This case doesn’t seem very complex, except that it was my first case and it pushed me towards security as a career. It happened in 2008, when I had joined my first company as an intern. My mentor, Prof. B. V. Buddhadev, who was also a consultant to the company, had asked me to do a VAPT of the product they were developing.
Since I was a fresher in VAPT, I learned the tools myself. At that time we didn’t have easily available tools, and books were a dream. So I learned by experimenting. I learned how to use Paros proxy (on which OWASP ZAP is based), and managed to find critical vulnerabilities in session management as well as password management.
My first bug report was pretty simple and to the point. The developers first opposed the findings, but then they accepted and patched them (hopefully).