My First API Bug Bounty Bugs: GraphQL & Broken Access Control | Abraham Gonzalez

In this inspiring talk from APISECCON 2026, Abraham Gonzalez (known as pop0sec in the bug bounty community) shares his journey from Defcon 33 attendee to paid bug bounty hunter in under six months — starting with APISEC University's API Pen Testing course. Abraham walks through his first two paid bounties in detail:

Bug #1 — GraphQL Sensitive Data Exposure ($700): While testing a Fortune 500 tire retail company, Abraham found an unauthenticated GraphQL endpoint with introspection enabled. Using GraphQL Voyager to map the schema, he discovered queries returning order tracking numbers and URLs — accessible to anyone without a token. Some shipping providers expose full names and addresses alongside tracking info, making this a real privacy risk.

Bug #2 — Broken Access Control / Business Logic ($4,500): At a major national burrito chain, Abraham intercepted the API call made when adding a tip at checkout and found a discount field in the PUT request payload. By setting the discount to (total − $1), he brought an $83 order down to $1.93 — and the charge actually went through. He filed the report before 1 AM and had a payout by 10 AM.

Abraham also shares honest stats from his first six months: 3 paid bugs ($5,200 total), 5 duplicates, 6 rejections — and why that's completely normal. He closes with a message: keep going.

#BugBounty #GraphQL #BrokenAccessControl #APISecurity #HackerOne #APISECCON
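Both findings come down to the server trusting what the client sends: an order-tracking query answered without a token (and a schema exposed through introspection), and a checkout update that honoured a client-supplied discount. The following is an added example written for this summary, not code from the talk or from either company's API. It is framework-free Python so it runs offline: SESSIONS, ORDERS, PRICES and PROMOS are constructed sample data standing in for a real session store, order database, menu and promotion table. The introspection guard is a plain regex so the block has no dependencies; a real deployment would register the GraphQL library's own validation rule (graphql-core ships NoSchemaIntrospectionCustomRule) rather than pattern-match the query text.

```python
"""Server-side handling for the two finding classes described in the talk.

Added example (not the talk's or the retailers' code). All ids, tokens,
prices and promo codes below are constructed sample data.
"""
import re
from decimal import Decimal

# ---- Finding 1: introspection and order tracking without authentication ----

SESSIONS = {"tok-alice": "alice"}  # constructed: bearer token -> user id
ORDERS = {                          # constructed: order id -> owner and carrier data
    "ord-1001": {"owner": "alice", "tracking": "1Z999", "carrier_url": "https://example.invalid/t/1Z999"},
    "ord-1002": {"owner": "bob",   "tracking": "1Z888", "carrier_url": "https://example.invalid/t/1Z888"},
}
INTROSPECTION = re.compile(r"\b__(schema|type)\b")


def is_introspection_query(query: str) -> bool:
    """True if the operation touches the schema's meta fields. Gate on this in
    production; keep it open in development where tools like Voyager are useful."""
    return INTROSPECTION.search(query) is not None


def resolve_order(order_id: str, auth_header):
    """Resolver for an order(id:) query. Requires a valid session and only
    returns carrier data for an order the caller owns. Missing and foreign
    orders get the same answer so the id space cannot be enumerated by status."""
    token = (auth_header or "").replace("Bearer ", "", 1).strip()
    user = SESSIONS.get(token)
    if user is None:
        return {"status": 401, "error": "authentication required"}
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return {"status": 404, "error": "not found"}
    return {"status": 200, "tracking": order["tracking"], "carrier_url": order["carrier_url"]}


# ---- Finding 2: discount field accepted from the checkout PUT payload ------

PRICES = {"burrito": Decimal("9.50"), "chips": Decimal("3.25")}  # constructed menu
PROMOS = {"WELCOME10": Decimal("0.10")}                          # constructed server-side promo table
ALLOWED_CHECKOUT_FIELDS = {"tip", "promo_code"}                  # everything else is rejected


def update_checkout(cart: dict, payload: dict) -> dict:
    """Recompute the total from server-side prices on every update.

    The client may only send a tip and a promo code. A 'discount' or 'total'
    key is rejected with 400 rather than silently dropped, so an attempt to
    set one shows up in request logs instead of disappearing."""
    unexpected = set(payload) - ALLOWED_CHECKOUT_FIELDS
    if unexpected:
        return {"status": 400, "error": "unexpected fields: " + ", ".join(sorted(unexpected))}

    subtotal = sum((PRICES[item] * qty for item, qty in cart["items"].items()), Decimal("0.00"))
    rate = PROMOS.get(payload.get("promo_code", ""), Decimal(0))  # discount comes only from here
    discount = (subtotal * rate).quantize(Decimal("0.01"))

    tip = Decimal(str(payload.get("tip", "0"))).quantize(Decimal("0.01"))
    if tip < 0 or tip > subtotal:  # a negative tip is a discount by another name
        return {"status": 400, "error": "tip out of range"}

    total = subtotal - discount + tip
    return {"status": 200, "subtotal": str(subtotal), "discount": str(discount),
            "tip": str(tip), "total": str(total)}


if __name__ == "__main__":
    print(resolve_order("ord-1001", None))
    print(resolve_order("ord-1001", "Bearer tok-alice"))
    cart = {"items": {"burrito": 8, "chips": 2}}
    print(update_checkout(cart, {"tip": "1.00"}))
    print(update_checkout(cart, {"tip": "1.00", "discount": "81.07"}))
```

The checkout handler never reads a price, discount or total from the request: the only client-influenced inputs are a tip, which is bounded, and a promo code, which is looked up in a server-side table. Rejecting unknown keys outright (instead of ignoring them) is the detection hook: a 400 carrying the field name is easy to alert on.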