Search - "bug bounty"
-
paraphrased
C: "hey, we've seen the ticket resolved with a bug bounty rewarded to you! congratulations!"
C: "we've talked about it today on our meeting and think we deserve 85% - since it was discovered by you while working on our contract and system!"
That was so bizarre to me and I was speechless for a good 10 minutes, didn't even have any witty reply afterwards.
I just cancelled the contract, reported the client to my middleman, explained it to the on-site business contact and requested that the final milestone be released, with one week's notice before it becomes a public case if it isn't released through escrow.
I'm still somewhat shocked at how greedy one can be. The whole system package I was working on had an estimated 150-300k post first-week launch (tons of existing clients merged and unified into one system, with much more paid and feature stuff etc.); the bounty I got was around 3.5k. It still hasn't sunk in.
-
Watch out for these fucking bug bounty idiots.
Some time back I got an email from one shortly after making a website live. They hadn't found anything major and had just run a simple tool that suggests security improvements from simply loading the site's landing page.
Might be useful for some people but not so much for me.
It's the same kind of security tool you can search for and run yourself; it mostly just checks things like HTTP headers. A harmless surface test. They were nice and polite, didn't demand anything, but linked to their profile, where you can give them some rep on a system that gamifies security bug hunting.
It's rendering services without being asked, like when someone washes your windscreen while you're stopped at traffic, but with no demands and no real harm done. Spammed.
I had another one recently though that was a total disgrace.
"I'm a web security Analyst. My Job is to do penetration testing in websites to make them secure."
"While testing your site I found some critical vulnerabilities (bugs) in your site which need to be mitigated."
"If you have a bug bounty program, kindly let me know where I should report those issues."
"Waiting for response."
It immediately stands out that this person is asking for pay before disclosing vulnerabilities, but this ends up being stupid on so many other levels.
The second thing that stands out is that he says he's doing a penetration test. This is illegal in most major countries. Even attempting to penetrate a system without consent is illegal.
In many cases, if it's trivial or safe, no harm no foul, but in this case I take a look at what he's sending and he's really trying to hack the site: sending all kinds of junk data, and sending things to try to inject that, if they did get through, could cause damage or expose sensitive data, such as trying SQL injections to get user data.
It doesn't matter the intent, it's breaking criminal law, and when there's the potential for damages that's serious.
It cannot be understated how unprofessional this is. Irrespective of intent, being a self-proclaimed "whitehat" or "ethical hacker", if they test this on a site and some of the commands they sent my way had worked, then that would have been a data breach.
These weren't commands to see if something was possible, they were commands to extract data. If some random person from Pakistan extracts sensitive data, then that's a breach that has to be reported and disclosed to users, with the potential for fines and other consequences.
The sad thing is, looking at the logs, he's doing it all manually. Copying and pasting extremely specific snippets into all the input boxes of hacked with nothing to do with the stack in use. He can't get that many hits that way.
-
"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," according to the report of Bleeping Computer.
Vulnerability hunter Vinoth Kumar reported it, and Starbucks later classified it as "significant information disclosure", qualifying it for a bug bounty. Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems and add or remove users with access to the internal systems.
The company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities.
-
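The Starbucks case above came down to a credential sitting in a repository file. The following added example (not code from the article, from Starbucks or from the reporter) is a minimal pre-commit style secret scanner: regex rules for the AWS access key ID format and for an explicit secret-key assignment, plus a Shannon-entropy heuristic that catches random-looking blobs no rule knows about, with every hit redacted so the report itself does not leak the value. The file contents are constructed and use the deliberately non-functional placeholder credentials from the AWS documentation; the rule set, the entropy threshold and the redaction format are this example's own choices.

```python
import math
import re
from collections import Counter

# Constructed file contents standing in for a repository checkout. The key
# values are the placeholder credentials from the AWS documentation examples,
# not working credentials; they are here only so the scanner has something to hit.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Run `make deploy` after exporting your credentials.\n",
    "src/build.txt": "BUILD_ID=0000000000000000000000000000000000000000\n",
}

# Rule name -> pattern. When a pattern has a capturing group, the group is the
# secret value; otherwise the whole match is.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.I)),
]

# Candidate blobs for the entropy check: long base64-ish runs.
TOKEN = re.compile(r"[A-Za-z0-9/+]{32,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, filler like 000... scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it without reproducing it in a report."""
    return value[:4] + "..." + value[-2:]


def find_secrets(files: dict[str, str], min_entropy: float = 4.5) -> list[dict]:
    """Scan every line of every file with the regex rules, then the entropy heuristic.
    A blob already matched by a rule is not reported a second time as high_entropy."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            matched_values = set()
            for name, pattern in RULES:
                for m in pattern.finditer(line):
                    value = m.group(1) if m.lastindex else m.group(0)
                    matched_values.add(value)
                    findings.append({"path": path, "line": lineno,
                                     "rule": name, "value": redact(value)})
            for m in TOKEN.finditer(line):
                blob = m.group(0)
                if blob in matched_values or shannon_entropy(blob) < min_entropy:
                    continue
                findings.append({"path": path, "line": lineno,
                                 "rule": "high_entropy", "value": redact(blob)})
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['rule']} {f['value']}")
```

Wired into a pre-commit hook (walk the staged files, call `find_secrets`, fail the commit on any finding), this stops the key before it reaches a remote; the entropy rule is the safety net for vendors whose key format the rules do not cover, at the price of some false positives on genuinely random non-secret data.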
Fixed a bug in code written 11 years ago.
It took 11 years for a user to find the bug.
The user must get a prize: a Bug Bounty.
My boss does not like Bug Bounties.
-
Apple paid bounty hunter 18k instead of 250k by silently tweaking their help page, so it seems like the bug is less severe.
Dear apple, I defended you from baseless and opinionated attacks just like I defend every company that is bashed for no reason, but this is some straight up bouba shit. I will still be fair when it comes to your products, still never silencing bugs and downsides and praising what deserves to be praised, but I will always mention this incident when someone asks me about _working_ at apple. That kind of ethics bs can't be silenced just because I enjoy your new arm chip.
https://thezerohack.com/apple-vulne...
-
A few days back I read an article about ethical hacking and getting rewarded through bug bounties. I thought that might be interesting.
AND
I'm about to send out my first ethical hack report to a company! I'm nervous because I don't know how they'll respond. It's an XSS vulnerability, and I really hope they'll fix it.
-
Interesting thing. Ya know how, when turning on your phone's hotspot, it has to verify that you are in fact allowed to use a hotspot? Well, if you have Unlimited Data like myself, hotspotting is not allowed. HOWEVER, if you spam the hotspot button, after several tries it gives up and lets you hotspot. THIS IS MY LITTLE TRICK. NO BUG BOUNTY. BESIDES, you'd need my carrier.
-
CEO announced a bug bounty programme for devs to do stuff in their free time for additional cash.
Cash is decided by business people based on their idea of how complex the given problem is.
And it's not for bugs one could just find and fix. Only some fixes/features decided by them.
Like a second shift.
-
Dear EU haters, it seems you have reasons to forgive the European Beast some of its sins. The EU wants to pay some coins for a bug bounty on FOSS. The list includes KeePass, VLC, PuTTY, 7-Zip and Tomcat.
https://techspot.com/news/...
-
I'm an idiot. Stack Overflow issue that I documented to a T. JavaScript. So I put in a requirement of not having jQuery or a framework.
Got a comment asking whether I know it is working. My answer: debugging. They responded with a question about debugging and some details I totally didn't read.
Well, that was the bug. Chrome debugger was showing a message I didn’t understand. So they answered my problem perfectly.
But before realizing he had answered my issue, I blew up. Of course I know what is going on. The debugger is showing me... did you even run my example?
I almost felt like giving up as a developer. Here is this awesome guy, solving my issue, and some dumbass like me has to be frustrated. Now he won’t respond to take a bounty he so awesomely deserves.
I'm still a dev. I just don't feel so professional anymore...
-
I don't know why I'm doing this, but when I go to websites that aren't mine and find that there's a bug in their site or system, I kinda happily report these bugs and issues to their email with screenshots, findings and steps to reproduce the bug.
Just recently, I went to a site and found a peculiar timeout error, even though it took less than a second to respond. Only to find that there was an undefined JavaScript variable in their code.
Is there a bug bounty for fixing code?
-
There is this thing we were able to take at college to get extra UCAS points.
At first I was like "fuck yeah, might as well, doesn't seem too hard and it's something I like so I won't be distracted".
Long story short, the website was badly designed. I got distracted. And I found out how to get admin rights over my marks (and the rest of my project), and perform an XSS injection.
Currently waiting for them to reply to my email asking about a bug bounty program.
Seriously guys, make sure you do proper server-side checks.
-
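For the rant above about getting admin rights over marks and an XSS injection, here is an added example (not the college's code, and not from the rant's author) of what "proper server-side checks" means in practice: a handler that trusts a role field sent by the browser, beside one that takes identity from the server-side session, looks the role up there, validates the mark, and escapes user-controlled text before it is rendered into HTML. The in-memory project table, the user roles, the form fields and the helper names are all assumptions made for this example.

```python
import html
from dataclasses import dataclass


@dataclass
class Project:
    owner: str
    mark: int
    comment: str = ""


# Constructed in-memory stand-ins for the college's real user and project store.
ROLES = {"student1": "student", "tutor1": "staff"}


def make_db() -> dict:
    """Fresh project table so every scenario starts from the same state."""
    return {"proj-1": Project(owner="student1", mark=55)}


def update_mark_insecure(session: dict, form: dict, db: dict) -> Project:
    """Vulnerable: the role check reads a value the browser supplied, so anyone
    who edits the form or replays the request passes it; the session is ignored."""
    if form.get("role") != "staff":
        raise PermissionError("staff only")
    project = db[form["project_id"]]
    project.mark = int(form["mark"])
    project.comment = form.get("comment", "")
    return project


def update_mark_secure(session: dict, form: dict, db: dict) -> Project:
    """Hardened: identity comes from the server-side session, the role is looked
    up server-side, and every form field is validated before it is stored."""
    user = session.get("user")
    if user is None:
        raise PermissionError("not logged in")
    if ROLES.get(user) != "staff":
        raise PermissionError(f"{user} may not change marks")
    project = db.get(form.get("project_id"))
    if project is None:
        raise KeyError("unknown project")
    try:
        mark = int(form.get("mark", ""))
    except ValueError:
        raise ValueError("mark must be an integer") from None
    if not 0 <= mark <= 100:
        raise ValueError("mark out of range")
    project.mark = mark
    project.comment = str(form.get("comment", ""))[:500]
    return project


def render_mark_row(project: Project) -> str:
    """Output side: escape user-controlled text so a comment containing markup
    is displayed as text instead of being interpreted by the browser."""
    return (f"<tr><td>{html.escape(project.owner)}</td><td>{project.mark}</td>"
            f"<td>{html.escape(project.comment)}</td></tr>")


def outcome(fn, *args) -> str:
    """Run a handler and report 'ok' or the exception type, so scenarios read as data."""
    try:
        fn(*args)
        return "ok"
    except Exception as exc:  # broad on purpose: only the type name matters here
        return type(exc).__name__


if __name__ == "__main__":
    student = {"user": "student1"}
    tampered = {"project_id": "proj-1", "mark": "100", "role": "staff"}
    print("insecure handler, student sending role=staff:",
          outcome(update_mark_insecure, student, tampered, make_db()))
    print("secure handler, same request:",
          outcome(update_mark_secure, student, tampered, make_db()))
```

The difference is where the trust boundary sits: in the secure version nothing the client sends decides who they are or what they may do, and the output escaping means the stored comment cannot become a script in the next person's browser even if validation on the way in is later relaxed.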
For those who are wondering what software is bug free, here is the answer:
TeX is bug free and has a bounty for finding bugs.
-
Hey everyone,
I am trying to become a bug bounty hunter on HackerOne. Any tips? I am unable to find bugs.😂