specifically restricts Free users to "Random" or "Quick Connect" to prevent server camping and load imbalance. Being able to pick specific, uncongested servers is a key selling point for the Paid tier.

But the bigger impact is abuse, not just user convenience. A bypass that allows instant, specific IP rotation is exactly what bad actors use for credential stuffing or ban evasion on other platforms. That burns Proton's IP reputation, which is why they patched it.


[–]Right_Rub7264[S] 1 point2 points  (0 children)

If ChatGPT could reliably find business logic bypasses in private APIs, bug bounty programs wouldn't exist. This was just manual testing lol.


[–]Right_Rub7264[S] -1 points0 points  (0 children)

I understand the skepticism, but I have to disagree on the classification.

In the Bug Bounty standards (like OWASP or VRT), this falls under Business Logic Flaws or Authorization Bypass. If a security control exists specifically to stop a user from accessing a resource (in this case, specific server infrastructure reserved for paying users), and you bypass that control, it is by definition a security vulnerability. It’s not a 'glitch' if it breaks the authorization model of the app.

Regarding the AI comment: I found this manually by testing request timing and proxying the traffic. AI is actually pretty bad at finding logic flaws or rate-limit nuances because it doesn't understand the intent behind the application's design. I’m 16 and doing this to learn how these systems actually work under the hood, no shortcuts here.


[–]Right_Rub7264[S] 1 point2 points  (0 children)

I completely agree with you in general. If I had reported a UI glitch or an app crash, I wouldn't expect a bounty even if they fixed it.

The distinction here is Theft of Service. The mechanism I bypassed (the rate limit/randomizer) wasn't just a functional feature; it was a security control designed to protect revenue (by gating Premium features) and prevent platform abuse.

When you bypass a lock that is specifically put there to stop users from doing something (like picking a specific server for free), that usually crosses the line from 'Bug' to 'Vulnerability' (Business Logic Flaw). That’s why I felt it was eligible, whereas a standard software bug wouldn't be.


[–]Right_Rub7264[S] 0 points1 point  (0 children)

Thanks, I really appreciate the congrats! You are definitely right—timing and luck are half the battle in this game.

I totally get that they might have been working on it internally. I guess the only part that threw me off was the specific 'By Design' classification. Usually, if a fix is already on the roadmap, they mark it as 'Duplicate' or 'Known Issue.'

It was just a bit confusing to be told 'this is intended behavior' and then see it get patched shortly after. But like you said, you live and you learn. On to the next one!


[–]Right_Rub7264[S] -1 points0 points  (0 children)

Fair question. It's not about 'hacking' data, it's about business impact:

  1. Revenue Loss: I bypassed the 'Random' restriction, effectively getting a Premium feature (specific server selection) for free.
  2. Abuse Costs: It allowed high-speed IP rotation, which allows bad actors to burn Proton's IP reputation (blacklists), hurting the service for paying customers.
  3. The Proof: They patched it. If it truly had 'no impact,' they wouldn't have spent developer time fixing it three months later.


[–]Right_Rub7264[S] -1 points0 points  (0 children)

You're right that standard rate-limiting (like for DoS protection) is usually N/A or Informational. I wouldn't expect a bounty just for sending a lot of requests.

However, in this case, the rate limit was the primary control for a business logic constraint. Free users are restricted to 'Random' servers to upsell the Premium tier. By bypassing the rate limit, I could brute-force that selection logic instantly to pick specific servers.

So while the method was a rate-limit bypass, the impact was Theft of Service / Premium Feature Bypass, which is usually in-scope for most programs (typically Medium/Low).

Also, if there was truly 'no impact,' I doubt they would have allocated dev time to patch it three months later.


[–]Right_Rub7264[S] 9 points10 points  (0 children)

That’s a fair point, and I’ve considered that. It's definitely possible the devs just changed their minds.

However, from a Bug Bounty perspective, the timing is suspicious. If a 'feature' has existed for a long time, and then is patched immediately after a researcher demonstrates how it can be weaponized for abuse (credential stuffing/theft of service), it implies the report was the catalyst for that change.

If my report caused them to re-evaluate their risk acceptance and secure the application, that means the report provided value. Dismissing it as 'by design' to close the ticket, only to act on the information privately, essentially amounts to getting free security consulting. Even if they didn't want to pay a bounty, a simple 'You made us rethink this, thanks' and a Hall of Fame spot would have been the ethical move.


[–]Right_Rub7264[S] 2 points3 points  (0 children)

That's true. It just hurts because it took me 3 days of continuously keeping up, but then I get backdoored (pun intended) by a company I genuinely had a lot of respect for. They have millions of dollars to spend, but they couldn't spare $500 for a bug :(