I would love to get your feedback and get a discussion going around this question:
What would you like to ask Bug Bounty customer companies? (aka the companies that have bug bounties on their product, sites, services, etc)
If you could connect directly with the companies that run Bug Bounty programs on their products, what would you ask them?
I honestly want to know more about the battles with their legal departments and how they make them understand why bug bounties are beneficial to them.
Also, the reason and thought process behind why some companies only have a responsible disclosure policy instead of a bug bounty would be interesting (excluding new startups or smaller companies that might not be able to afford it).
2 Likes
What I want to know with all bounties, whether Bugcrowd-run or not, is “Who am I communicating with?”. In the past I’ve been able to analyze the writing styles and pinpoint certain Bugcrowd members. Knowing this helps me know what technical skill the person has and the logic behind their behavior.
A question for some bounty programs is “Why in the world did you mark that bug invalid?”. The only public Bugcrowd bounty I found quite unpleasant to work with was Fastmail. A private bounty was recently unpleasant, until Bugcrowd intervened and made it pleasant. My hat goes off to the Bugcrowd team.
1 Like
Sorry to reply to an old thread @zombiehacker =P
We really try and emphasize respecting the researchers, both their time and communications around bugs. If you have any communications problems with a self managed bounty (or any bounty really), feel free to email support@bugcrowd.com, we all monitor that inbox.
In what ways could we better prepare clients in the future?
I know some bugs are complex at first glance and write-ups are sometimes sped through to try and get the bug “in” first. I usually follow up on bugs with requests for videos, proof-of-concept exploits, and more description of the impact of the bug.
@jhaddix, I am sending my reply privately.
I would ask the following:
- Why is the scope so unclear? It is fun to find all your subdomains, especially when I am the one finding them before other testers, but it is in your best interest to specify all the sites I should target. Again, black box testing is fun but not always the best solution for you.
- Can I have a privileged account for X site? Many times vulnerabilities are found where only privileged users have access. I am not talking about admin accounts but something just above the standard user. In some tests where I was given a privileged account, I found some pretty bad vulnerabilities (stored XSS when a standard user sends a specific payload; CSRF; SQLi; shell upload; RCE).
- Can I try to brute-force the password for the following standard accounts and staff accounts? Yes, I understand it is risky, but you should understand that your password policy is bad and you don’t have a lockout policy. I play by the rules and don’t try easy combinations of accounts such as admin, root, admin@site.com, test, test@site.com, but that doesn’t mean that malicious users won’t try. If your password policy allows 6-character passwords and you have 100 staff members, I am pretty sure I can find at least one account with a very weak password.
1 Like
This is more of a comment than a question, but relevant to the scope discussion above -
I keep running into subdomains that fall within the advertised scope of a bounty, but are clearly out of scope (e.g. “files.company.com” = Google Drive, etc.). That example is fairly obvious, but many are not.
I wish there were a process for getting the scope updated. Seems like that would be pretty easy. I did try to notify one company via a vuln write-up and received an “out of scope” reply (oh, the irony…).
If customers don’t update their bounties, maybe we can have a forum topic to share this data with other researchers and keep us all out of trouble? Forum topic “Out of Scope Systems” (and provide the reasoning).
Food for thought.
~G.