My First P1 on VDP program — Subdomain Takeover That Hit Critical
Hello everyone!
My name is Oussama (Ousski). I’m a part-time bug hunter and penetration tester with a strong passion for ethical hacking. I spend most of my time learning about new technologies and constantly working to improve my skills and experience in the cybersecurity field.
The Whole proccess :
Find the Program
While exploring different VDP (Vulnerability Disclosure Program) targets, I decided to try my luck using some Google dorks.
I came across a target — let’s refer to it as redacted.com After checking their VDP policy, I found that they accept vulnerability reports through the Swiss Bug Bounty platform. Interestingly, the program belongs to a well-known newspaper in Switzerland.
I started the reconnaissance process by collecting subdomains of redacted.com. After gathering a list, I checked which subdomains were alive and responding with HTTP status code 200. These were saved to a file named alive-subdomain.txt for further analysis.(I’ll be sharing my full recon methodology soon, so stay tuned!).
Finding the Bug:
As always, the first thing I do is look for low-hanging fruit. I start by checking for any known CVEs using automated tools, and then run a subdomain takeover scanner against the alive-subdomain.txt file I generated earlier.
These tools help quickly identify potential misconfigurations or unclaimed services that could lead to takeover opportunities. Once the scans finished, one result immediately caught my eye... .
The subdomain static.redacted.com is configured via a DNS CNAME record to point to an AWS S3 bucket that no longer exists.
This misconfiguration introduces a subdomain takeover vulnerability, allowing an attacker to potentially claim the missing bucket and serve arbitrary content under the trusted domain.
Immediately, I created the AWS bucket using the subdomain, and yes — I successfully claimed the domain for myself.
After a few days, the team reviewed my report and the PoC. They assigned the severity as High, with a CVSS score of 8.1.
