Accidentally making $1000 for finding Security Bugs as a Back end Developer (not-afraid.medium.com)

A backend developer discovered significant security vulnerabilities while exploring the architecture of an AI friend chatbot platform. By analyzing the application’s endpoint and authentication mechanisms—using tools like Postman and custom scripts—they identified several serious issues, including publicly accessible database tables containing user messages, profiles, and uploaded images. The researcher highlighted an IDOR vulnerability allowing access to any user's data using only their UUID, alongside misconfigured API endpoints that posed severe risks if exploited. This incident underscores the critical need for robust security practices in AI/ML applications, especially those handling sensitive user data. The developer reported their findings to the platform’s founders, resulting in a $1,000 bounty for disclosing the vulnerabilities, despite many being aware of them prior. The situation serves as a cautionary tale for users about the importance of data privacy on new platforms, emphasizing that even seemingly innocuous services can harbor dangerous flaws if not properly secured. The developer’s experience is a reminder for the tech community to prioritize thorough security testing before deploying applications.