Guess who just got rewarded from the Internet Fuckin Bug Bounty 😎

paraphrased

C: "hey, we've seen the ticket resolved with a bug bounty rewarded to you! congratulations!"
C: "we've talked about it today on our meeting and think we deserve 85% - since it was discovered by you while working on our contract and system!"

That was so bizarre to me and I was speechless for a good 10 minutes, didn't even have any witty reply afterwards.

I just cancelled the contract, reported the client to my middleman, explained it to the on-sight business contact and requested the final milestone to be released with one week notice until it gets to be a public case if not released through escrow.

I'm still somewhat shocked at how greedy one can be, the whole system package I was working on had estimated 150-300k post first week launch (tons of existing clients merged and unified into one system, with much more paid and feature stuff etc.), the bounty I got was around 3.5k, it still didn't sink in me.

Watch out for these fucking bug bounty idiots.

Some time back I got an email from one shortly after making a website live. Didn't find anything major and just ran a simple tool that can suggest security improvements simply loading the landing page for the site.

Might be useful for some people but not so much for me.

It's the same kind of security tool you can search for, run it and it mostly just checks things like HTTP headers. A harmless surface test. Was nice, polite and didn't demand anything but linked to their profile where you can give them some rep on a system that gamifies security bug hunting.

It's rendering services without being asked like when someone washes your windscreen while stopped at traffic but no demands and no real harm done. Spammed.

I had another one recently though that was a total disgrace.

"I'm a web security Analyst. My Job is to do penetration testing in websites to make them secure."
"While testing your site I found some critical vulnerabilities (bugs) in your site which need to be mitigated."
"If you have a bug bounty program, kindly let me know where I should report those issues."
"Waiting for response."

It immediately stands out that this person is asking for pay before disclosing vulnerabilities but this ends up being stupid on so many other levels.

The second thing that stands out is that he says he's doing a penetration test. This is illegal in most major countries. Even attempting to penetrate a system without consent is illegal.

In many cases if it's trivial or safe no harm no foul but in this case I take a look at what he's sending and he's really trying to hack the site. Sending all kinds of junk data and sending things to try to inject that if they did get through could cause damage or provide sensitive data such as trying SQL injects to get user data.

It doesn't matter the intent it's breaking criminal law and when there's the potential for damages that's serious.

It cannot be understated how unprofessional this is. Irrespective of intent, being a self proclaimed "whitehat" or "ethical hacker" if they test this on a site and some of the commands they sent my way had worked then that would have been a data breach.

These weren't commands to see if something was possible, they were commands to extract data. If some random person from Pakistan extracts sensitive data then that's a breach that has to be reported and disclosed to users with the potential for fines and other consequences.

The sad thing is looking at the logs he's doing it all manually. Copying and pasting extremely specific snippets into all the input boxes of hacked with nothing to do with the stack in use. He can't get that many hits that way.

Waiting for that stack overflow bounty

"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," according to the report of Bleeping Computer.

Vulnerability hunter Vinoth Kumar reported and later Starbucks responded it as "significant information disclosure" and qualified for a bug bounty. Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems and add or remove users with access to the internal systems.

The company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities.

CEO announced a bug bounty programme for devs to do stuff in their free time for additional cash.

Cash is decided by business people based on their idea of how complex the given problem is.

And it's not for bugs one could just find and fix. Only some fixes/features decided by them.

Like second shift.

Interesting thing. Ya know how when turning on your phones hotspot it has to verify that you are in fact allowed to use a hotspot. Well if you have Unlimited Data like myself, hotspotting is not allowed. HOWEVER, if you spam the hotspot button, it after several tries, gives up and lets you hotspot. THIS IS MY LITTLE TRICK. NO BUG BOUNTY. BESIDES, youd need my carrier.

A few days back I read an article about ethical hacking and get rewarded for bug bounty. I thought that might be interested.

AND

I'm about to send out my first ethical hack report to a company! I'm nervous because I don't know how they'll respond. It's an xss vulnerability, and I really hope they'll fix it.

Fixed a bug in a code wrote 11 years ago.
It took 11 years for a user to find a bug.
The user must have a prize: a Bug Bounty.
My Boss does not like Bug Bountis

DevRant needs a bug bounty program where they give out stress balls

I’m an idiot. Stackoverflow issue that I documented to a T. Javascript. So I put requirement of not having jquery or framework.

Get a comment about do I know it is working? My answer, debugging. They respond back with a question about debugging and some details I totally didn’t read.

Well, that was the bug. Chrome debugger was showing a message I didn’t understand. So they answered my problem perfectly.

But before realizing he answered my issue, I blew up. Of course I know what is going on. The debugger is showing me....did you even run my example?

I almost felt like giving up as a developer. Here is this awesome guy, solving my issue, and some dumbass like me has to be frustrated. Now he won’t respond to take a bounty he so awesomely deserves.

I’m still a dev. I just don’t feel so professional anymore...

I don't know why I'm doing this but when I go to websites that aren't mine and found that there's a bug in their site or system, I kinda happily report these bugs and issues to their email with screenshots, findings and steps to reproduce the bug.

Just recently, I just went to a site and found a peculiar timeout error, eventhough it was less than a second to respond back. Only to find that there was an undefined JavaScript variable in their code.

Is there a bug bounty for fixing code?

I need advice.

So let's say, hypothetically, I found a site with a user data leak.

Would it be illegal if I only told them where the leak was for a bounty?

I am NOT going to distribute the user data. I just don't want to work for free, you know?

Again: NOT DISTRIBUTING USERDATA. No blackmail. Just information that their QA should have caught.

I crafted my masterpiece question on stackoverflow yesterday, but didn't got enough attention.
However I seen already have the answer.
Should I start a bounty?

A bug bounty program, but the bounty is paid by you the dev. muhaha 😆

The fires in australia killed something like half a billion animals, and it's kind of sad, all that potential barbecue going to waste.

We have the means to solve this. With KNAWWWWLEDGE.

What we do is hook up buckets to a bunch of big ass drones and have some sort of contest to see who can put out the most acreage of fire. People will come from all over for the annual "australian fire olympics."

Shit, put a $1 million dollar bounty on "most acreage put out" stream it on twitch, youtube, netflix, you name it.

Fires would be out in a day or three.

Do you think my credit card company has a big bounty? String formatting really isn't that difficult.

Yesterday whole day ive been trying to deploy an ios app to app store from a flutter project but kept getting "module not found" in build compilation error

I thought to myself am i fucking dumb?

Or maybe i am smart but extremely UNLUCKY in life like always?

Today i googled for this error and one of the top stack overflow answers with a +50 bounty points, first sentence they answered was "this is a very bad and UNLUCKY error, after trying to solve this issue for hours i finally found the solution..."

......

...........

There is this thing we were able to take at college to get extra UCAS points.

At first I was like "fuck yeah might as well, doesn't seem too hard and its something I like so I wont be distracted"

Long story short, the website was badly designed. I got distracted. And I found out how to get admin rights over my marks (and rest of my project), and perform an xss injection.

Currently waiting for them to reply to my email asking about a bug bounty program.

Seriously guys, make sure you do proper server side checks.

If all software vendors had bug bounty programs. I'd be a billionaire by now........

First time ever I put a bounty(stackoverflow) on my question. Didn't get a satisfactory answer till the end but found out the reputation does get deducted!
Now, that I think about it, it makes sense as people might not award bounties to save their reps otherwise.

those who are wondering what is that software which is bug free, here is the ans;
tex ia bug free and has bounty to find bugs.

We need to create simple form for colection few particular people data for some bounty programme.

We have ready-made website that does similar stuff, but it was outsourced and we have compiled javascript (sidenote - im only person in this place who understands f**ng javascript but hates it deeply)

Anyway, they come to me, and say that creating this google doc will take them few minutes and it seems that editing few divs in the site and creating second one with another subdomain will do the trick.

I tell them that it will take a lot of time to reverse engeneer that compiled react.js website to change few divs. But they insist.

So we start out, I pop up the terminal, copy over site, add nginx config for it, apply SSL to it, we are already good 5-10 minutes in, first roadblock - CORS. At this point I tell them that with google form they would be already done.

What I hear?
But we will need to make again privacy policy

Me:
Can you just link privacy policy from this site?

They:
Oh... it makes it easy now.

My internal voice:
next time try to use brain....

Hey everyone,
I am trying to become a bug bounty Hunter on hackerone. Any tips? I am unable to find bugs.😂

👨‍💻 White hat

🤖❓️🤡❗️ Slack

😡😨😨😨
😨😨😨🙄 B2B clients

🤖🤡🤖🤡
🤡🤖🤡🤖
🤖🤡🤖🤡
🤡🤖🤡🤖 HackerOne

🤖 🤖 🤖
🤡🤡🤡🤡
🤡🤡 🤖 🤖
🤡🤡🤡 🤡
🤖 🤖
🤖 🤖
🤖🤖 🤖🤖 Zendesk

What does 317A7 means? Any guess! crack this name and you shall be awarded (only the first one!) with chunk of bitcoin....