The Subdomain They Forgot — How I Chained Bugs for a $1,000 Bounty

The internet never forgets, and neither should bug bounty hunters. As hackers, we live for those quiet moments when something seemingly insignificant — a leftover subdomain, a misconfigured API — turns into a jackpot of vulnerabilities.

That’s exactly what I found during a late-night recon session: an old subdomain, neglected and forgotten by its owners. To them, it was harmless. To me, it was a ticking time bomb.

What followed was a cascade of discoveries: hardcoded credentials, exposed APIs, writable S3 buckets, and an outdated CMS riddled with vulnerabilities. One bug led to another until I had chained together a critical exploit worth $1,000.

Here’s how I turned this forgotten relic into one of my most rewarding bug bounty reports yet.

The Needle in the Haystack

It all started with a recon sweep using Amass and Subfinder:

amass enum -d company.com

Most of the results were standard, modern subdomains. But one stood out:

beta.oldsite.company.com

It had all the hallmarks of an outdated system:

• No HTTPS — just plain HTTP.
• An old-school login page with slow response times.