
Servers.guru Bug Bounty SCAM: Two Valid Reports, Zero Payment, Zero Accountability

This post documents my negative experience with the servers.guru vulnerability disclosure / bug bounty process. I am writing this publicly because private communication led nowhere, and I believe security researchers deserve honesty and transparency.

The Short Version

  • I submitted two legitimate security vulnerabilities

  • Both had real-world impact

  • Both were clearly explained with reproduction steps

  • No payment was made

  • No convincing technical justification was given

You can decide what that says about the program.


Vulnerability #1: OTP Reuse (Authentication Broken)

Category: Authentication / Logic Flaw
Severity: High

servers.guru implemented OTP in a way that defeats the entire purpose of OTP.

What Was Wrong

The same OTP could be reused multiple times instead of being invalidated after first use.

This is not a “best practice” issue.
This is OTP 101.

Why This Matters

  • OTPs are meant to be one-time

  • Reuse allows replay attacks

  • Any intercepted or logged OTP becomes reusable

  • This directly weakens account security

I provided:

  • Step-by-step reproduction

  • Clear explanation of impact

  • Proof that the OTP was reusable

Despite this, the issue was dismissed and unpaid.
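To make the defect concrete for readers, here is an added Python illustration; it is not code from the original post and not servers.guru's implementation. It contrasts an OTP verifier that consumes the code on its first successful use with one that leaves the code valid afterwards, which is the behaviour described above. The store layout, the five-minute lifetime, the attempt budget and the user ids are assumptions made for the example.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime; the post states no value
MAX_ATTEMPTS = 5        # assumed guess budget per issued code


class SingleUseOtpStore:
    """Issues OTPs and consumes each one on its first successful verification.

    The clock is injectable so that expiry can be exercised deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # user_id -> [code, expires_at, failed_attempts]

    def issue(self, user_id):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = [code, self._now() + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing outstanding: already used, expired or never issued
        code, expires_at, failed = entry
        if self._now() > expires_at or failed >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user_id]  # consumed: a replay of the same code now fails
            return True
        entry[2] += 1  # wrong guess: keep the code but spend one attempt
        return False


class ReusableOtpStore(SingleUseOtpStore):
    """The flawed behaviour described in the post: the code survives a successful check."""

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None or self._now() > entry[1]:
            return False
        return hmac.compare_digest(entry[0].encode(), submitted.encode())


def replay_outcome(store, user_id="alice"):
    """Returns (first_attempt, replay_attempt) for one issued code."""
    code = store.issue(user_id)
    return store.verify(user_id, code), store.verify(user_id, code)
```

With the single-use store, `replay_outcome` yields `(True, False)`; with the reusable store it yields `(True, True)`, which is exactly what makes an intercepted or logged code dangerous. Deleting the entry on success (rather than flagging it) also means a logged or leaked code cannot be tried later within its lifetime.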


Vulnerability #2: CSRF on Email Change (Account Takeover Vector)

Category: CSRF
Severity: High

The email change endpoint lacked proper CSRF protection.

What This Enables

If a logged-in user visits a malicious page, an attacker can:

  • Change the victim’s email address

  • Trigger password resets

  • Lock the victim out of their account

This is a classic account takeover scenario.

What I Provided

  • Proof-of-concept

  • Attack scenario

  • Clear explanation of impact

The response?
No reward. No meaningful explanation.
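For readers who want to see the mitigation rather than just the claim, the following added Python example (not code from the original post, and not servers.guru's endpoint) models an email-change handler that trusts the session cookie alone next to one that also checks the request origin and a per-session synchronizer token. The session and request objects, the origin `https://app.example` and the e-mail addresses are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

APP_ORIGIN = "https://app.example"  # assumed origin of the legitimate front end


@dataclass
class Session:
    """Server-side session, located by a cookie the browser sends automatically."""
    user_id: str
    email: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    session: Optional[Session]  # None when no valid session cookie accompanied the request


def change_email_vulnerable(req: Request) -> int:
    """Trusts the session cookie alone, so a forged cross-site POST succeeds."""
    if req.session is None:
        return 401
    req.session.email = req.form["email"]
    return 200


def change_email_hardened(req: Request) -> int:
    """Requires a same-origin POST carrying the session's synchronizer token."""
    if req.session is None:
        return 401
    if req.method != "POST":
        return 405
    # Browsers attach Origin (or at least Referer) to cross-site form posts.
    source = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not (source == APP_ORIGIN or source.startswith(APP_ORIGIN + "/")):
        return 403
    # The token is embedded in the app's own page, which another origin cannot read.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403
    req.session.email = req.form["email"]
    return 200


def forged_request(victim: Session) -> Request:
    """Constructed cross-site form post: the cookie rides along, token and origin do not."""
    return Request("POST", {"Origin": "https://attacker.example"},
                   {"email": "attacker@attacker.example"}, victim)


def legitimate_request(user: Session, new_email: str) -> Request:
    """Constructed same-origin post from the app's own settings page."""
    return Request("POST", {"Origin": APP_ORIGIN},
                   {"email": new_email, "csrf_token": user.csrf_token}, user)


def simulate(handler):
    """Runs a forged change, then a legitimate one, against a fresh session.

    Returns (forged_status, email_after_forgery, legit_status, final_email).
    """
    victim = Session("u1", "victim@example.org")
    forged_status = handler(forged_request(victim))
    after_forgery = victim.email
    legit_status = handler(legitimate_request(victim, "new@example.org"))
    return forged_status, after_forgery, legit_status, victim.email
```

Against `change_email_vulnerable` the forged request returns 200 and the victim's address is replaced; against `change_email_hardened` it returns 403 and the address is untouched, while the legitimate request still succeeds. For an action this sensitive, asking for the current password or confirming the change via the old address, and marking the session cookie `SameSite`, are worthwhile additional layers on top of the token check.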


The Real Problem: Process & Accountability

Bug bounty programs live or die by trust.

In this case:

  • Reports were submitted responsibly

  • Vulnerabilities were real and reproducible

  • Communication lacked clarity

  • Rejections felt arbitrary and dismissive

When programs accept reports, fix issues, but refuse to compensate researchers without technical justification, it sends a clear message:

Your time and expertise are disposable.


Why This Feels Bad Faith

Let’s be blunt:

  • OTP reuse is not debatable

  • CSRF on email change is not theoretical

  • These are not “informational” issues

  • These are not “out of scope” tricks

If this is how valid reports are handled, calling it a “bug bounty program” is misleading.


Advice to Other Researchers

Based on my experience:

  • Do not assume good faith

  • Document everything

  • Be prepared for rejection regardless of validity

  • Decide carefully whether servers.guru is worth your time

Your effort may not be respected.

  As someone deeply invested in cybersecurity, I recently discovered a serious security vulnerability in YourCryptoPal, a platform that claims to prioritize user safety. Following responsible disclosure practices, I reported the issue to them, expecting a professional response and acknowledgment.     Dismissal and Accusation – Instead of thanking me for responsibly reporting a potential threat, the team at YourCryptoPal accused me of being a scammer . This was not only unprofessional but deeply insulting. Failure to Compensate – Many platforms offer bug bounties or rewards to incentivize responsible disclosure. Despite my clear report and evidence, they did not pay the promised reward . Lack of Accountability – I reached out multiple times, seeking clarification and resolution, but received no constructive response . Why Responsible Disclosure Matters Reporting security vulnerabilities is critical for the safety of all users. When platforms ignore, insult...