Can you find exposed secrets in bug bounty programs?

Yes. Exposed API keys, hardcoded credentials, and misconfigured secrets managers are among the most commonly reported and highest-paying bug bounty findings. Programs routinely pay critical-severity bounties for leaked cloud credentials that grant access to production infrastructure.

What tools do you need for cloud secrets testing in bug bounty?

Key tools include trufflehog and gitleaks for scanning repositories, nuclei with secrets-detection templates, httpx for probing exposed vault endpoints, cloud-specific CLIs (aws, az, gcloud) for validating discovered credentials, and custom scripts for scanning JavaScript bundles and API responses for leaked keys.

What is the most common secrets vulnerability in bug bounty?

Hardcoded API keys in public GitHub repositories and exposed in client-side JavaScript bundles are the most commonly reported secrets vulnerabilities. AWS access keys, Stripe API keys, and Firebase credentials are found most frequently because developers accidentally commit them or embed them in frontend code.

How do you validate found credentials without causing damage?

Use read-only validation methods: for AWS keys run aws sts get-caller-identity, for GCP service accounts use gcloud auth print-access-token, for API keys make a minimal GET request to a non-destructive endpoint. Never modify data, create resources, or access customer information. Document the validation method in your report.

Are secrets found in public repositories in scope for bug bounty?

It depends on the program. Many programs explicitly include leaked credentials in public repos as in-scope findings. Check the program policy — some require the secret to be currently valid and grant meaningful access. Always verify the repository belongs to the target organization before reporting.

Cloud Secrets Management Testing for Bug Bounty in 2026: How to Find Exposed Credentials, API Keys, and Misconfigured Vaults in Real Targets

Key Takeaways

Exposed cloud secrets are consistently among the highest-paying bug bounty findings — a single leaked AWS root key can earn $10,000+ bounties
Secrets leak through predictable channels: Git history, client-side JavaScript, environment files, error messages, and misconfigured vault endpoints
Automated scanning with trufflehog and gitleaks catches low-hanging fruit, but manual analysis of JavaScript bundles and API responses finds what scanners miss
Always validate credentials using read-only methods — never modify data or access customer information
Cloud-specific misconfigurations (overly permissive IAM roles, unencrypted secrets, missing rotation policies) are valid findings even when individual secrets aren't exposed

Why Cloud Secrets Management Testing Matters for Bug Bounty

Every cloud application depends on secrets — API keys, database passwords, service account credentials, encryption keys, OAuth tokens. When these secrets leak or their management infrastructure is misconfigured, attackers gain direct access to production systems without needing to exploit any application vulnerability.

In 2026, secrets exposure remains one of the most impactful vulnerability classes in bug bounty. The reason is simple: a single leaked credential often provides more access than any SQL injection or XSS chain. Programs know this, which is why exposed production credentials routinely earn critical-severity bounties.

This guide covers the complete methodology for finding secrets management vulnerabilities in bug bounty targets — from automated scanning to manual analysis of vault misconfigurations.

Understanding the Secrets Attack Surface

Before hunting for secrets, you need to understand where they live and how they leak. The attack surface breaks down into three categories:

1. Secrets in Code and Artifacts

The most common exposure vector. Secrets end up in:

Git repositories — committed directly in source code, configuration files, or .env files. Even if removed in later commits, they persist in Git history
Client-side JavaScript — API keys, Firebase configs, and service credentials embedded in frontend bundles
Docker images — secrets baked into image layers during build, visible via docker history or layer extraction
CI/CD artifacts — build logs, deployment scripts, and pipeline configurations that reference or print secrets
Mobile app binaries — API keys and backend credentials embedded in APK/IPA files

2. Secrets Management Infrastructure

Organizations use dedicated tools to manage secrets, and these tools themselves become targets:

HashiCorp Vault — exposed UI/API endpoints, misconfigured auth methods, overly permissive policies
AWS Secrets Manager / Parameter Store — IAM misconfigurations allowing unauthorized access
Azure Key Vault — misconfigured access policies, exposed management endpoints
GCP Secret Manager — overly permissive IAM bindings on secret resources
Kubernetes Secrets — base64-encoded (not encrypted) secrets accessible via misconfigured RBAC

3. Secrets in Transit

Secrets leak during runtime through:

Error messages — stack traces that include connection strings or API keys
API responses — endpoints that return configuration data including secrets
Logs — application logs exposed via misconfigured log aggregation endpoints
Environment variable dumps — debug endpoints like /env, /debug/vars, /actuator/env

Phase 1: Automated Secrets Scanning

Start every engagement with automated scanning to catch the obvious leaks. This is your baseline — it finds the low-hanging fruit that many programs still haven't addressed.

GitHub Repository Scanning

If the target has public repositories, scan them immediately:

# TruffleHog — scans entire Git history for high-entropy strings and known patterns
trufflehog github --org=target-org --only-verified

# Gitleaks — fast pattern-based scanning
gitleaks detect --source=https://github.com/target-org/repo --verbose

# Search for specific file patterns that commonly contain secrets
# .env files, config files, key files
github-dorking: "org:target-org filename:.env"
github-dorking: "org:target-org filename:credentials"
github-dorking: "org:target-org filename:secret"
github-dorking: "org:target-org extension:pem"
github-dorking: "org:target-org extension:key"

TruffleHog's --only-verified flag is critical — it actually tests discovered credentials against their respective APIs, so you only get results that are currently valid. This saves hours of manual validation.

JavaScript Bundle Analysis

Modern web applications bundle secrets into client-side JavaScript more often than you'd expect:

# Download and extract JavaScript bundles
wget -r -l 1 -A "*.js" https://target.com/

# Search for common secret patterns
grep -rn "AKIA[0-9A-Z]{16}" *.js          # AWS Access Key IDs
grep -rn "sk_live_[a-zA-Z0-9]{24}" *.js    # Stripe Live Secret Keys
grep -rn "AIza[0-9A-Za-z_-]{35}" *.js      # Google API Keys
grep -rn "ghp_[a-zA-Z0-9]{36}" *.js        # GitHub Personal Access Tokens
grep -rn "xox[bpsa]-[a-zA-Z0-9-]+" *.js    # Slack Tokens

# Use nuclei for structured scanning
nuclei -u https://target.com -t exposures/tokens/

Cloud-Specific Scanning

If you discover cloud credentials during recon, validate them safely:

# AWS — validate without making changes
aws sts get-caller-identity  # Shows account ID, user/role ARN
aws iam list-attached-user-policies --user-name $(aws iam get-user --query 'User.UserName' --output text)

# GCP — validate service account
gcloud auth activate-service-account --key-file=found-key.json
gcloud projects list  # Shows accessible projects

# Azure — validate service principal
az login --service-principal -u $APP_ID -p $SECRET --tenant $TENANT_ID
az account list  # Shows accessible subscriptions

Phase 2: Manual Secrets Discovery

Automated tools catch known patterns, but many secrets don't match standard regex patterns. Manual analysis finds what scanners miss.

Environment and Debug Endpoints

Probe for endpoints that dump configuration data:

# Spring Boot Actuator (Java applications)
/actuator/env
/actuator/configprops
/actuator/heapdump    # Memory dump — may contain secrets

# Django/Flask debug mode
/debug/
/__debug__/

# Node.js/Express
/env
/debug/vars

# PHP
/phpinfo.php          # Shows environment variables
/.env                 # Laravel/Symfony environment file

# Generic
/server-info
/server-status
/config
/configuration

Spring Boot Actuator's /actuator/env endpoint is particularly valuable — even when it masks secret values with asterisks, the key names reveal what secrets exist, and the /actuator/heapdump endpoint often contains the actual values in memory.

Error-Based Secret Extraction

Trigger errors that may reveal secrets in stack traces:

Send malformed input to database-connected endpoints — connection strings often appear in error messages
Request non-existent resources on APIs that return verbose errors
Send oversized payloads to trigger memory-related errors
Use invalid authentication tokens to trigger auth-related error messages that may reveal the expected format or backend service

API Response Analysis

Some APIs return more data than intended:

# Check user profile endpoints for leaked tokens
GET /api/v1/me
GET /api/v1/user/profile
GET /api/v1/account/settings

# Check configuration endpoints
GET /api/v1/config
GET /api/v1/settings
GET /api/v1/app/config

# Check admin endpoints (even without admin access — some leak data in 403 responses)
GET /api/v1/admin/config
GET /api/v1/internal/config

Phase 3: Secrets Management Infrastructure Testing

When targets use dedicated secrets management tools, test the infrastructure itself.

HashiCorp Vault

Vault is the most common secrets manager in production environments. Look for:

# Discover Vault endpoints
# Default ports: 8200 (HTTP), 8201 (cluster)
nmap -p 8200,8201 target.com

# Check if Vault UI is exposed
curl -s https://target.com:8200/ui/ | grep -i vault

# Check Vault health (unauthenticated)
curl -s https://target.com:8200/v1/sys/health

# Check seal status
curl -s https://target.com:8200/v1/sys/seal-status

# Test for unauthenticated access to secret paths
curl -s https://target.com:8200/v1/secret/data/test
curl -s https://target.com:8200/v1/kv/data/test

# Check if token auth allows listing
curl -s -H "X-Vault-Token: root" https://target.com:8200/v1/sys/mounts

Common Vault misconfigurations:

Development mode in production — Vault started with -dev flag, uses root token "root", stores data in memory
Overly permissive policies — policies granting path "*" { capabilities = ["read", "list"] }
Exposed UI without authentication — Vault UI accessible without login
Unsealed with default configuration — single unseal key, no auto-unseal with KMS

AWS Secrets Manager and Parameter Store

If you have any level of AWS access (even read-only), check for secrets access:

# List secrets you can access
aws secretsmanager list-secrets
aws ssm describe-parameters

# Attempt to read secret values
aws secretsmanager get-secret-value --secret-id production/database
aws ssm get-parameter --name /production/db-password --with-decryption

# Check for unencrypted SSM parameters (SecureString vs String)
aws ssm describe-parameters --query "Parameters[?Type=='String']"

Key findings to report:

Secrets stored as plaintext SSM String parameters instead of SecureString
IAM roles with secretsmanager:GetSecretValue on * resources
Missing resource-based policies on secrets
Secrets without automatic rotation configured
Cross-account access to secrets without explicit policy

Azure Key Vault

# List accessible Key Vaults
az keyvault list

# Attempt to list secrets in a vault
az keyvault secret list --vault-name target-vault

# Check access policies
az keyvault show --name target-vault --query "properties.accessPolicies"

# Look for soft-deleted secrets (recoverable)
az keyvault secret list-deleted --vault-name target-vault

Kubernetes Secrets

If you have any Kubernetes access, secrets are a prime target:

# List secrets in all namespaces
kubectl get secrets --all-namespaces

# Read a specific secret (base64-encoded, not encrypted)
kubectl get secret db-credentials -o jsonpath='{.data}' | base64 -d

# Check RBAC — can your service account read secrets?
kubectl auth can-i get secrets --all-namespaces

# Look for secrets mounted as environment variables in pods
kubectl get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{range .spec.containers[*]}{.env[*]}{"\n"}{end}{end}'

Phase 4: Git History Deep Dive

Secrets removed from the current codebase often persist in Git history. This is one of the most productive manual techniques.

# Search entire Git history for secrets
git log -p --all -S 'AKIA'           # AWS keys
git log -p --all -S 'password'       # Passwords
git log -p --all -S 'secret_key'     # Generic secrets
git log -p --all -S 'BEGIN RSA'      # Private keys

# Find deleted files that may have contained secrets
git log --diff-filter=D --summary | grep -E '\.(env|key|pem|p12|pfx|json)$'

# Check specific commits where .gitignore was modified
# (developers often add .env to .gitignore AFTER committing it)
git log -p -- .gitignore

# Extract a deleted file from history
git show <commit-hash>:path/to/.env

Phase 5: Reporting Secrets Findings

Secrets findings require careful reporting to demonstrate impact without causing harm.

Report Structure

What was found — type of secret (AWS key, database password, API token), where it was found (Git commit, JS bundle, API response)
Validation method — exactly how you confirmed the secret is valid, using only read-only operations
Access scope — what the secret grants access to (list IAM permissions, accessible resources, data exposure)
Impact — what an attacker could do with this access (data exfiltration, infrastructure compromise, lateral movement)
Remediation — rotate the secret immediately, remove from source code, implement proper secrets management

Severity Guidelines

Critical — production database credentials, cloud admin keys, secrets manager root tokens
High — API keys with write access, service account credentials, OAuth client secrets
Medium — read-only API keys, expired but recently valid credentials, internal service tokens
Low — test/development credentials, API keys for non-sensitive services, secrets management misconfigurations without direct exposure

Common Secrets Patterns by Cloud Provider

Provider	Secret Type	Pattern / Identifier
AWS	Access Key ID	`AKIA[0-9A-Z]{16}`
AWS	Secret Access Key	40-character base64 string
GCP	Service Account Key	JSON file with `type: "service_account"`
GCP	API Key	`AIza[0-9A-Za-z_-]{35}`
Azure	Storage Account Key	88-character base64 string
Azure	Connection String	`DefaultEndpointsProtocol=https;AccountName=...`
Stripe	Live Secret Key	`sk_live_[a-zA-Z0-9]{24,}`
GitHub	Personal Access Token	`ghp_[a-zA-Z0-9]{36}`
Slack	Bot/User Token	`xox[bpsa]-[a-zA-Z0-9-]+`
Firebase	Config	`apiKey` in `firebaseConfig` object

Tools Reference

Tool	Purpose	Best For
TruffleHog	Git history + live credential scanning	Verified credential discovery across repos
Gitleaks	Pattern-based secret scanning	Fast CI/CD integration, custom rules
Nuclei	Template-based vulnerability scanning	Exposed tokens in web responses
Trivy	Container and filesystem scanning	Secrets in Docker images and filesystems
KeyHacks	API key validation techniques	Verifying discovered keys are valid

Internal Links

Cloud Security Scanning Tools for AWS, GCP, and Azure — comprehensive cloud security tool comparison
API Hacking for Bug Bounty — API testing techniques that complement secrets discovery
Bug Bounty Automation Scripts and Tools — automate your secrets scanning workflow
Container Security Testing for Bug Bounty — find secrets in Docker and Kubernetes environments
Bug Bounty Methodology Guide — where secrets testing fits in your overall methodology
How to Write Bug Bounty Reports — report secrets findings effectively