From a6d3e3c1d569559fb5cd3b7a0e5df903edd0d8d8 Mon Sep 17 00:00:00 2001 From: lain Date: Sun, 12 Apr 2026 20:19:05 -0400 Subject: [PATCH] Add readme.MD --- readme.MD | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 readme.MD diff --git a/readme.MD b/readme.MD new file mode 100644 index 0000000..8026a51 --- /dev/null +++ b/readme.MD @@ -0,0 +1,17 @@ +# Paddle Session Replay — Bug Bounty PoC + +> Research use only. Test against your own account. + +## What it does +Demonstrates that `paddle_session_vendor` is the sole auth token on +`vendors.paddle.com/dashboard/api/userinfo` with no IP/UA/device binding. + +## Install +pip install requests rich + +## Usage +python exploit.py +# paste your paddle_session_vendor token when prompted + +## Findings +See report.md for full vulnerability writeup. \ No newline at end of file
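Review bot: In the Usage section, the line `# paste your paddle_session_vendor token when prompted` sits outside any code fence, so Markdown will render it as a top-level heading rather than as a shell comment. The `pip install requests rich` and `python exploit.py` lines are likewise unfenced and will render as plain paragraph text. Wrap the Install and Usage commands in fenced code blocks. The README also asks the reader to paste what it describes as the sole auth token, but does not say whether `exploit.py` echoes, logs or writes that value to disk. State that under Usage, and tell the tester to log out of the session once the test is done so the pasted token stops being valid. Smaller points: the install line pins no versions, so a requirements file with pinned `requests` and `rich` would make the PoC reproducible. The patch creates only `readme.MD`, so confirm that the `exploit.py` and `report.md` it refers to are already in the tree or arrive in the same series. The file ends without a trailing newline.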