Hello everyone 🙋‍♂️ This story goes back to my initial days in bug hunting, when I was highly motivated to find bugs, earn Hall of Fame mentions, and continuously learn. LinkedIn played a big role in pushing me forward — seeing others share valid submissions and bounties gave me the confidence to start and stay consistent.

One day, I came across multiple posts related to security findings at NASA. As a beginner, it felt intimidating because finding a bug in such a large organization seemed extremely difficult. Still, I decided to give it a try instead of overthinking. Before starting, I took help from my companion, who explained EXIF metadata and how images can unintentionally expose information such as GPS location, camera details, and device data.

While testing, I discovered an image upload feature and uploaded an image containing EXIF metadata. After extracting the uploaded image and analyzing it using an online EXIF metadata viewer, I was able to see GPS coordinates and other sensitive details. Many researchers consider EXIF metadata exposure a low-hanging fruit and often ignore it, but large organizations like NASA treat it as a valid security concern due to the real-world privacy and operational risks involved. Realizing this made the discovery even more meaningful for me as a learner.

Tool: https://jimpl.com/

A couple of days after submitting the report, I received a response stating that the issue had already been reported by another researcher and my submission was marked as a duplicate. Although it was disappointing at first, I understood the value of the journey.

In my upcoming post, I'll share how my recon -X strategy later helped me find a valid P3 vulnerability at NASA, which eventually led to a Hall of Fame recognition — a reminder that persistence, learning, and attention to "small" details truly matter.