Entries tagged as bugbounty
hackerone security serendipity sqlinjection websecurity xss 0days 27c3 addresssanitizer adguard adobe aead aes afra aiglx algorithm altushost android antivir antivirus aok apache apt asan auskunftsanspruch axfr azure badkeys barcamp bash berlin berserk bias bigbluebutton bleichenbacher blog bodensee botnetz braunschweig browser bsi bsideshn bufferoverflow bundesdatenschutzgesetz bundestrojaner bundesverfassungsgericht busby bypass c ca cacert cbc ccc cccamp11 cellular certificate cfb chcounter chrome chromium clamav clang clickjacking cloudflare cmi cms code compiz conflictofinterest cookie crash crypto cryptography csrf cve darmstadt datenschutz deb debian dell deolalikar diffiehellman dingens diploma diplomarbeit distributions dns domain drupal easterhegg edellroot eff email encryption english eplus facebook fedora fileexfiltration firefox firewall fortigate fortinet forwardsecrecy freak freesoftware freewvs frequency fsfe ftp fuzzing gajim gallery gcc gentoo ghost gimp git glibc gnupg gnutls gobi google gpg gsm gsoc gstreamer hacking hannover hash heartbleed helma http https infoleak informationdisclosure internetscan ircbot itsecurity jabber javascript jodconverter joomla karlsruhe kaspersky key keyexchange komodia leak lessig libreoffice linux luckythirteen malware maninthemiddle mantis math md5 memorysafety mephisto microsoft milleniumproblems mitm mobilephones modulobias moodle mozilla mpaa mplayer mrmcd mrmcd100b mrmcd101b multimedia mysql napster nessus netfiltersdk newspaper nist nss ntp ntpd observatory onlinedurchsuchung openbsc openbts openleaks openpgp openssl openvas osmocombb otr owncloud packagemanagement padding panda papierlos password passwordalert passwort passwörter pdo pgp phishing php pnp poodle privacy privatekey privdog protocolfilters provablesecurity pss python rand random rc2 redhat rhein rpm rsa rsapss rss s9y salinecourier schlüssel science server session sha1 sha2 sha256 sha512 shellbot shellshock sicherheit signatures slides smime snallygaster sni sniffing spam squirrelmail ssl staatsanwaltschaft stacktrace study stuttgart subdomain sunras superfish support talk taz thesis tls tlsdate toendacms transvalid überwachung ubuntu unicef unicode update updates useafterfree userdir utf-8 verschlüsselung virus vlc vortrag vulnerabilities vulnerability web webapps webmontag wiesbaden windows windowsxp wiretapping wordpress x509 xgl xine xmpp xsa zerodays zugangsdaten zzuf calendar ipv6 mod_rewrite breach content-security-policy cookies core coredump crime csp grsecurity heist samesite segfault symlink time webhosting webroot webserver okte
Monday, November 12. 2018
How my personal Bug Bounty Program turned into a Free Security Audit for the Serendipity Blog
HackerOne is currently one of the most popular bug bounty program platforms. While the usual providers of bug bounty programs are companies, w while ago I noted that some people were running bug bounty programs on Hacker One for their private projects without payouts. It made me curious, so I decided to start one with some of my private web pages in scope.
The HackerOne process requires programs to be private at first, starting with a limited number of invites. Soon after I started the program the first reports came in. Not surprisingly I got plenty of false positives, which I tried to limit by documenting the scope better in the program description. I also got plenty of web security scanner payloads via my contact form. But more to my surprise I also got a number of very high quality reports.
This blog and two other sites in scope use Serendipity (also called S9Y), a blog software written in PHP. Through the bug bounty program I got reports for an Open Redirect, an XSS in the start page, an XSS in the back end, an SQL injection in the back end and another SQL injection in the freetag plugin. All of those were legitimate vulnerabilities in Serendipity and some of them quite severe. I forwarded the reports to the Serendipity developers.
Fixes are available by now, the first round of fixes were released with Serendipity 2.1.3 and another issue got fixed in 2.1.4. The freetag plugin was updated to version 2.69. If you use Serendipity please make sure you run the latest versions.
I'm not always happy with the way the bug bounty platforms work, yet it seems they have attracted an active community of security researchers who are also willing to occasionally look at projects without financial reward. While it's questionable when large corporations run bug bounty programs without rewards, I think that it's totally fine for private projects and volunteer-run free and open source projects.
The conclusion I take from this is that likely more projects should try to make use of the bug bounty community. Essentially Serendipity got a free security audit and is more secure now. It got this through the indirection of my personal bug bounty program, but of course this could also work directly. Free software projects could start their own bug bounty program, and when it's about web applications ideally they should have have a live installation of their own product in scope.
In case you find some security issue with my web pages I welcome reports. And special thanks to Brian Carpenter (Geeknik), Julio Cesar and oreamnos for making my blog more secure.
The HackerOne process requires programs to be private at first, starting with a limited number of invites. Soon after I started the program the first reports came in. Not surprisingly I got plenty of false positives, which I tried to limit by documenting the scope better in the program description. I also got plenty of web security scanner payloads via my contact form. But more to my surprise I also got a number of very high quality reports.
This blog and two other sites in scope use Serendipity (also called S9Y), a blog software written in PHP. Through the bug bounty program I got reports for an Open Redirect, an XSS in the start page, an XSS in the back end, an SQL injection in the back end and another SQL injection in the freetag plugin. All of those were legitimate vulnerabilities in Serendipity and some of them quite severe. I forwarded the reports to the Serendipity developers.Fixes are available by now, the first round of fixes were released with Serendipity 2.1.3 and another issue got fixed in 2.1.4. The freetag plugin was updated to version 2.69. If you use Serendipity please make sure you run the latest versions.
I'm not always happy with the way the bug bounty platforms work, yet it seems they have attracted an active community of security researchers who are also willing to occasionally look at projects without financial reward. While it's questionable when large corporations run bug bounty programs without rewards, I think that it's totally fine for private projects and volunteer-run free and open source projects.
The conclusion I take from this is that likely more projects should try to make use of the bug bounty community. Essentially Serendipity got a free security audit and is more secure now. It got this through the indirection of my personal bug bounty program, but of course this could also work directly. Free software projects could start their own bug bounty program, and when it's about web applications ideally they should have have a live installation of their own product in scope.
In case you find some security issue with my web pages I welcome reports. And special thanks to Brian Carpenter (Geeknik), Julio Cesar and oreamnos for making my blog more secure.