First bounty: broken link hijacking

GrumpinouT
1 min read · Jun 11, 2020

I picked my target and started looking around. I found a web page that was not up-to-date anymore and it contained a link to a non-existing Instagram account. I quickly created the account and submitted my report. I started searching to see if this link occurred on more web pages. I found out that their Flemish emails also contained the link.

When I finally got an update on my submission, I was disappointed. They marked it as a duplicate. I didn’t understand it because the account was owned by me. How is it possible to be a duplicate? I asked customer support how this could be a duplicate and they told me that the first report indeed was about the URL on the page I found. I asked them about the link in the email but they didn’t reply. So I decided to submit it again, this time only mentioning the email in my report. Two weeks later I got my first bounty!

Takeaways:

  • If you find a broken URL, check whether it also appears on other web pages, apps, emails or social media accounts.
  • Submit one report per bug.
  • If you find more places where the bug appears, don’t put them in the comments. Create a new report for it, because it will get marked as a duplicate if the bug in the report was submitted before. They do not take the comments into account.
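
The first takeaway also applies from the site owner's side: one dead external link usually lives in several places at once. The sketch below is an added example, not code from the original post. It indexes external links across web pages and email templates and lists every location of a link whose target account is unclaimed. The file names, handles, `own_hosts` value and the `is_claimed` lookup are constructed assumptions; in practice `is_claimed` would be whatever check you use to confirm your organisation still controls the account.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collects href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def normalize(url):
    """Reduce a URL to host + path so variants of one link compare equal."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path.rstrip("/")  # query string and fragment dropped

def index_external_links(documents, own_hosts):
    """Map each external link to the set of documents that contain it."""
    index = defaultdict(set)
    for source, html in documents.items():
        collector = LinkCollector()
        collector.feed(html)
        for href in collector.links:
            key = normalize(href)
            if key and key.split("/")[0] not in own_hosts:
                index[key].add(source)
    return index

def dangling_links(index, is_claimed):
    """Return unclaimed links with every place they appear."""
    return {link: sorted(srcs) for link, srcs in index.items() if not is_claimed(link)}

# Constructed sample content: two web pages and one email template.
DOCUMENTS = {
    "web/old-campaign.html": '<a href="https://www.instagram.com/example_brand_be/">Instagram</a>',
    "email/newsletter_nl-BE.html": '<a href="https://instagram.com/example_brand_be?utm=mail">Volg ons</a> <a href="https://example.com/shop">Shop</a>',
    "web/home.html": '<a href="https://instagram.com/example_brand">Instagram</a>',
}
CLAIMED = {"instagram.com/example_brand"}  # assumption: accounts the organisation controls
REPORT = dangling_links(index_external_links(DOCUMENTS, {"example.com"}), CLAIMED.__contains__)
```

Here `REPORT` lists the unclaimed handle once, together with both the web page and the email template that link to it, so fixing the page alone would leave the email exposed.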
