Update: The Ending of My $500 Loss and Web Cache Poisoning Story.
2026-6-7 14:46:53 Author: infosecwriteups.com

The Account Was Eventually Deactivated.

Over the following weeks, I started receiving multiple payment reminder emails from the service.

The emails ranged from payment notifications to overdue invoice reminders and eventually account-blocking notices.

Proof of Concept Image.

At first, I ignored them because I had already contacted both the company and my bank regarding the charge.

Then one day, I logged back into the account and noticed a message stating that the account had been temporarily deactivated due to unpaid invoices.

Shortly afterward, the service access was effectively disabled and the subscription was no longer active.

Proof of Concept Image.

At that point, it became clear that the account would not remain active indefinitely.

The Unexpected Refund.

The most surprising part came later.

A few days after the account was deactivated, the money that had been debited from my account was returned.

Since the day I noticed the original charge, I had immediately contacted my bank, cancelled the card, and requested a dispute/chargeback investigation.

Because of that, I believe the refund was most likely the result of the bank’s dispute process rather than a direct refund from the company.

I cannot say that with complete certainty, but the timing strongly suggests it.

Either way, seeing that notification was a huge relief.

Proof of Concept Image.

Looking Back.

When the entire situation started, I honestly thought the money was gone for good.

Instead, several things happened:

  • The account was eventually deactivated.
  • The subscription was cancelled.
  • The disputed funds were returned.
  • The cache poisoning bug I discovered turned out to be a duplicate.

Not exactly the ending I expected.

I didn’t receive a bounty.

I didn’t keep the subscription.

And I didn’t get a unique vulnerability report accepted.

But I did get my money back.

And sometimes that’s a win on its own.

Final Thoughts.

One thing bug bounty hunting teaches you very quickly is that not every story ends with a payout.

Sometimes you find a valid bug and lose the race.

Sometimes you spend weeks investigating something that goes nowhere.

And sometimes life throws unexpected distractions right in the middle of a hunt.

What matters is continuing to learn and continuing to improve.

The duplicate report was disappointing.

The $500 charge was frustrating.

But the experience itself was valuable.

The hunt continues.

And as I’ve learned many times before:

As long as software continues to evolve, there will always be vulnerabilities waiting to be discovered.

Never give up, till we meet again… 🙏


Source: https://infosecwriteups.com/update-the-ending-of-my-500-loss-and-web-cache-poisoning-story-153603be845a?source=rss----7b722bfd1b8d---4