Taking over Azure DevOps accounts with one click

  • Does the $3000 (USD?) bounty seem low to anyone else? Prior to reading the timeline section at the bottom of the post I would have guessed a range of 25k to 50k as a bounty for such a severe vulnerability.

  • FWIW, we've had a lot of fun doing web inventory mapping via OWASP Amass (https://github.com/OWASP/Amass): enumerate via amass -> dump into neo4j or just csv/json -> explore with jupyter/graphistry.

    A lot of bug bounties have been getting paid out this way. I can't share the details, but we did it as a graph analytics demo with a financial partner bigger than many countries, and 30min later, tickets filed. IMO every sec team > 5 people should have something like this set up.
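
    The enumerate -> graph -> explore pipeline described in that comment, reduced to the one query that finds the misconfiguration behind the linked post (a subdomain whose CNAME chain ends at a cloud host nobody owns any more). This is an added example, not code from the post, the commenter, or the Amass project. The input records are constructed inline and their field names (`name`, `cname`, `resolves`) are an assumption standing in for Amass JSON output plus a resolver pass; check them against the output of your Amass version. The suffix list is illustrative, not a complete catalogue of claimable providers.

```python
"""Flag dangling CNAMEs in a subdomain inventory graph.

Added example, not code from the thread or from Amass. In practice the
records would come from `amass enum -d example.com -json out.json` plus a
DNS resolution pass; the record shape below is an ASSUMPTION for this demo.
"""
import json
from collections import defaultdict

# CONSTRUCTED sample inventory, one JSON object per line:
#   {"name": <fqdn>, "cname": <target fqdn or null>, "resolves": <bool>}
SAMPLE_RECORDS = "\n".join(json.dumps(r) for r in [
    {"name": "www.example.com", "cname": "example.com", "resolves": True},
    {"name": "example.com", "cname": None, "resolves": True},
    {"name": "blog.example.com", "cname": "old-blog.azurewebsites.net", "resolves": False},
    {"name": "old-blog.azurewebsites.net", "cname": None, "resolves": False},
    {"name": "api.example.com", "cname": "api-edge.example.com", "resolves": True},
    {"name": "api-edge.example.com", "cname": "api-prod.trafficmanager.net", "resolves": False},
    {"name": "api-prod.trafficmanager.net", "cname": None, "resolves": False},
    {"name": "legacy.example.com", "cname": "gone.internal.example.com", "resolves": False},
    {"name": "gone.internal.example.com", "cname": None, "resolves": False},
])

# Illustrative, not exhaustive: names under these suffixes are allocated per
# tenant, so a target that no longer resolves can be re-registered by anyone,
# who then serves content (and receives mail/redirects) for the dangling name.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
)


def load_inventory(text):
    """Parse JSON-lines into a dict keyed by normalised FQDN."""
    inv = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        inv[rec["name"].lower().rstrip(".")] = rec
    return inv


def build_graph(inv):
    """Directed edges name -> CNAME target, the same edge list you would load into neo4j."""
    edges = defaultdict(list)
    for name, rec in inv.items():
        if rec.get("cname"):
            edges[name].append(rec["cname"].lower().rstrip("."))
    return edges


def terminal_of(name, edges, limit=10):
    """Follow the CNAME chain to its last hop; stop on loops or over-long chains."""
    chain = [name]
    cur = name
    while edges.get(cur) and len(chain) <= limit:
        nxt = edges[cur][0]
        if nxt in chain:  # CNAME loop; report what we have
            break
        chain.append(nxt)
        cur = nxt
    return cur, chain


def find_dangling(inv):
    """Findings for every CNAME'd name whose chain ends at a host that no longer resolves.

    `claimable` is True when that terminal host sits under a tenant-allocated
    cloud suffix, i.e. the classic subdomain-takeover precondition.
    """
    edges = build_graph(inv)
    findings = []
    for name in sorted(inv):
        if not edges.get(name):
            continue  # A/AAAA-only names cannot dangle via CNAME
        term, chain = terminal_of(name, edges)
        # A target absent from the inventory is treated as unresolved (assumption).
        term_rec = inv.get(term, {"resolves": False})
        if term_rec.get("resolves"):
            continue
        findings.append({
            "name": name,
            "target": term,
            "chain": chain,
            "claimable": term.endswith(CLAIMABLE_SUFFIXES),
        })
    return findings


def to_neo4j_csv(inv):
    """Two-column edge list in the shape `LOAD CSV WITH HEADERS` ingests."""
    rows = ["source,target"]
    for name, targets in build_graph(inv).items():
        for t in targets:
            rows.append(f"{name},{t}")
    return "\n".join(rows)


if __name__ == "__main__":
    for finding in find_dangling(load_inventory(SAMPLE_RECORDS)):
        print(finding)
```

Two design points worth keeping when you wire this to real output: walk the whole CNAME chain rather than checking only the first hop, because the claimable host is often two or three aliases away behind a CDN or traffic-manager entry (the `api.example.com` case above), and keep the non-claimable unresolved names too, since a dead internal target is still an inventory error even if it is not a takeover.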

  • That bounty is an order of magnitude smaller than it should've been. It's an account takeover defect that most anyone could fall for because of the structure of the payload URL.

  • Being awarded a bug bounty suggests that there was a bug that was fixed. But this was actually a misconfiguration, wasn't it? Any Azure account with a dangling subdomain and unrestricted reply-to is still vulnerable to this attack, correct?

  • It is kind of funny (or click-baitish) how articles with "one click" seem. From a developer's point of view, pretty much anything can be done with just one click.

  • A stupid user action is needed, so it's not a critical bug.