Thursday, 20 February 2020

Bug bounty scam program

I think now it's time to finally write a few words about the one 'bug bounty' program I had a 'pleasure' to try. Today we will talk about the HackerOne platform. Below are a few details about why (in my opinion) this is a scam. Here we go...
We will start here:


As you can see on the banner, it SHOULD BE 'the most trusted hacker-powered security platform'.

But my question is: trusted by who? We will get back to that.

So, the story started yesterday: I decided to sit back again with the H1 platform and find a target to get some cash. After a while of searching, I used this one target as a warmup:


Not so many 'bugs found' so it should be easier to find one during my 'research'.

After a while I found a nice classic XSS bug in a search form:



An H1 ;) tag was added to the request; the response looks like this:


When I saw that the H1 HTML tag was working, I decided to check some JS-based payloads, for example:


Results presented on the screen below:


Cool, isn't it? So it was time to create another new ticket on the HackerOne platform.
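The bug class described above (a search parameter reflected into the page as live markup), as an added example that is not code from the post or from the target: a vulnerable handler beside its fixed version, plus a small regression check a defender can keep in a test suite. The handler names, the sample query string and the `<h1>` probe are constructed for illustration.

```python
import html
from urllib.parse import parse_qs


def render_results_vulnerable(query_string: str) -> str:
    """Search page that echoes the 'q' parameter straight into HTML.

    A query such as q=<h1>test</h1> comes back as live markup, which is
    the reflected XSS pattern the post describes.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def render_results_fixed(query_string: str) -> str:
    """Same page with output encoding for an HTML text context.

    html.escape() turns < > & and quotes into entities, so the browser
    renders the text of the tag instead of interpreting it.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def reflects_markup(page: str, probe: str = "<h1>") -> bool:
    """Regression check: does the raw probe tag survive into the page?"""
    return probe in page


if __name__ == "__main__":
    # Constructed sample request (URL-encoded), not the post's real traffic.
    qs = "q=%3Ch1%3Ebounty%3C%2Fh1%3E&page=1"
    for name, fn in (("vulnerable", render_results_vulnerable),
                     ("fixed", render_results_fixed)):
        page = fn(qs)
        print(f"{name:10s} reflects <h1>: {reflects_markup(page)}  -> {page}")
```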

Done (png also attached to this post + request in TXT file attached to the ticket):


I stopped here to see how HackerOne would handle my ticket this time. In the meantime (read: today) I tried to recreate the PoC again - and guess what? ;) It's fixed! So when I got back to my place, I decided to check the answers (hopefully with the bounty) from the HackerOne Team... This is what I received:


Wait... WHAT? :D

"How to find the vulnerable functionality"?! xD I mean, who is working there? Who is reading the tickets? Anyone who even tries to check OWASP? Or is this a platform to 'give us your bug, we'll fix it and we'll close your ticket with some weird description as an answer'?

Let me guess:



So when I received 'answers' like those on the screens above, I decided that it is pointless to even try to get any legal cash from the HackerOne platform. This is a scam to get your bugs and not pay you.

My heroes are: user retina and definitely user nasr0x01.

...and as I see, I'm not the only one scammed:


So after all of this, I think it's a good idea to not be a part of the HackerOne platform anymore.

It's a pointless waste of time (even if you think you will "help someone"). ;)


All tickets closed with the same answer. So now you know why I'm not participating in 'all the bug bounty programs'. Simply - I don't trust them anymore.

Summary: avoid HackerOne. In my opinion it's a platform to get the cash from you. Not for you. ;)

Take care!

See you next time.

Cheers
