So recently I submitted a bounty to a company, and the exploit revolves around link expansion, where if you specify any URL it calls that URL for a preview and displays the preview.
Usually 127.0.0.1 and localhost are blocked, but the IPv6 version isn't, so I could perform SSRF.
I sent the bounty and this is the response they gave:
It seems you are supplying these urls to crawlers which are responsible for fetching external URLs to generate previews. For obvious reasons these crawlers don't have access to any internal system. The results you show don't prove an SSRF issue as your requests never travel within the corpnet.
And this is my response that I am planning on sending:
Normally, the crawlers are blocked from sending requests to localhost and 127.0.0.1, but this IPv6 bypasses that filter (you can test this by putting localhost or 127.0.0.1 in the link expansion). When the crawlers are fetching the external URL, and an internal URL is specified, wouldn't this mean that the request is being sent to that internal destination? Moreover, when ports are specified on that internal IP, the crawler is basically sending a request to that port of that internal destination; if the port is open, then the request is successful. Otherwise, it shows up as invalid.
So is the issue valid, or is it my lack of understanding?
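
Added example, not part of the original post and not the company's code: a Python comparison of a text blocklist for localhost and 127.0.0.1, which lets the IPv6 loopback through, with a check that parses the host and classifies every address it resolves to. The function names, the sample resolver and its hostnames are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

NAIVE_BLOCKLIST = {"localhost", "127.0.0.1"}  # string filter as described in the post

def naive_allows(url):
    """Hypothetical stand-in for the existing filter: compare the host as text."""
    return urlsplit(url).hostname not in NAIVE_BLOCKLIST

def is_internal(addr):
    """True for loopback, private, link-local and other non-public addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True             # unparseable address: fail closed
    # Judge an IPv4-mapped IPv6 address by the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def system_resolver(host):
    """Every address the name resolves to, IPv4 and IPv6."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def hardened_allows(url, resolver=system_resolver):
    """Allow a preview fetch only if every destination address is public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:          # malformed URL, e.g. unbalanced brackets
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        addrs = [str(ipaddress.ip_address(host))]   # host is an IP literal
    except ValueError:
        try:
            addrs = resolver(host)                  # host is a name
        except OSError:
            return False
    return bool(addrs) and not any(is_internal(a) for a in addrs)

# Constructed sample DNS data so the example runs offline.
SAMPLE_DNS = {"news.example": ["1.1.1.1"], "intranet.example": ["1.1.1.1", "::1"],
              "localhost": ["127.0.0.1", "::1"]}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("name not found")
    return SAMPLE_DNS[host]
```

Checking the first URL is not sufficient on its own: the fetcher should apply the same check to each redirect target and connect to the address that was checked rather than resolving the name again.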