u/lostboy_31

▲ 10 · r/cybersecurityindia (+1 crosspost)

Indian companies really need a better security disclosure culture

Recently reported an auth-related vulnerability to an Indian e-commerce company while casually browsing their site. The issue was pretty straightforward: the ability to trigger account lockouts without authentication, which could be abused at scale during sales/events, affecting each and every user of that site.

To their credit, the team acknowledged the report, fixed it, and even sent over a small ₹2k voucher despite not having any public VDP. So this isn't meant as a rant against them specifically.

But the whole experience genuinely got me thinking about how security research is still viewed by a lot of Indian companies. A lot of reports still get treated more like customer support tickets, or most of them don't even get a reply unless escalated through CERT-In. And while I'm not expecting huge payouts from companies without formal programs, vulnerabilities affecting authentication and user access can absolutely have real business impact if abused.

Even rewards like this feel bad for a vulnerability of that scale. I honestly feel we're just a few major breaches away from mass VDP & bug bounty adoption in India.

Curious if others here have had similar experiences.

u/lostboy_31 — 14 days ago

Hi everyone, right now I'm working as a VAPT engineer at a service-based firm; this is my second employer, and before that I worked as a Security Analyst. I have entry-level certs like CEH, eJPT, CRTA and AWS Cloud Practitioner, and I'm currently preparing for BSCP. I've been looking for a change for the past few months as my current pay is too low for a 2 YOE guy in cybersecurity. As of now I have landed around 4-5 interviews and things went well for me, but I haven't received any offer letter yet. As of now I don't have any budget for OSCP. I'm not doing that well in bug bounty; I've only landed P3 & P4 and a few duplicates. Also I'm a BCA guy, while most roles have a minimum eligibility of B.Tech. What should I do now? Should I apply for an online MCA or go all in for OSCP?

I feel like I'm in that mid-zone: I have experience, but not enough to stand out for higher-paying positions. I'm targeting a remote or product-based role and would really appreciate practical advice from people who've made a successful switch.

u/lostboy_31 — 24 days ago