Add readme.MD

readme.MD

@@ -0,0 +1,17 @@
+# Paddle Session Replay — Bug Bounty PoC
+
+> Research use only. Test against your own account.
+
+## What it does
+Demonstrates that `paddle_session_vendor` is the sole auth token on
+`vendors.paddle.com/dashboard/api/userinfo` with no IP/UA/device binding.
+
+## Install
+pip install requests rich
+
+## Usage
+python exploit.py
+# paste your paddle_session_vendor token when prompted
+
+## Findings
+See report.md for full vulnerability writeup.