Security bounties

[Globb0]

Oh look 2 post copying robots in a row

Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.

[krishnaverma]

Admin, I have a question regarding this :  1 XAU: Find the email address of user DefaultTrust and explain in detail how you did it.

If I am able to confirm the email from different possible email id for an account , is it acceptable ? Like confirming the email id of DefaultTrust from among possible 100 mail ids.

[theymos]

Admin, I have a question regarding this :  1 XAU: Find the email address of user DefaultTrust and explain in detail how you did it.

If I am able to confirm the email from different possible email id for an account , is it acceptable ? Like confirming the email id of DefaultTrust from among possible 100 mail ids.

No, if you have someone's email address then there are several known ways of finding their username. I don't consider this a bug.

[STSToken]

Is there any plans to increase the bounty awards?

[ridertiger]

https://bitcointalk.org/ is a copy cat and one time I almost entered my password there. Good thing I did not, but is there anyhthing, anyone can do about that site?

[simonova]

Is there any plans to increase the bounty awards?

Will you submit the bug only if the bounty reward is increased ?  Share with the admin and he will compensate accordingly. Also, the current rewards are very much in accordance with standard payouts given by reputed websites. The admin mentioned this somewhere in this thread.

[arhipova]

Bullshit offer.
If you are sincere in solving any security breach, you should seek paid professionals.

All big companies like FB, Google take the same route even after they have paid professionals hired full time for this work. Users can be the best judge especially for new features.

[krishnaverma]

https://bitcointalk.org/ is a copy cat and one time I almost entered my password there. Good thing I did not, but is there anyhthing, anyone can do about that site?

There are setting in different browsers to block certain websites completely.

You will have to follow tutorial online for the specific browser you are using.

If by doing sometime about it, you meant that you would like to get that website down, that is a very long route.

[yakovs]

If it would not violate anonymity of individual security researchers, could you post statistics as to how many bugs in each category have been reported and fixed?

Just yours so far. (A CSRF.)

And what about current stats ?

[theymos]

And what about current stats ?

Doing a quick count, it looks like a total of about 11.4 XAU has been paid in security bounties since inception.

[Mpamaegbu]

https:// bitcointalk.org/ is a copy cat and one time I almost entered my password there. Good thing I did not, but is there anyhthing, anyone can do about that site?

If you feel that truly that site is a phishing one why not deactivate the link so no one mistakenly falls prey to it. But I seem not to see anything different from that site as it is the same with our BTT in spelling and all that.

[cescudero95]

And what about current stats ?

Doing a quick count, it looks like a total of about 11.4 XAU has been paid in security bounties since inception.

Sorry, but what is XAU exactly?

[theymos]

Sorry, but what is XAU exactly?

Troy ounces of gold.

[STT]

I will speak to someone next week who does this vulnerability testing professionally.   Maybe he will tip me if he has a trick from work and manages to do anything :p

Is there any plans to increase the bounty awards?

They increase every day so long as the gold price does

Sorry, but what is XAU exactly?

https://www.xe.com/currencycharts/?from=XAU&to=USD&view=10Y

XAG is silver

https://www.xe.com/iso4217.php#X

Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.

The forum is internationally based could be one point but mostly I think of Dollar as the pre nixon standard of being fixed to gold hence its always reasonable to offer gold long term especially to an international audience.   If I have no liabilities in dollars then the gold could be preferable, dollars do depreciate over time and this topic is years old.   Honestly everyone should keep a little gold, maybe I'm biased or maybe people forgot +10% interest rates, etc. I havent.

[Security Engineer]

Hello theymos.

I quote here two post regarding BitcoinTalk's security and I hope you will do what I recommended.

@theymos If I'm you I would remove Google reCaptcha before a DoS hits your main server! The sitekey my boy, the sitekey... I also did some research around the SSL certificates you got from Sectigo... Later I will contact you when I decided what to do with all this.

You don't want to keep that Google reCaptcha there mainly not only because I was able to indentify your server behind cloud but you don't need that at all! Before the cloud it was useful but now you can use just one captcha... better for you.

Quick tips for mitigation: Remove Google reCaptcha and implement Argo Tunnel

administrator of this forum without any knowledge of programming. I have read his post from the very first one and nothing indicates he had any knowledge of programming.

Bitcointalk are Big forum have over 2.6 Million member need knowledge of management. And not necesarry know about programing.
Manager can recruit people who have knowledge about it.

That is correct DroomieChikito! 

If @theymos do what I recommended to him here: https://bitcointalk.org/index.php?topic=5179950.msg52306296#msg52306296 and in PM than he never again would need to even think about that something bad happens to the server(s) of BitcoinTalk. In the current state BitcoinTalk is vulnerable. If he does what I recommended it will mitigate all types of attacks once and forever.

This topic will loose it relevance immediately: https://bitcointalk.org/index.php?topic=309785.msg3326091#msg3326091 meaning that no more bounty. Some regarding the forum and email can be still ongoing but he would need to rewrite the entire post.

Cheers!


I can't reply to your PM theymos I'm to new here... 
I got your PGP key. I will send you what you asked. Right now I'm busy with something else. I can assure you soon you will get the response in PM or in an encrypted email.

Is this yours?

Code:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQMuBExwwKsRCADZL8C3DWzSohJv6qcrZ2r0jdhY/BhUKzs8utbpa+wbPrBztNCN
9Gxu+6PUiFVuEhpdXpCKGy2sf+CyzOTdGYJtlIykH6jdEW/PLyW5a23SKZEHvI4S
RNWZCPF9kqujRHb++mrf6t6ehiMUkFcn0aQOYMMrk/pVrdx3LmmUSgsvOvCRRWS3
vo1uNJdlnqOA7pc6sgOs7bZI32zVk4p+1QVgZ6gKAOx2ga8IBILs3KMzt72WFdF1
1W0k92T/xQ+FHf0O9nMdeN/qKRBSZn1CMoJgaG23Kj8O3K3AwEgijBD60ByvIHOL
7WjFJ8IVA/obhn/Xoa1ZD91rDYvH/18kldVXAQDTdgjwDHNd4AItspbLTMvtovK8
RxWvNiHy7nE6j/BmlQgAl02c0soZXL2VhGw0gX+gIUZY3jD2pWQSFqdUb+dXNqVI
ISjINPqD35xm7Hll4B5CSlsjz5j+gJc8xrfWw1YAjK6SJxhQcevI+wbXBqfX3pYj
MYeOgszkSHAcs5EsW03EdYQ9SlrFk+5+4hsUBp86hEb3xaqkj3a2X3cO1J3erZ2R
ScFayjr7aTCuSmdguCsslSSyn/xW+N7f0s/C4JPgnVznfw1/BpNm7gFTfKidGmlx
ib4JtrxlwuYwNRbEFsynFHA+hjHa+NyJBHdf+MUyTQ/bzpiEhxL9QXKRDBTAGVMx
f44qR07JtFfZjogEXSWt1NP2fJhMsqWyFHJq7n7Kegf+NMPvIOiVJiAKjEQ5j2+6
X+DbBcjRgKr0vNdYeP7dnGK47LPRfX3EE+dTQerawlWunPoHBRkRmDShjxxwlV1F
eTf+buj5yFCBPNCAxKsnXi1EN78iPNkTbnWgKutTDup/fKY+1MZbK/FiymMvHes0
77n0HvzVrQIRaqmk6/jPC6o8f7IuZzpmYFnyUha2v0kdX0VcJATV/AzcIIVFJc5X
YLdcpRxW7qxIvOAJqpHvxl7Gdj7oYBwvnbnU/2Hl3HWh9Lo4AjfD+KpfT/F+iMiK
A4k5geMKtdJk+BLVZYos4qCAZX6VXraTDP2lVWXYzWGP9HKuos19H4V/y/LgJGFe
pbQnTWljaGFlbCBNYXJxdWFyZHQgPG1pY2hhZWxfbStwZ3BAbW0uc3Q+iIAEExEI
ACgCGwMCHgECF4AFAkxww8QLCwkNCAwHCwoDBAIGFQgKCQsDBRYDAgEAAAoJEMZV
VpPatZHnOagBALomn7hramaFsh4W/UfP7dUIXE9BMzgGzHM5rxIkmkSHAP0SAFRV
PBjl2xMYWJWIFnzVMX6odojMv6hneChqjhCTCLQbdGhleW1vcyA8dGhleW1vcytw
Z3BAbW0uc3Q+iIAEExEIACgCGwMCHgECF4AFAkxww8QLCwkNCAwHCwoDBAIGFQgK
CQsDBRYDAgEAAAoJEMZVVpPatZHn4isBAKTwaR9MGR6lKAdS74C+8fgDalbEf4uh
6/mAVFhQYp+GAP9quUjlRyr/po10gTEKStoXOAZ9sRhrb3TlxDRf8C1BWrkCDQRW
DgiMEAgAvWIlg2CjBwhtmMgy+RoS6/HeevH0Qnz3PntfWsTqZuw4kNcu/Xk6HCmY
clN/Lqy8nn/FTaplKTAJS14J20F16nCv5fpzJKB/5i8HLpNz16xpSSPErn1whsKV
/wFCheQ/oFGcJFZvcmauB6iJ3XBvJbAQqF7+mH2ijAHVnwb7V7ANlWyqjbYxPoyb
ro69HUoRojh5MTNv/xGLIajjNH8Ckp9J2XUCWtavj4xJEIoWB3i3C/A0NVQuPGS5
1MqvhWaRvbVlrdhqAuNN1culvZpSLu1y+2vLiyLolLn70viuyH/ouoV/NRo4yFpP
yA1PXDxk+51petVxXPXbVdqvun9Y0wADBQgAmKTl1iwmUr5ncMIc13Bkj5nzF+w8
11OPZ3P98J7Cos0cIXpqLf8FgDr0xU2oPoq33i59xK0SIrj1TqjiSWC4S5YkJNEm
/hgyb+UOk2D2Xm0SKr+2BDMSREEsLhYO1vSi1O0ND1g2QgoQNQ91aMVZ92IX4V8h
++/8smxxcjLkCRc9YrzsRLeuP3PE489n8MzdYbui7vU+RJhKL7mlKKWDKxko3sVH
kmy3CBjjyp04KNAGJwpQzY8G3XmK9eRSypc71ST0ziJxFk5+DPEM8IPZGbHvCS0k
a2yf8Gp5oaCDkSKxNoAnMKcM7fTkFuekAvRKBGB/u+71anvpRCxKslc1gYh+BBgR
CAAmAhsMFiEEXms/O6lhGTxcm0Q1xlVWk9q1kecFAl1bRX0FCQzw13EACgkQxlVW
k9q1kedNhgD+Pp0ZBMuN9VUtzuIsS9gp0DiMmehOdCV99SifqH0phWEBAISGZ6Zl
bY8GhzbuuorCW/UUPHDODxiuBvHI9+/qFjDx
=39Rd
-----END PGP PUBLIC KEY BLOCK-----

[fokinlipat]

Is only bitcointalk.org domain considered for this or any other also ?

[JeromeTash]

Is only bitcointalk.org domain considered for this or any other also ?

Like it is said in the OP. The security bounties are exclusively for the forum (bitcointalk.org). Why would admin create security bounties for other domains that the forum is not affiliated with?

The forum is offering bounties for security vulnerabilities.

[alpha_wisdom]

You should put this bounty into SMF Forum's core also.

[Rokon5]

This is probably the highest security bounty of any forum.I am new here but I know it's security is high for this reason I love bounties.Any one can invest here and can growing their trade because It has good security.

[bL4nkcode]

Any one can invest here and can growing their trade because It has good security.

All investments posted here are actually held on other websites, what bitcointalk can only offer is safety and secured forum due to previous hacks/attacks that leaks user's privacy including emails, phone number, locations posted on pm when dealing someone.