Unleashing the Full Potential of Bug Bounty Programs with BeVigil: Streamlining the Workflow of Security Researchers

BeVigil can significantly simplify and enhance the workflow of bug bounty researchers. With BeVigil's innovative approach, researchers can leverage a straightforward workflow that requires fewer steps to identify vulnerabilities and earn bounties.
Bablu Kumar

The aim of this blog is to provide the following:

  • An in-depth exploration of how BeVigil, the world's first security search engine for mobile apps, can significantly simplify and enhance the workflow of bug bounty hunters, Android app security researchers, and OSINT enthusiasts.
  • With BeVigil, security researchers can leverage the extensive indexing of millions of Android apps, enabling them to rapidly and efficiently identify security vulnerabilities, secrets, exposed APIs, and much more, gaining visibility over a huge but vastly unexplored attack surface.
  • The functionality-rich BeVigil OSINT API and CLI streamline the vulnerability identification process and provide a reliable, efficient, and comprehensive platform for security researchers to automate, enrich and optimize their workflows. This helps researchers make more informed decisions instead of blindly running automated tools to find vulnerabilities.

General Workflow of Bug Bounty Researchers

To better understand the process of a bug bounty researcher, let us take a moment to explore the general workflow.

General workflow for a bug bounty researcher

While this process may suit some researchers, it can be inefficient and time-consuming. This approach requires extensive training to identify even basic vulnerabilities and often fails to uncover high-impact bugs that could potentially yield significant bounties. As such, a more streamlined and efficient workflow is necessary to maximize the potential rewards of bug bounty programs.

BeVigil’s Simplified Approach for Bug Bounty Researchers

Now, let us take a closer look at how BeVigil can significantly simplify and enhance the workflow of bug bounty researchers. With BeVigil's innovative approach, researchers can leverage a straightforward workflow that requires fewer steps to identify vulnerabilities and earn bounties.

Simplified workflow using BeVigil

Some of the features that BeVigil offers and the benefits it can provide for researchers:

  • With BeVigil, researchers can easily search through millions of indexed apps or scan apps instantly using a Play Store link. Researchers can even upload an app manually for analysis.
  • BeVigil provides instant app score checks, allowing researchers to quickly assess the security of an app and identify potential vulnerabilities.
  • Researchers can leverage BeVigil's advanced capabilities to identify security vulnerabilities and 250+ exposed API secrets in apps.
  • BeVigil also offers the ability to generate detailed security reports with comprehensive insights into the security posture of an app.

Step-by-Step Guide to Detecting Bugs with BeVigil

Step 1. Let's work through one of the leading bug bounty platforms, HackerOne, although the overall process remains the same on other platforms. Several companies with Android apps are listed on HackerOne. When we selected the asset types Android: Playstore or Android: .apk, numerous applications from different companies appeared in the search results. We chose “Urban” as an example.

Urban company’s Android app listed on HackerOne

Step 2. Next, go to BeVigil and search for the apps you want to research. For example, we looked for “Urban Company”, as it has the active bug bounty program we saw above.

Step 3. On this page, you can find the overall security score, which highlights how vulnerable the app could be, a list of exposed secret keys, and several other sections for different issue types on the left of the page. As a security researcher, you may be most interested in the “Vulnerabilities”, “Strings” and “Assets” sections, as they often contain the juiciest information.

  • The Vulnerabilities section in BeVigil provides a comprehensive overview of the different types of vulnerabilities detected. As a researcher, you can easily explore each vulnerability in-depth and determine its potential impacts.

  • The Strings section in BeVigil lists all the interesting secrets: API keys (such as AWS secrets, Shopify keys, GitHub keys, and Facebook keys) and tokens such as JWTs. After collecting those secrets, you can assess their security impact.

  • The Assets section shows exposed IP addresses, file paths, hostnames, and other interesting endpoint details.
Different sections showing different issue types on the app

Step 4. After discovering issues, we should try chaining them to find more impactful ones and report them to the right organization. For instance, if we come across a Firebase URL, we should dig deeper to determine whether it is accessible for reading or writing. Moreover, we should examine whether it reveals confidential data such as client or payment details. By taking this comprehensive approach, we can create a more impactful report and potentially earn a higher bounty for our efforts.

Investigating Firebase URL for sensitive information

Different Approaches for Bug Bounty Researchers

1. Using Firebase URL to Uncover PII: Firebase is a set of hosting services for any type of application. It offers NoSQL and real-time database hosting. By appending /.json to the Firebase URL, you can effortlessly determine whether the Firebase database permits unauthenticated read operations, write operations, or both.

According to our recent research, BeVigil has identified over 20,000 Firebase URLs with read access to the Firebase database, most of which contained sensitive information.

Exposed Firebase URL identified by BeVigil

Leaked sensitive information
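The Firebase check described above, plus the matching rules audit on the defender's side, as an added example that is not part of the original post or of BeVigil's own tooling. It builds the /.json probe URL from a database URL found in an app, interprets the response an unauthenticated read would get (Realtime Database answers 200 with the data when rules allow public reads and 401 with "Permission denied" when they do not), and walks a rules document to flag any path whose .read or .write is unconditionally true. The sample URL, responses and rules documents are constructed; no network call is made.

```python
import json
from urllib.parse import urlsplit, urlunsplit


def probe_url(database_url: str) -> str:
    """Return the unauthenticated REST read URL for the database root.

    Only the origin of the supplied URL is kept, so a URL extracted with a
    trailing slash or a path still yields a well-formed '<origin>/.json'.
    """
    parts = urlsplit(database_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not a usable Firebase database URL: {database_url!r}")
    return urlunsplit(("https", parts.netloc.lower(), "/.json", "", ""))


def classify_read_response(status: int, body: str) -> str:
    """Interpret the HTTP response to an unauthenticated GET on the probe URL.

    200 means the rules allow public reads (the body is the literal 'null'
    when the root holds no data); 401 with 'Permission denied' means the
    rules blocked the read. Anything else is reported rather than guessed.
    """
    if status == 200:
        return "public-read-empty" if body.strip() == "null" else "public-read"
    if status == 401:
        return "protected"
    return f"other-{status}"


def audit_rules(rules_json: str) -> list[str]:
    """Flag every path in a Realtime Database rules document whose .read or
    .write is unconditionally true; that is the rule shape behind every
    publicly readable URL of the kind discussed above."""
    doc = json.loads(rules_json)
    findings: list[str] = []

    def is_public(value) -> bool:
        return value is True or str(value).strip().lower() == "true"

    def walk(node, path: str) -> None:
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if is_public(value):
                    findings.append(f"{path or '/'} {key} is public")
            elif not key.startswith("."):  # skip .validate, .indexOn, etc.
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


# Constructed samples (placeholder project name, no real data).
SAMPLE_DATABASE_URL = "https://example-app-12345.firebaseio.com/"

# The weak setting: world-readable and world-writable.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'

# The corrected setting: deny by default, then grant each signed-in user
# access to their own subtree only.
FIXED_RULES = json.dumps({
    "rules": {
        ".read": False,
        ".write": False,
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
    }
})


if __name__ == "__main__":
    print("probe:", probe_url(SAMPLE_DATABASE_URL))
    # Constructed responses standing in for what the two rule sets return.
    print("weak rules  ->", classify_read_response(200, '{"users": {"u1": {"email": "x@example.com"}}}'))
    print("fixed rules ->", classify_read_response(401, '{"error" : "Permission denied"}'))
    print("weak audit  ->", audit_rules(WEAK_RULES))
    print("fixed audit ->", audit_rules(FIXED_RULES))
```

A report that only says "the Firebase URL is exposed" is weaker than one that states which rule makes it so and what the corrected rule looks like; `audit_rules` gives the program owner that second half directly.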

2. Shopify API Key Leak: Shopify, an e-commerce platform for online stores, provides several types of tokens that can be used for development. In our latest report, 21 apps were identified to have 22 hardcoded Shopify API keys/tokens, exposing the personally identifiable information (PII) of 4 million users/customers to potential threats.

In this example, BeVigil identified a well-known Indian e-commerce brand exposing Shopify keys with sensitive permissions. 

Access scopes retrieved based on the access token

The e-commerce store revealed personally identifiable information (PII) such as the name, email, domain, address, and phone of more than 1 million customers.

Sensitive Shopify admin details

Read more about this issue in this report: https://bevigil.com/blog/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens/ 

3. Amazon S3 URLs: Amazon S3 is an object storage service that stores data as objects within buckets. However, during a recent research study, one of our researchers discovered that a particular Amazon S3 URL was hardcoded in the source code of a mobile app. As a result, this URL was easily readable, leading to the exposure of sensitive customer data.

AWS URL exposed inside the application

Files & directories listing of a misconfigured Amazon S3 bucket

Read more about this issue in this report: Mobile Apps Exposing AWS Keys Affect 100M+ Users’ Data

4. Heroku App URL: Using BeVigil, our researchers found Heroku App URLs in the source code of mobile applications which could lead to subdomain takeover.


It appears that the domain is no longer operational, so it is now available for anyone to take over. In fact, our researchers were able to successfully take over the subdomain in question.

5. GitHub Personal Access Token: A GitHub Personal Access Token (PAT) is an authentication token that allows users to access their GitHub account and perform various actions programmatically via the GitHub API. Developers sometimes hardcode GitHub Personal Access Tokens in apps, which can expose private repositories on GitHub.

Our researchers were able to check the token’s scopes, which led us to believe that anyone with access to the PAT could access any private repository within the organization.

Access to private repos using PAT

Permissions indicate different types of access provided to the PAT

Read more about this issue in this report: Hardcoded GitHub Personal Access Tokens Leak 159 Private Repositories

6. Twitter API Keys: Using BeVigil, our researchers discovered that some mobile applications' source code contained hardcoded Twitter API keys. This potentially led to a Twitter account takeover, as these API keys can be exploited to gain unauthorized access to a user's Twitter account.

Exposure to the Twitter API keys led to Twitter account takeover

Compromised account used to make tweets, retweets, and follow other accounts

Read more about this issue in this report: https://cloudsek.com/whitepapers-reports/how-leaked-twitter-api-keys-can-be-used-to-build-a-bot-army

7. AWS Access Key and Secret Key: AWS Access Key and Secret Key are critical components of an organization's infrastructure. Anyone who gains access to these keys can potentially gain access to the entire company's infrastructure.

During our investigation on BeVigil, we discovered that these AWS keys had access to multiple AWS services, including ACM (Certificate Manager), ElasticBeanstalk, Kinesis, OpsWorks, and S3. Our focus was on S3, and upon further analysis, we found that the AWS credentials had read/write access to a total of 88 S3 buckets.

The implications of this exposure were significant, as these 88 buckets contained a staggering 10,073,444 files, amounting to a total of 5.5 Terabytes of data being exposed.

Amazon S3 bucket exposure leaking sensitive information

These S3 buckets were initially deployed to host various files and data generated from projects. Upon further investigation, our team discovered that these buckets contained a wide range of sensitive data, including application source code, backup files, user reports, test artifacts, user uploads, logs, WordPress backups, user certificates, config files, credential files, and more.

The exposure of such data can have serious implications, as it can provide attackers with access to additional credentials such as database hostnames, passwords, and tokens, allowing them to potentially branch out into the running infrastructure and carry out further attacks.

The researchers were further able to access the database using the plain text password mentioned in the database configuration file.

Sensitive data uncovered on database

Read more about this issue in this report: Mobile Apps Exposing AWS Keys Affect 100M+ Users’ Data 

8. Slack Webhook: Bug bounty hunters can also look for Slack webhooks. A leaked webhook lets a threat actor send arbitrary messages to the discovered hook, create a Slack app, and allow public installation of that app.

Commands showing how threat actors can exploit a leaked webhook to send Slack messages

9. Discovering Hardcoded Algolia API Key: Algolia’s API enables developers to implement search, discovery, and recommendations within websites, mobile, and voice applications. It is used by over 11,000 companies. Misuse of the keys can result in reading and modifying users’ personal information, accessing IP addresses, and other sensitive details. CloudSEK researchers discovered that 32 out of 1550 applications contained a total of 57 unique API keys.

The search-only key is usable for search queries and sending data to the Insights API

Valid Response From Server

Read more about this issue in this report: Hardcoded Algolia API Keys Could be Exploited by Threat Actors to Steal Millions of Users’ Data

10. Hardcoded Email Service Keys: In another recent report, our researchers discovered that 50% of the 600 analyzed apps leaked API keys of three popular transactional and marketing email service providers: Mailgun, Mailchimp, and SendGrid. With these keys they could read, send and delete emails, retrieve IP addresses, and more.

Screenshot of the email received from the MailGun API key

Read more about this issue in this report: https://cloudsek.com/whitepapers-reports/hardcoded-api-keys-of-email-marketing-services-puts-54m-mobile-app-users-at-risk
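The Strings section described in Step 3 surfaces exactly the token types walked through in approaches 1 to 10 above. The following scanner is an added example, not BeVigil's code, of the detection logic a researcher or an app's own CI pipeline can run over extracted strings: it matches the publicly documented token formats for each provider named on this page (assumption: the vendors' prefixes have not changed since this post), records where each one was found, and masks credential values so the report itself does not leak them. The sample strings are constructed placeholders (the AWS key is the one from AWS's own documentation), not real credentials.

```python
import re
from dataclasses import dataclass

# Documented token formats for the secret types discussed on this page.
# Algolia and Twitter keys are plain hex/alphanumeric and need context
# (variable names) to spot reliably, so they are left out of a pure-regex pass.
SECRET_PATTERNS = {
    "aws_access_key_id":     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat":            re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "shopify_access_token":  re.compile(r"\bshp(?:at|ca|pa|ss)_[0-9a-fA-F]{32}\b"),
    "slack_webhook":         re.compile(r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
    "sendgrid_api_key":      re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    "mailgun_api_key":       re.compile(r"\bkey-[0-9a-zA-Z]{32}\b"),
    "firebase_database_url": re.compile(r"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)"),
    "s3_bucket_url":         re.compile(r"https://[a-z0-9.-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),  # virtual-hosted style only
    "heroku_app_url":        re.compile(r"https?://[a-z0-9-]+\.herokuapp\.com"),
}

# Rough triage order: a credential is worse than a URL that still has to be
# checked for misconfiguration.
SEVERITY = {
    "aws_access_key_id": "critical", "github_pat": "high", "shopify_access_token": "high",
    "sendgrid_api_key": "high", "mailgun_api_key": "high", "slack_webhook": "medium",
    "firebase_database_url": "needs-check", "s3_bucket_url": "needs-check", "heroku_app_url": "needs-check",
}
CREDENTIAL_KINDS = {k for k, v in SEVERITY.items() if v != "needs-check"}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    line_no: int
    severity: str


def redact(value: str, keep: int = 4) -> str:
    """Keep only the first and last few characters, enough to identify the key."""
    if len(value) <= keep * 2:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep * 2) + value[-keep:]


def scan_strings(text: str) -> list[Finding]:
    """Run every pattern over every line; one Finding per match."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, match.group(0), line_no, SEVERITY[kind]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a quick view of what an app exposes."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def report_lines(findings: list[Finding]) -> list[str]:
    """Human-readable lines with credentials masked and URLs shown in full."""
    lines = []
    for f in sorted(findings, key=lambda f: f.line_no):
        shown = redact(f.value) if f.kind in CREDENTIAL_KINDS else f.value
        lines.append(f"line {f.line_no}: {f.kind} [{f.severity}] {shown}")
    return lines


# Constructed sample, in the spirit of what the Strings section lists.
# Every value is a placeholder; none is a working credential.
SAMPLE_STRINGS = "\n".join([
    "aws_key=AKIAIOSFODNN7EXAMPLE",
    "github_token=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij",
    "shopify=shpat_0123456789abcdef0123456789abcdef",
    "slack=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
    "sendgrid=SG." + "a" * 22 + "." + "b" * 43,
    "mailgun=key-" + "0123456789abcdef" * 2,
    "firebase=https://example-app-12345.firebaseio.com",
    "bucket=https://example-uploads.s3.ap-south-1.amazonaws.com/",
    "heroku=https://example-api-staging.herokuapp.com",
    "app_version=3.14.1",
])


if __name__ == "__main__":
    results = scan_strings(SAMPLE_STRINGS)
    print(summarize(results))
    print("\n".join(report_lines(results)))
```

The "needs-check" severity is deliberate: a Firebase, S3 or Heroku URL in an app is only a lead until the resource is verified to be misconfigured, whereas a live access key is a finding on its own.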

Step-by-Step Guide to BeVigil OSINT API

As mentioned in the introduction, BeVigil offers a comprehensive BeVigil OSINT tool for CLI, equipped with advanced features that simplify the process of identifying security vulnerabilities. This functionality-rich platform empowers users to automate and optimize their workflows, making vulnerability identification more efficient and effective. A free account gives you 50 credits to try the product without spending a dime.

List of commands that you can perform using the CLI:

  • Request hosts present in an Android package
  • Request packages associated with a domain/subdomain
  • Request params associated with an Android package
  • Request S3 buckets associated with a package or a keyword
  • Request subdomains associated with a domain
  • Request URLs associated with a domain
  • Request a wordlist for a package

To get started, all you need to do is install the Python library from our GitHub repository and activate it by using the API Key found on your BeVigil account. It's a quick and easy process that will allow you to begin utilizing the full range of features offered by BeVigil.

Easy installation guide for BeVigil CLI


S3 Buckets 

To start, let’s query for S3 buckets using the Urban Company package name. The package name can be gathered from BeVigil or the Play Store.

List of S3 buckets associated with the Android package

Now, as a researcher, you just need to identify which of these S3 buckets are misconfigured and review what they expose. You might look for sensitive information such as customer or client PII or payment details.

Host List

To request all the hostnames extracted from an Android package, you can use the following command:

Hostnames extracted from the Android package

Once you have a list of hosts, you can start exploring internal domains or APIs to identify potential vulnerabilities. By chaining together multiple vulnerabilities, you can maximize the impact of your findings and better protect the target systems.
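Before exploring a host list like the one returned above, a researcher has to decide which hosts the program actually authorises testing on and which are cloud tenants that need an ownership and configuration check of the kind described in the S3, Firebase and Heroku approaches earlier. This triage helper is an added example, not part of BeVigil's CLI: it takes a list of hostnames (constructed here, in the shape the hosts command returns) and a constructed scope in the form HackerOne programs list it, and sorts the hosts into in-scope, explicitly excluded, third-party cloud, IP literal and unrelated buckets. The program domains are placeholders; the wildcard handling assumes a `*.domain` entry covers subdomains only, so the apex is listed explicitly.

```python
import ipaddress
from collections import defaultdict

# Constructed program scope (placeholder domains). An explicit exclusion
# always wins over a wildcard include.
SCOPE = {
    "in_scope": ["*.example-program.com", "example-program.com", "api.example-program.io"],
    "out_of_scope": ["blog.example-program.com"],
}

# Hosts under these suffixes are SaaS/cloud tenants, not the program's own
# servers: the interesting question is whether the tenant is misconfigured,
# and ownership must be confirmed before anything is reported.
THIRD_PARTY_SUFFIXES = {
    ".firebaseio.com": "Firebase Realtime Database",
    ".firebasedatabase.app": "Firebase Realtime Database",
    ".amazonaws.com": "AWS (S3 or other service)",
    ".herokuapp.com": "Heroku app",
}


def matches(host: str, pattern: str) -> bool:
    """Case-insensitive scope match; '*.x' covers subdomains of x, not x itself."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


def third_party_label(host: str):
    for suffix, label in THIRD_PARTY_SUFFIXES.items():
        if host.endswith(suffix):
            return label
    return None


def triage_hosts(hosts, scope) -> dict:
    """Deduplicate, normalise, and bucket every host from an extraction."""
    buckets = defaultdict(list)
    unique = sorted({h.strip().lower().rstrip(".") for h in hosts if h.strip()})
    for host in unique:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            buckets["ip_literal"].append((host, "private" if ip.is_private else "public"))
        elif any(matches(host, p) for p in scope["out_of_scope"]):
            buckets["out_of_scope"].append(host)
        elif (label := third_party_label(host)) is not None:
            buckets["third_party"].append((host, label))
        elif any(matches(host, p) for p in scope["in_scope"]):
            buckets["in_scope"].append(host)
        else:
            buckets["unrelated"].append(host)
    return dict(buckets)


# Constructed sample output of a hosts query; placeholders only.
SAMPLE_HOSTS = [
    "api.example-program.com",
    "staging-api.example-program.com",
    "example-program.com",
    "blog.example-program.com",
    "example-uploads.s3.ap-south-1.amazonaws.com",
    "example-app-12345.firebaseio.com",
    "example-api-staging.herokuapp.com",
    "fonts.googleapis.com",
    "10.0.0.5",
    "API.EXAMPLE-PROGRAM.COM",  # same host, different case: collapsed
]


if __name__ == "__main__":
    for bucket, entries in triage_hosts(SAMPLE_HOSTS, SCOPE).items():
        print(bucket)
        for entry in entries:
            print("  ", entry)
```

A private IP literal in a host list is itself worth noting in a report: it usually means a development or staging endpoint was compiled into the production build.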


Now you can integrate BeVigil’s OSINT API into your application by following our easy-to-set-up guide. You can further explore the BeVigil API at https://osint.bevigil.com/.



In this blog post, we explored how BeVigil can significantly enhance the capabilities of security researchers, allowing them to identify potential vulnerabilities and improve the overall security of mobile applications. With the vast array of features available in BeVigil, researchers have limitless opportunities to improve their research and uncover critical security issues.

