This post documents my negative experience with the servers.guru vulnerability disclosure / bug bounty process. I am writing this publicly because private communication led nowhere, and I believe security researchers deserve honesty and transparency.

The Short Version

I submitted two legitimate security vulnerabilities
Both had real-world impact
Both were clearly explained with reproduction steps
No payment was made
No convincing technical justification was given

You can decide what that says about the program.

Vulnerability #1: OTP Reuse (Authentication Broken)

Category: Authentication / Logic Flaw
Severity: High

servers.guru implemented OTP in a way that defeats the entire purpose of OTP.

What Was Wrong

The same OTP could be reused multiple times instead of being invalidated after first use. This is not a “best practice” issue. This is OTP 101.

Why This Matters

OTPs are meant to be one-time
Reuse allows replay attacks
Any intercepte...
As someone deeply invested in cybersecurity, I recently discovered a serious security vulnerability in YourCryptoPal, a platform that claims to prioritize user safety. Following responsible disclosure practices, I reported the issue to them, expecting a professional response and acknowledgment.

Dismissal and Accusation – Instead of thanking me for responsibly reporting a potential threat, the team at YourCryptoPal accused me of being a scammer. This was not only unprofessional but deeply insulting.

Failure to Compensate – Many platforms offer bug bounties or rewards to incentivize responsible disclosure. Despite my clear report and evidence, they did not pay the promised reward.

Lack of Accountability – I reached out multiple times, seeking clarification and resolution, but received no constructive response.

Why Responsible Disclosure Matters

Reporting security vulnerabilities is critical for the safety of all users. When platforms ignore, insult...