My First High-Severity Bug: Chaining Open Redirect and DOM XSS into Account Takeover
This was my first ever valid bug bounty report through a VDP, and it got marked High severity. It was also not a duplicate, so for me this was a huge win.
One thing I had heard a lot in bug bounty is
blog.ovawatch.co.za (2 min read)
Archit Mittal
Chaining open redirect with DOM XSS is such a classic yet powerful attack vector. What makes this especially interesting is how the open redirect — often dismissed as low severity — became the entry point for a full account takeover. This is a great reminder that vulnerability chaining is where the real impact lies. Did the VDP have any specific scope limitations on redirect-based findings, or was the XSS chain what elevated it to high severity?