A bug bounty hunter discovered a P2 Denial of Service vulnerability in a managed cloud database platform by exploiting an unbounded custom Lua function invoked through the EVAL command. A single authenticated request that generated a 1-billion-character string caused a 1GB network spike and crashed the database process outright. The report was initially marked 'Not Applicable' because the flaw existed in an upstream open-source project. By appealing with evidence of real-world material impact and citing the program's own policy language, the researcher got the status changed to 'Informational' and earned reputation points. Key takeaways: test custom database functions, read program policies carefully, and escalate upstream bugs directly to the open-source maintainers.
Table of contents
The Target and The Recon
The Vulnerability: Uncontrolled Resource Consumption
The Exploit (Proof of Concept)
The Plot Twist: "Not Applicable"
The Appeal: Knowing the Rules of the Game
The Victory
Takeaways for Fellow Hunters