commit a6d3e3c1d569559fb5cd3b7a0e5df903edd0d8d8 Author: lain Date: Sun Apr 12 20:19:05 2026 -0400 Add readme.MD diff --git a/readme.MD b/readme.MD new file mode 100644 index 0000000..8026a51 --- /dev/null +++ b/readme.MD @@ -0,0 +1,17 @@ +# Paddle Session Replay — Bug Bounty PoC + +> Research use only. Test against your own account. + +## What it does +Demonstrates that `paddle_session_vendor` is the sole auth token on +`vendors.paddle.com/dashboard/api/userinfo` with no IP/UA/device binding. + +## Install +pip install requests rich + +## Usage +python exploit.py +# paste your paddle_session_vendor token when prompted + +## Findings +See report.md for full vulnerability writeup. \ No newline at end of file
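Review bot: In the `## Usage` section the line `+# paste your paddle_session_vendor token when prompted` is not inside a code fence, so Markdown renders it as a top-level heading, and the commands `pip install requests rich` and `python exploit.py` render as ordinary paragraph text. Wrap the Install and Usage commands in fenced blocks so the comment stays a shell comment and the commands can be copied as written. The install line is also unpinned; a `requirements.txt` with fixed versions of `requests` and `rich` would make the PoC reproducible for whoever triages the report. The "What it does" text states the cookie has "no IP/UA/device binding" but the readme does not say what the script checks or what output indicates the finding, and it points to `report.md`, which this commit does not add; either include that file here or summarise the expected output in the readme. Since the tool prompts for a live session token, state in the readme whether the token is written to disk or echoed to the terminal. Finally, the file ends without a trailing newline (`\ No newline at end of file`); add one.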