I found a major vulnerability in an RBI-registered app and was offered a job
This RBI-registered app bug is a serious one. I intercepted their APIs, and their APIs were vulnerable as hell. This app has 100k downloads and more than 50 employees. I just can't imagine how they can have such a bug. First of all, they didn't apply rate limiting to the send-OTP API, there was no rate limiting on the verify-OTP API, and the OTP itself was 4 digits. Now you can imagine what I would say. One can brute force their API easily. And then another bug: using a random token and any random number, one can generate an account. Now, with a script, one can create millions of profiles in 1–2 minutes easily, with no rate limiting on that either. And then one can place as many orders as they want. I reported this bug, and they offered me a job. Quite interesting.
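For the defensive side of the three OTP weaknesses the post describes (unlimited sends, unlimited verify attempts, 4-digit codes), here is an added example of an OTP service that closes all three; it is constructed for this page, not code from the app or the poster, and the phone number, limits and `OtpService` name are assumptions.

```python
import hmac
import secrets
import time


class OtpService:
    """In-memory OTP issuer/verifier (hypothetical example, not the app's code)."""

    OTP_DIGITS = 6         # 10^6 code space instead of the 10^4 described in the post
    TTL_SECONDS = 300      # a code is only valid for five minutes
    MAX_ATTEMPTS = 5       # after 5 wrong guesses the pending code is invalidated
    SEND_COOLDOWN = 60     # at most one OTP send per identifier per minute

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so the lockout/expiry paths are testable
        self.pending = {}       # phone -> {"code", "issued", "attempts"}
        self.last_sent = {}     # phone -> timestamp of the last send for that phone

    def send_otp(self, phone):
        """Issue a fresh code, or return None when the per-identifier send cooldown is hit."""
        now = self.clock()
        if now - self.last_sent.get(phone, float("-inf")) < self.SEND_COOLDOWN:
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(self.OTP_DIGITS))
        self.pending[phone] = {"code": code, "issued": now, "attempts": 0}
        self.last_sent[phone] = now
        return code  # in production this goes to the SMS gateway, never back to the API caller

    def verify_otp(self, phone, guess):
        """True exactly once for the right code; wrong guesses count toward invalidation."""
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.clock() - entry["issued"] > self.TTL_SECONDS:
            del self.pending[phone]          # expired codes are dropped, not compared
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], str(guess))  # constant-time comparison
        if ok or entry["attempts"] >= self.MAX_ATTEMPTS:
            del self.pending[phone]          # consume on success, invalidate after too many failures
        return ok


if __name__ == "__main__":
    svc = OtpService()
    phone = "+10000000000"                   # constructed placeholder number
    code = svc.send_otp(phone)
    print("second send within cooldown rejected:", svc.send_otp(phone) is None)
    print("correct code accepted:", svc.verify_otp(phone, code))
    print("replay of the same code rejected:", svc.verify_otp(phone, code))
```

With these limits an attacker gets at most `MAX_ATTEMPTS` guesses per issued code, so the chance of guessing a 6-digit code is 5 in a million per code, compared with certainty against an unlimited-attempt 4-digit verify endpoint.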


