Platforms like HackerOne, Bugcrowd, and Intigriti pay for reporting vulnerabilities. If you discover a site is vulnerable to credential stuffing (e.g., no rate limiting), that is a legitimate security finding. You would report it, not exploit it.
To ensure that your handling of URL logging and password security is as safe as possible, consider the following best practices: urllogpasstxt work
A password manager (Bitwarden, 1Password, LastPass, or Apple/Google's built-in managers) generates and stores for every site. Even if one log:pass pair leaks, attackers can't use it anywhere else. Platforms like HackerOne, Bugcrowd, and Intigriti pay for