How I Found a Hardcoded RSA Private Key in a Major Crypto Exchange’s Frontend -And What I Learned the Hard Way
A bug bounty researcher shares a detailed postmortem of finding a hardcoded RSA private key in a major crypto exchange's frontend JavaScript bundle. After validating the key with OpenSSL and successfully forging JWT tokens, the researcher submitted a report — only to have it rejected. The key turned out to be used only for logging, not authentication, and the researcher had guessed non-existent API endpoints rather than capturing real traffic. The writeup breaks down four key mistakes: guessing endpoints instead of discovering them via traffic interception, misreading HTTP 200 responses with error bodies as token acceptance, reporting theoretical impact without demonstrated proof, and over-engineering the report. Practical lessons include always capturing real API traffic before testing, proving impact with screenshots before reporting, and keeping reports concise.
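The first finding described above is a private key shipped inside a frontend JavaScript bundle, which is exactly the kind of leak a build-time check should catch before it reaches users. The following scanner is an added example (not code from the original article or from the exchange in question) that locates PEM-encoded private keys in bundle text, including keys whose newlines were escaped as `\n` inside a JS string literal, decodes them, and for RSA keys reads the modulus size so the finding can be prioritised. The bundle contents, the `logSigner` config name and the toy-sized RSA key are constructed for the example; the DER walk only reads the outer SEQUENCE, version and modulus, which is enough to confirm the blob is a real RSAPrivateKey rather than a placeholder string.

```python
import base64
import re
import textwrap

# Matches PKCS#1 ("RSA"), SEC1 ("EC"), OpenSSH and PKCS#8 (no prefix) private key blocks.
PEM_PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----\s*(.+?)\s*-----END \1PRIVATE KEY-----",
    re.DOTALL,
)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value triple starting at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Return the modulus bit length of a PKCS#1 RSAPrivateKey, or None if the structure does not match."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:  # outer SEQUENCE
        return None
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02 or version != b"\x00":  # INTEGER version 0 (two-prime key)
        return None
    tag, modulus, _ = _read_tlv(body, pos)
    if tag != 0x02:
        return None
    return int.from_bytes(modulus, "big").bit_length()


def find_private_keys(bundle_text):
    """Scan minified JS text for embedded private keys; returns one dict per finding."""
    # Bundles usually carry the PEM inside a string literal with escaped newlines.
    text = bundle_text.replace("\\r", "").replace("\\n", "\n")
    findings = []
    for match in PEM_PRIVATE_KEY_RE.finditer(text):
        kind = match.group(1).strip() or "PKCS8"
        b64 = re.sub(r"\s+", "", match.group(2))
        try:
            der = base64.b64decode(b64, validate=True)
        except (ValueError, TypeError):
            findings.append({"kind": kind, "offset": match.start(), "valid_der": False, "modulus_bits": None})
            continue
        bits = rsa_modulus_bits(der) if kind == "RSA" else None
        findings.append({"kind": kind, "offset": match.start(), "valid_der": True, "modulus_bits": bits})
    return findings


# --- constructed sample input below: a toy RSA key, never usable for anything real ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def build_toy_rsa_private_key_pem():
    """Build a structurally valid PKCS#1 RSAPrivateKey with textbook-sized primes (constructed test data)."""
    p, q, e = 61, 53, 17
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    body = b"".join(_der_int(v) for v in fields)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END RSA PRIVATE KEY-----")


# Constructed bundle fragment: the key sits in a JS string with escaped newlines, as a real bundle would carry it.
SAMPLE_BUNDLE = (
    'var config={logSigner:"' + build_toy_rsa_private_key_pem().replace("\n", "\\n")
    + '",apiBase:"https://api.example.invalid"};'
)

if __name__ == "__main__":
    for finding in find_private_keys(SAMPLE_BUNDLE):
        print(finding)
```

Run as a CI step over every emitted bundle and fail the build on any finding with `valid_der` set; a key the article describes as "only for logging" still proves the private half was published, and a scanner that confirms the DER parses avoids noisy hits on placeholder strings.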
Table of contents

Phase 1: JavaScript Recon (Where the Gold Hides)
Phase 2: Validation: Is This Real?
Phase 3: Can I Forge JWT Tokens With This?
Phase 4: Where I Went Wrong