Bitcoin Forum
Author Topic: Security bounties  (Read 100955 times)
U1TRA_L0RD
February 02, 2014, 08:41:34 PM
 #21

Hmm, JavaScript? Exploits,
tkbx
March 13, 2014, 12:41:29 PM
 #22

Do you release information about vulnerabilities once they're fixed, or is obscurity safer in this case?
rero2
March 22, 2014, 12:25:12 PM
 #23

If I find anything I will surely tell you about it.
Good luck, and hopefully there aren't many vulnerabilities.
bluefirecorp
May 24, 2014, 04:50:54 AM
 #24

This is epic. I've actually started actively looking for vulnerabilities now that I JUST found this bug bounty program.

NLNico
May 25, 2014, 04:12:30 AM
 #25

This is epic. I've actually started actively looking for vulnerabilities now that I JUST found this bug bounty program.
If you are finished with this bug bounty program, you can have a look at the 30+ other bug bounty programs that pay Bitcoins. Overview of Bug Bounty Programs for Bitcoins > https://bitcointalk.org/index.php?topic=483195.0

bluefirecorp
May 25, 2014, 08:04:54 PM
 #26

This is epic. I've actually started actively looking for vulnerabilities now that I JUST found this bug bounty program.
If you are finished with this bug bounty program, you can have a look at the 30+ other bug bounty programs that pay Bitcoins. Overview of Bug Bounty Programs for Bitcoins > https://bitcointalk.org/index.php?topic=483195.0

Neat. Thanks a lot for the link. I'll get a few of my netsec friends to take a look at the list and see if they can find anything. Everything at bitcointalk seems pretty secure from what I've tried so far.

e1ghtSpace
August 12, 2014, 10:42:00 AM
 #27

Does this count as an exploit?






<----- it has nothing to do with security but still...
Edit: it got fixed. Got 0.03 btc for it.

MakeBelieve
August 12, 2014, 08:31:34 PM
 #28

So should we test this on the actual website, or should I test for vulnerabilities on a local host and then contact the admin if I find any on the same version? I don't want to risk getting into trouble testing on this forum, just in case I get into something I'm not supposed to, unless it's allowed as long as you report it.

TradeFortress
September 08, 2014, 09:53:06 AM
 #29

Does this count as an exploit?






<----- it has nothing to do with security but still...
Edit: it got fixed. Got 0.03 btc for it.
What was it? Unicode control codes?
TradeFortress
September 08, 2014, 09:54:04 AM
 #30

Does changing your display name, or registering a new username with prohibited strings (e.g. Satoshi) count as something that would receive a bounty?
theymos
September 08, 2014, 08:54:54 PM
 #31

Does changing your display name, or registering a new username with prohibited strings (e.g. Satoshi) count as something that would receive a bounty?

It's not covered in this bounty, but I'd probably pay a little for info about some bugs of that sort. Some things (like various ways to visually defeat prohibited strings) are known bugs that aren't likely to be fixed.

Cyrus
September 08, 2014, 09:48:01 PM
 #32

I was meaning to raise awareness about people using different characters to make their usernames visually similar to some trustworthy members on bitcointalk.
Example: ṣatoshi, theymoṣ, ṫheymos etc.*
Why not limit the charset to UTF-8, and maybe some non-visually interfering symbols?

*As of yet, there aren't any usernames containing the characters and , but I could compile a list of such characters just to show how easy it is to try and register such a username.

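One defender-side registration check for the look-alike usernames Cyrus describes (and the "visually defeat prohibited strings" bugs theymos mentions above), as an added example that is not code from the forum or its software. The protected-name list, the registration whitelist and the small confusables table are constructed assumptions; a real deployment would load the full Unicode confusables data.

```python
import re
import unicodedata

# Constructed protected-name list (assumption; the forum's real list is not on the page).
PROTECTED = {"satoshi", "theymos"}

# Constructed whitelist for new registrations (assumption): ASCII letters, digits, _ . -
ALLOWED = re.compile(r"^[A-Za-z0-9_.-]+$")

# Small illustrative subset of cross-script look-alikes folded to ASCII (assumption;
# a production check would use the full Unicode confusables table).
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",  # Cyrillic
    "ο": "o", "ν": "v", "ι": "i", "ρ": "p",                                 # Greek
    "ı": "i", "ł": "l", "ø": "o",                                            # Latin variants
})

def skeleton(name: str) -> str:
    """Reduce a username to what a reader's eye sees: strip diacritics,
    drop invisible format characters, fold look-alikes, ignore case."""
    # NFKD separates 'ṣ' into 's' + COMBINING DOT BELOW and expands ligatures
    decomposed = unicodedata.normalize("NFKD", name)
    # Mn = combining marks (the dots in ṣ / ṫ), Cf = zero-width joiners and similar
    visible = "".join(c for c in decomposed
                      if unicodedata.category(c) not in ("Mn", "Cf"))
    return visible.translate(CONFUSABLES).casefold()

def impersonates(name: str):
    """Return the protected name this username would be mistaken for, or None."""
    s = skeleton(name)
    return s if s in PROTECTED else None

def violations(name: str) -> list:
    """All reasons a registration should be refused (empty list means acceptable).
    Both checks are needed: 'Satoshi' passes the whitelist but still impersonates."""
    problems = []
    if not ALLOWED.fullmatch(name):
        problems.append("non-whitelisted characters")
    target = impersonates(name)
    if target:
        problems.append("confusable with " + target)
    return problems

if __name__ == "__main__":
    for candidate in ["tkbx", "ṣatoshi", "theymoṣ", "ṫheymos", "sаtoshi"]:  # last uses Cyrillic а
        print(repr(candidate), violations(candidate))
```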
cakir
September 10, 2014, 11:29:46 PM
 #33

I've sent a PM to theymos, I hope he doesn't miss it
(it's not a code hack etc.)


IceTurk
November 16, 2014, 04:36:31 PM
 #34

The only major flaw in this forum that I can see is that you are using SMF as your forum software. Can't wait until the new platform arrives.
soowein
March 25, 2015, 10:40:40 AM
 #35

Do you release information about vulnerabilities once they're fixed, or is obscurity safer in this case?

Thanks !

TradeFortress
May 26, 2015, 01:49:39 AM
 #36

Time for social engineering to be added as a valid attack?
Check-0
May 26, 2015, 07:09:36 AM
 #37

Time for social engineering to be added as a valid attack?
To kill all "social engineers" theymos must host forums in his basement on a dedicated server with fat connectivity.
Problem solved!

macsga
May 27, 2015, 07:19:17 AM
 #38

If I may, the main problem with security vulnerabilities is our failure to understand that most of them are based on breaking some very simple rules. For instance, anyone who has the ability to physically access my computer is -in theory- able to retrieve ANY password that I have stored inside my web browser and/or key-chain. You may now be thinking "oh, this is not possible", but please take some time to use some good UN-delete software together with a web-browser password retriever utility and most probably you will get the job done in less than 10 mins. Brute forcing is another way, but it will take more time.

@Theymos:
It's been some time now that I've thought about the possible attacks this (and similar) sites will get within the next BTC bubble. I expect this will get much worse. Restricting user access via Tor blocking (I know this will hurt me as well, because I'm using Tor from my work to access the site) will definitely rule out some of the most significant attacks. Cloudflare is also a way, but I'd go for a dedicated person(s) service. You can hire one that you trust, most probably near where you live. This would've been the best-case scenario I'd choose, if I were you.

Best of luck sorting this out.

Check-0
May 27, 2015, 08:19:21 AM
 #39

Of course I was joking about a dedicated server in the basement.
Such a setup will likely have issues with load balancing and connection speed.
Also it will still be a centralised service.

If theymos wants to save his income and keep the community here,
he should:

i) invest in decentralised forum software, or some day such a forum engine will become reality,
 but not under his control, written by other guys. The community will switch to it after the next couple of hacks here. Theymos must be smart and proactive

ii) make sure to have auth of members without passwords (maybe with bitcoin keys or other virtual identities).

iii) never store hashes and IPs in an Internet-hosted DB.
     Take a look: https://unhosted.org/

iiii) abolish email usage for password recovery (there are safer means of communication).

iiiii) drop the "security question checking" feature for password recovery.

If Bitcointalk stays centralised, what will happen when the next bubble of greater adoption arrives??
How many members can bear 1 forum engine (SMF or Epochtalk)??

At least theymos should go to several federated servers for forums...
I am not sure what year it is right now for theymos and team?!
Are we really in 2015?!

NLNico
May 27, 2015, 08:43:18 AM
 #40

i) invest in decentralised forum software, or some day such a forum engine will become reality,
 but not under his control, written by other guys. The community will switch to it after the next couple of hacks here. Theymos must be smart and proactive
Performance of decentralized forum software at this point will be very shit AFAIK. And usability probably bad too (gotta download a client?)

ii) make sure to have auth of members without passwords (maybe with bitcoin keys or other virtual identities).
You want people to sign a message with a bitcoin address every time they login?

Seriously, "don't use passwords" is easier said than done. Login with Trezor Connect would be cool though. And 2FA should obv be an option.

iii) never store hashes and IPs in an Internet-hosted DB.
Not storing IPs def will be bad against spam / trolls / etc.

iiii) abolish email usage for password recovery (there are safer means of communication).
Well for some people it's just about usability. But an optional option to only do (automatic, not manual like now) recovery by signing w/ a specific addy would be cool.

If Bitcointalk stays centralised, what will happen when the next bubble of greater adoption arrives??
How many members can bear 1 forum engine (SMF or Epochtalk)??
Are you telling me decentralization is better for scalability/performance at this point? Def not. Also interesting you are first for keeping IPs private but now you want a P2P forum?

Not disagreeing with all points, but some things are easier said than done
