One character. That's all it took to turn a routine test into a two-thousand-dollar finding.
In 2023, I was looking at a new bug bounty program. Fresh scope, unfamiliar codebase, the usual process of mapping out attack surface. I landed on one of the in-scope domains and noticed an ID parameter in the URL.
You know what comes next. Anyone who's done this work knows exactly what comes next.
I added a single quote to the parameter.
GET /product?id=123' HTTP/1.1
Host: target.example.com

The page threw an error. Not just any error, but a verbose SQL exception that included something I wasn't expecting: full database credentials. Username, password, host, database name. Everything you'd need to connect directly to the backend database.
System.Data.SqlClient.SqlException: Unclosed quotation mark after
the character string '123''.
at System.Data.SqlClient.SqlConnection.OnError(...)
Connection string: Server=[REDACTED];Database=[REDACTED];
User ID=[REDACTED];Password=[REDACTED];

At that point, the finding split into two separate issues. The SQL injection itself was one vulnerability. The credential leak in the error output was another. Both were severe enough to warrant critical severity ratings.
I documented both, wrote up the reproduction steps, explained the impact and submitted the reports. The program triaged them quickly. Both came back as Critical with a severity score of 9.8. Each was rewarded with a thousand-dollar bounty.
This is not normal. This is not what most bug bounty work looks like. Most days don't end with critical findings and four-figure payouts. Most days are reconnaissance that goes nowhere, duplicates that arrive five minutes before yours and reports that get downgraded or disputed.
I write about cases like this because they're interesting. They're the moments that make the frustration worth it. But they're outliers.
For every finding like this one, there are blank weeks. There are programs that don't respond. There are vulnerabilities that turn out to be known issues or accepted risks. There are endless hours of testing that yield nothing at all.
The single quote technique itself is basic. It's one of the first things you learn when you start testing web applications. You try to break input validation. The quote closes the string literal the application wrapped your input in: if the query still runs cleanly, the input was escaped or bound as a parameter; if the database throws a syntax error, your input reached the query as SQL. You look for places where user input isn't properly sanitized before hitting a database query. It's foundational.
What made this case different wasn't the technique. It was the error handling. Somewhere in the application stack, a developer decided that detailed error messages were more important than security. Maybe it was a debugging configuration that never got turned off. Maybe it was a framework default that nobody bothered to lock down. Whatever the reason, the result was a critical information disclosure on top of an already exploitable SQL injection.
The lesson here isn't that you should go around adding single quotes to every parameter you see. You already do that. Everyone does. The lesson is that error handling matters. Verbose error messages in production are a gift to attackers. They turn simple injection flaws into full credential compromises. Exception text and connection strings belong in server-side logs; the client should get a generic error page and nothing else.
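The two halves of the finding, the concatenated query and the debug-style error handler, side by side with the fixed versions, plus the quote probe a researcher runs against both. This is an added example, not code from the post or the target; it uses Python with an in-memory sqlite3 table standing in for the SQL Server backend, and every name, row and credential value in it is constructed for the demo.

```python
import re
import sqlite3

# Constructed stand-in for the backend connection string the post describes.
# Fake values; the point is that they must never appear in a response body.
CONN_STRING = "Server=db.internal;Database=shop;User ID=app;Password=hunter2"

# Server-side log sink for the hardened handler (stands in for a real logger).
SERVER_LOG = []


def make_db():
    """Build a constructed in-memory product table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO product VALUES (?, ?)",
                   [(123, "widget"), (124, "gadget")])
    return db


def lookup_vulnerable(db, raw_id):
    """Builds the query by string concatenation, the bug behind the finding.

    A single quote in raw_id closes the literal early, so the database
    sees a malformed (or attacker-shaped) statement instead of a value.
    """
    query = f"SELECT name FROM product WHERE id = '{raw_id}'"
    return db.execute(query).fetchall()


def lookup_safe(db, raw_id):
    """Parameterized query: the driver binds raw_id as data, never as SQL."""
    return db.execute("SELECT name FROM product WHERE id = ?", (raw_id,)).fetchall()


def handle_verbose(db, raw_id):
    """Debug-style handler: returns (status, body) with the exception text
    and the connection string in the body. This is the information leak."""
    try:
        return 200, repr(lookup_vulnerable(db, raw_id))
    except sqlite3.Error as exc:
        return 500, f"{type(exc).__name__}: {exc}\nConnection string: {CONN_STRING}"


def handle_hardened(db, raw_id):
    """Parameterized lookup plus a generic client-facing error; the detail
    goes only to the server-side log."""
    try:
        rows = lookup_safe(db, raw_id)
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"{type(exc).__name__}: {exc}")
        return 500, "An internal error occurred."
    if not rows:
        return 404, "Not found."
    return 200, rows[0][0]


# Signatures a researcher greps for in a response after sending a quote.
SQL_ERROR_PATTERNS = [r"SqlException", r"OperationalError", r"Unclosed quotation mark",
                      r"syntax error", r"unrecognized token"]
CREDENTIAL_PATTERNS = [r"Connection string", r"User ID=", r"Password="]


def probe(handler, db, value="123"):
    """The single-quote test from the post: append ' to the parameter and
    classify the response. Returns a dict a report could be written from."""
    status, body = handler(db, value + "'")
    return {
        "status": status,
        "sql_error": any(re.search(p, body, re.IGNORECASE) for p in SQL_ERROR_PATTERNS),
        "credential_leak": any(re.search(p, body) for p in CREDENTIAL_PATTERNS),
    }


if __name__ == "__main__":
    db = make_db()
    print("verbose :", probe(handle_verbose, db))
    print("hardened:", probe(handle_hardened, db))
    # The same concatenation bug also lets the WHERE clause be rewritten.
    print("injected:", lookup_vulnerable(db, "123' OR '1'='1"))
```

Run against the verbose handler, the probe reports a 500 with both a SQL error signature and a credential pattern in the body, which is exactly the pair of findings the post describes. Against the hardened handler the same input produces a plain 404, and the syntax error never happens at all because the quote is bound as data; the only thing that would ever reach the client on a real failure is the generic message, with the exception text kept in the server log.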
From a researcher's perspective, these findings are straightforward. You document the injection point, show the leaked data, explain the risk and move on. From a developer's perspective, they're embarrassing. Nobody wants to be the person who left database credentials exposed in error output.
That's the nature of this work. You find the gaps. You report them. Sometimes they're minor misconfigurations. Sometimes they're critical vulnerabilities that expose sensitive infrastructure. The difference often comes down to one small decision made months or years ago by someone who didn't think about the security implications.
Two thousand dollars for a single quote. It sounds good when you frame it that way. What it doesn't show is the hundreds of other tests that didn't work, the programs that didn't have anything interesting, the time spent learning the systems well enough to know where to look.
That's bug bounty. The highlights are great. The reality is a grind punctuated by occasional wins.
