22-25 April 2026

MSSQL Threat Hunting: Paid to Break It - A $100K+ Bug Bounty Journey

Proposed session for SQLBits 2026

TL;DR

This session tells the story of hunting MSSQL flaws across cloud platforms: breaking things legally, getting into trouble with vendors who didn't much like it, and getting paid for it. In this presentation I'll cover some of the vulnerabilities I found and discuss the ethical line between research and exploitation, and what real-world bug bounty hunting looks like.

Session Details

A deep dive into how MSSQL behaves under real-world attack conditions, especially inside managed cloud platforms where trust boundaries are often misunderstood. In this session, I’ll share the journey of threat hunting MSSQL across major cloud providers, uncovering vulnerabilities that allowed privilege escalation and sensitive data exposure, ultimately resulting in more than $100K in bug bounty rewards.
The talk walks through how seemingly "safe" roles, features, and automation mechanisms, such as Agent jobs, replication, triggers, cross-database access and system procedures, can become powerful escalation vectors when combined in the right way. I'll discuss how attackers exploit design assumptions to move from limited access to full control, both in on-prem and managed cloud environments.
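To make the classes of vector named above concrete, here is an added T-SQL enumeration script that is not part of the session or the speaker's material. It queries only standard SQL Server catalog views to list the configuration that typically turns these features into escalation paths: TRUSTWORTHY databases owned by sysadmin logins, server-level IMPERSONATE grants, Agent job steps that shell out or switch context, server-scoped triggers, linked servers with a fixed remote login mapped to every local login, and instance features such as xp_cmdshell. The "suspicious" filters (subsystem names, LIKE patterns, configuration names) are the editor's own choices, not findings from the talk. The msdb/Agent section only applies where SQL Agent exists (on-prem and Azure SQL Managed Instance, not Azure SQL Database).

```sql
-- Added example: enumerate the MSSQL features that commonly become privilege
-- escalation vectors. Uses only standard catalog views; run as a login that
-- can read sys.* and msdb (e.g. a DBA doing a review).

-- 1. TRUSTWORTHY databases owned by a sysadmin: a db_owner member of such a
--    database can reach sysadmin via modules created WITH EXECUTE AS OWNER.
SELECT d.name,
       SUSER_SNAME(d.owner_sid)                                 AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))   AS owner_is_sysadmin,
       d.is_db_chaining_on                                      AS cross_db_chaining
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';   -- msdb is TRUSTWORTHY by design; review its db_owner members separately

-- 2. Server-level IMPERSONATE grants: the grantee can become the target login.
SELECT grantee.name  AS grantee,
       target.name   AS can_impersonate,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.class = 101                      -- 101 = server principal
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W');             -- GRANT / GRANT WITH GRANT OPTION

-- 3. Agent jobs: who owns them, which proxy they run under, and steps that
--    execute OS commands or change execution context. Job steps run in the
--    owner's context (or the proxy's), so a low-privilege job owner plus a
--    privileged proxy is an escalation path. (Requires SQL Agent / msdb.)
SELECT j.name                  AS job,
       SUSER_SNAME(j.owner_sid) AS owner_login,
       j.enabled,
       s.step_id,
       s.subsystem,
       pr.name                 AS proxy,
       s.command
FROM msdb.dbo.sysjobs      AS j
JOIN msdb.dbo.sysjobsteps  AS s  ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysproxies AS pr ON pr.proxy_id = s.proxy_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%EXECUTE AS%';

-- 4. Server-scoped (logon / DDL) triggers fire in the context of the login
--    that triggered them, including sysadmin logins.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_triggers;

-- 5. Linked servers whose default mapping (local_principal_id = 0) sends every
--    local login to the same remote login: anyone here inherits that identity.
SELECT s.name                AS linked_server,
       s.data_source,
       ll.remote_name,
       ll.uses_self_credential
FROM sys.servers       AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
  AND ll.local_principal_id = 0;

-- 6. Instance features that turn SQL access into OS access.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'clr enabled', 'clr strict security');
```

None of these rows is a vulnerability on its own; the point of the talk is the combination (for example, a job owned by a low-privilege login whose step runs under a proxy holding a sysadmin credential, or db_owner on a TRUSTWORTHY database owned by sa). Use the output as the starting list of combinations to reason about.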
Beyond the technical findings, this session also covers what real-world bug bounty hunting looks like: dealing with providers who don't always agree with your conclusions, and navigating the ethical line between research and exploitation.

3 things you'll get out of this session

• Understand how MSSQL behaves under real-world attack conditions in both on-prem and managed cloud environments
• Recognize how commonly trusted roles, features, and automation paths can be abused to enable privilege escalation and data exposure
• Gain insight into the realities of bug bounty hunting, including disclosure challenges and ethical boundaries