I am using this thread because I need a little help. Is there any mechanism available on Bugcrowd so that we can ask someone to re-check our report?
I am asking this because I asked on a programme, and if I am able to provide more info, then they will recheck this issue. I have provided the relevant info in the report thread.
But I didn't get any reply, and about 4 days have passed.
Hi @ghostin! Yes, email support@bugcrowd.com and include the Bug ID # in the email. Our team will check the submission for you and help you with any questions or concerns.
In instances where exposed credentials are found, are we expected to test them on a site/app without sending them over a secure, tunneled connection like a VPN? I ask this because, aside from wanting to respect the expected standards in the workflow of this platform and the very nature of the work itself, which involves companies lending themselves to testing by unknown and in some cases unverified pen testers, my concern stems primarily from bug bounty videos where narrators have stated not to spam credentials at a site because it's frowned upon by the owner of the site and, more directly, your IP may be blacklisted for some time.
Do I practice limitation and leave success to a game of chance, in that I don't test every cred pair from an outdated (dev environment or old site build) set but instead hand-pick a few? If I take the proactive measure of using anonymizing services, assuming that isn't frowned upon, wouldn't this raise unnecessary alerts for the company's security team when they see unauthorized attempts to log in to a function or view of an app/site using expired credentials, or logins from a non-company VPN, or perhaps from a geographic location not associated with prior logins with certain creds?
Hey @gogoPWR, thanks for the question. Are you coming from a pentest background?
The reason I'm asking is we tend to get these sorts of questions from pentesting folks, which I really appreciate. It is a weird thing to hack on a customer from an unknown IP and to do so whenever you want.
What some folks do to avoid IP bans/WAFs penalizing their home IP range is do some of their testing/recon/etc. via an external box hosted elsewhere. DigitalOcean is one of the better hosts in this realm, as far as I can tell - https://www.digitalocean.com/pricing/
Hi @samhouston, thank you for the rapid response to my question.
To answer yours, I do not come from pentest or another profession with a similar background. I am a newbie and am fascinated by crowdsourced web app assessment platforms like Bugcrowd. I've been watching videos from experienced former and current pentest individuals moonlighting as bug bounty hunters, and from full-time bug hunters, and this concern has been addressed in the videos as the individuals have experienced it themselves. What hasn't been touched on, however, is your answer.
I will consider external VM hosting as a primer in my workflows.
Thanks for your help!
So if a company is participating in a bug bounty program, do I have carte blanche freedom to throw everything I have at them within their scope/conditions/rules?
Hello everyone.
I've been playing with CTFs like HackThisSite and Hack The Box for a while, and now I have decided to dive deep into bounties, but I'm still pretty much a beginner... I'm halfway through the Hacker's Handbook and I've been trying to get a bounty for a month, but no success (yet).
By now I'm pretty confident using Burp Suite and OWASP ZAP, and I'm currently learning a bit about nmap... I just watched 2 Jason Haddix videos about bug bounty methodologies and I'm a bit confused and worried about the legalities of using nmap, since nmap's documentation states that the ideal thing is having written permission to do port scanning in order to avoid legal issues...
So my question is, am I allowed to do port scanning and subdomain enumeration on a program?
I've been avoiding using it as I am not sure, and I'm relying only on passive recon methods such as Google dorks, Shodan, VirusTotal, etc...
Kind of/mostly. As long as you aren't negatively impacting the performance of the app, or spamming their contact boxes with tons of emails/payloads, etc., you should be okay. Throttle your scanner, make sure you're not disruptive, and play within the scope.
I'm sure there are exceptions, but broadly speaking you are fine running nmap and other scanners. Just make sure you've throttled them to a number of requests per second that is low impact. Be relatively conservative there, as it can sometimes be surprising what one researcher with nmap can do to some of the biggest websites out there...
This is similar to my previous post/answer: as long as you're low impact, not likely to spike up on someone's AWS graph, etc., you should be OK.
Play within the scope of the bounty and make sure to read what the program's brief says is allowed and not allowed. Read Bugcrowd's disclose.io disclosure policy (it's our bug disclosure framework) to get a good understanding of your contract with Bugcrowd and the customer... As long as you do that (play within the rules), you should be fine.
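Since "throttle your scanner" comes up in both answers above, here is an added example (not code from the thread or from Bugcrowd) of what throttling looks like in practice: the nmap options that cap the send rate, and a small token-bucket limiter for home-grown probing scripts. The nmap flag names are real options; the numeric values, the host names and the helper names are assumptions for illustration.

```python
"""Throttled probing: an added example of the "throttle your scanner" advice,
not code from the thread or from Bugcrowd.  The nmap flags used here exist in
current nmap releases; the numeric values are assumptions for a conservative scan."""
import time
from typing import Callable, Iterable, List, Tuple


def throttled_nmap_command(target: str, max_pps: int = 50, delay_ms: int = 100) -> List[str]:
    """Build an nmap argv that caps packets per second and spaces out probes.

    -T2 is nmap's "polite" timing template; --max-rate is a hard cap on packets
    sent per second; --scan-delay waits between probes to the same host;
    --max-parallelism=1 keeps only one probe outstanding at a time.
    """
    return [
        "nmap", "-T2",
        f"--max-rate={max_pps}",
        f"--scan-delay={delay_ms}ms",
        "--max-parallelism=1",
        target,
    ]


class TokenBucket:
    """Allow at most `rate` probes per second, with bursts of up to `burst`.

    `clock` is injectable so a schedule can be checked without real sleeping.
    """

    def __init__(self, rate: float, burst: int = 1,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate
        self.capacity = burst
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def reserve(self) -> float:
        """Consume one token; return how long the caller must wait before sending."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        self.tokens -= 1.0
        if self.tokens >= 0:
            return 0.0
        # Deficit: wait until enough tokens have refilled to cover it.
        return -self.tokens / self.rate


def run_throttled(targets: Iterable[str], probe: Callable[[str], None],
                  rate: float, burst: int = 1,
                  clock: Callable[[], float] = time.monotonic,
                  sleep: Callable[[float], None] = time.sleep) -> List[Tuple[str, float]]:
    """Call `probe(target)` for each target, never faster than `rate` per second.

    Returns (target, send_time) pairs so the achieved rate can be inspected.
    """
    bucket = TokenBucket(rate, burst, clock)
    sent: List[Tuple[str, float]] = []
    for target in targets:
        wait = bucket.reserve()
        if wait > 0:
            sleep(wait)
        sent.append((target, clock()))
        probe(target)
    return sent


class FakeClock:
    """Simulated clock: sleeping advances time instead of blocking (test helper)."""

    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def max_probes_per_second(sent: List[Tuple[str, float]]) -> int:
    """Worst-case number of probes that landed inside any one-second window."""
    times = sorted(t for _, t in sent)
    worst = 0
    for i, start in enumerate(times):
        worst = max(worst, sum(1 for t in times[i:] if t < start + 1.0))
    return worst


if __name__ == "__main__":
    # Constructed host list; nothing here is sent anywhere real.
    hosts = [f"10.0.0.{i}" for i in range(1, 11)]
    clock = FakeClock()
    schedule = run_throttled(hosts, lambda h: None, rate=4,
                             clock=clock.time, sleep=clock.sleep)
    print(f"10 probes at 4/s finished at t={schedule[-1][1]:.2f}s; "
          f"worst one-second window held {max_probes_per_second(schedule)} probes")
    print(" ".join(throttled_nmap_command("target.example")))
```

In a real run you would pass the real `time.monotonic` and `time.sleep` (the defaults) and a `probe` that sends the request; the fake clock only exists to show that ten probes at four per second cannot finish before 2.25 seconds and that no one-second window ever holds more than four.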
Hello, I'm new here. I'm taking a look at one of the sites listed, and I'm able to reliably cause a "500 Internal Service Error" response. Does this qualify as a bounty-worthy bug? My thinking is, presumably this error would stop execution of one of the application servers/threads. If I were malicious I could spam this and kill their website. Is that right, or anywhere close to right?
@ALittleLight - It wouldn't qualify for a bounty itself (as far as I know), but you could use it for potential OSINT gathering. Does the error also give you any info about what software the server is running, which version, etc.? That could be helpful and be used to find a vulnerability.
What you’re describing would basically be a DoS (Denial of Service), which a lot of bounty programs have as out of scope.
Hi, first of all hello to everyone. I have a question: yesterday I submitted a vulnerability about a subdomain takeover, but the problem is one of your staff replied to me and said that this is not a critical issue. I know it is critical. I found the vulnerability and reported it; the only problem is I didn't take the subdomain, I just showed them this can be done by anyone. Your staff rejected it; now what will I do?
I don't know what is going on with my bug report.
It was submitted 30 days ago.
When I contacted the Bugcrowd team at support@bugcrowd.com, they replied to me:
"Program owner isn't responding, so that's why we've escalated this program internally. We continue to monitor the situation via your other tickets.
We don't have an ETA for when an escalation will be complete. Our escalations last as long as it takes to get an answer for your researchers. We will keep an eye on Program response and provide an update once we have one."
So, my question is: will this bug report be valid or not?
It has been almost 30 days and I haven't gotten any update.
@Devlife123 - The email that support team sent is accurate. We are limited in our ability to get a customer to respond to a bug. In this sort of situation, our team monitors all of our programs and keeps track of submissions like yours. That team then works with others inside Bugcrowd in an effort to get that customer to accept and reward your bug.
Unfortunately, we don’t know how long it will take for this process to complete. I would encourage you to no longer submit bugs to that bounty/company until they reward your bugs.
Just started. First, is there some sort of age limit? Also, am I able to use the free version of Burp Suite to find vulnerabilities effectively? And are there any resources to learn from for a beginner that are known to be pretty good? If I can't use the free version of Burp Suite, then are there any other free but good suggestions for what else can be used?
Thanks for responding.
This type of bug report has happened previously in the Bugcrowd program.
So, with reference to them,
how many days or months does the validation by the company take?
Hi, this is my first question on this forum.
How do you organize information about your targets (their scope, domains, found attack vectors, progress, and so on...)?
In bug bounty there are many targets and endpoints to attack, so I want to know useful tools or methods to organize their information.