Was wondering: I understand a Bugcrowd-managed bug bounty to mean all interactions with the application are fully logged and verifiable by Bugcrowd? (I stand to be corrected.)
By this I mean audit trails, timestamps and other related activity by registered researchers on a bounty.
I would expect that this is done to keep researchers honest and also to provide last-resort forensics on a submission.
Tearing my hair out on something, and closure would be nice.
Just wondering if this is the case.
Hey @ph03n1x, we don’t log any of the work you’re doing to find bugs. We do have access to your submissions on Bugcrowd, and we can get involved with a submission if a customer requests our help or if you reach out to our support.
What kind of stuff are you looking for to be audited?
Here goes. Let’s say a bug was submitted and a Bugcrowd analyst engages you on it.
According to the guidelines of the particular bounty, a researcher may only create an account on the target using his/her Bugcrowd ID.
Now, Bugcrowd analysts are extremely helpful, but oddly hard-nosed (great combination, by the way :grinning:). He takes a look at the submission and, after a few lines of chat, he goes “show me with another account”.
The thing is, only one account is permitted; I can’t open another, and I dare not come out from under the Bugcrowd cover. During our chat, while I’m poking around, suddenly another bug comes up, which surprises the hell out of me.
I submit a separate issue, and I’m engaged; sometime during this he says “please provide an account to test what you say happened” and we are back to the top of the loop.
I’m doing everything I can to convince the analyst that what I said is exactly what happened, everything but sending my parents’ wedding pictures :grin:, but he says no dice.
Now, I want to get to the bottom of this too; great learning experience. So if it’s a Bugcrowd-managed bounty and Crowd Control is in full effect, I was just wondering if he couldn’t take a look under the hood and just follow the activities done against my ID on the target to verify my point, or prove me wrong at least.
Can’t divulge details of the target or submission; I’m sure you understand :wink:
We don’t keep records of the actions you take against a target (e.g. HTTP requests you’ve made, responses you’ve received).
The customer may have those logs (or may not…) depending on their set-up.
In this case, I’d suggest explaining to the analyst that you only have one set of credentials and asking how to proceed, or maybe @samhouston can help further when he’s back at work!