Bitcoin Forum
Author Topic: Security bounties  (Read 166949 times)
fronti (Legendary)
July 30, 2021, 09:01:50 AM  #81

Maybe i missed it but why the bounties are in US$ and not in XAU anymore?




icopress (Legendary)
August 04, 2021, 11:54:32 AM  #82

Has anyone ever come across such a display of the number of posts? I disabled the extension used but the situation has not changed.



In order not to create a new thread, I will leave my observation here due to the fact that this thread is associated with possible errors found.

Xal0lex (Staff, Legendary)
August 04, 2021, 04:16:22 PM  #83

I found several dozen topics only in the Meta about this ;)

1337
Posts: "leet"? What???
Post Count : leet
What is "leet"? In my profile
Did I just found the easter egg of the forum??

etc.

GazetaBitcoin (Legendary)
August 12, 2021, 02:08:26 PM  #84
Merited by icopress (1), PowerGlove (1)

> Has anyone ever come across such a display of the number of posts? I disabled the extension used but the situation has not changed.

As Xal0lex provided some examples, yes, there is no problem with the "leet" you saw at the profile, icopress. In case there is still any misunderstanding, this is a sort of easter egg, a perk, which appears only once in your posting history, once you reach 1337 posts. In Internet slang, the number 1337 is sometimes spelled as leet or l33t. This number / word is used instead of elite. So when someone tries to say s/he is part of the elite, in Internet slang s/he can write as leet, l33t or 1337.

This is the story of the leet and here, on the forum, I think it was implemented as a funny easter egg. However, the "leet" is not displayed on other occasions - such as when reaching 1337 merits, so it is only once in your life when you see it in your posting history. I am glad you took a screenshot of the moment :)

All in all, it's supposed to be something funny. Similar to the pic below:





actmyname (Copper Member, Legendary)
August 17, 2021, 09:35:22 AM  #85
Merited by PowerGlove (1)

> only once in your posting history, once you reach 1337 posts.

Unless you delete your posts after the fact ;)

> This is the story of the leet and here, on the forum, I think it was implemented as a funny easter egg.

IIRC this is just a native SMF easter egg: simply part of the toolkit. It just wasn't removed like a few of the other things as it has no significant impact.

n0nce (Hero Member)
September 04, 2021, 10:45:11 PM  #86

I'm not sure how building forums with software like SMF works, but if BitcoinTalk is 'just' a specific configuration of SMF 1.1.19, are we essentially looking for bugs in SMF 1.1.19?
Or was SMF 1.1.19 modified in some way or another?

I'm asking because it usually makes sense to look for bugs in a locally installed version of the software, as opposed to pentesting a live system.

PrimeNumber7 (Copper Member, Legendary)
September 05, 2021, 07:28:08 AM  #87
Merited by vapourminer (1)

> Or was SMF 1.1.19 modified in some way or another?
There are several features added to the SMF 1.1.19 codebase, and I don't believe the code for these features is public. Some of the modifications to SMF 1.1.19 may have been to close security holes/issues.

While following the terms in the OP (which primarily consist of the requirement that pentesters not cause disruption to the forum and not access 3rd party data), you can find security weaknesses in the forum software and collect the respective bounties.
SickDayIn (Member)
April 03, 2024, 05:53:47 AM  #88
Merited by LoyceV (2), vapourminer (1)

I have a few questions related to performing security testing on this site, particularly as I don't want to get my current account banned by accident.

1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?
2) Is it acceptable to use newly created / generic sock puppet accounts for testing?
3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful)
4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?
theymos (OP) (Administrator, Legendary)
April 08, 2024, 08:07:00 PM  #89
Merited by Xal0lex (3), EFS (2), LoyceV (2), vapourminer (1)

> 1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?

No.

> 2) Is it acceptable to use newly created / generic sock puppet accounts for testing?

Yes.

> 3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful)

Probably only for the listed security bounties.

> 4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?

IPs are only banned for making too many requests, not for suspicious behavior. So just don't make more than one request per second.

A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.

SickDayIn (Member)
April 16, 2024, 02:31:59 PM  #90

> A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.

Thanks for your answers to my questions. The intention isn't to simply run Burp Suite Active Scan++ and then send a list of boring TLS/SSL cipher and protocol recommendations. It's really only worth raising findings that have a material impact or risk. I will poke my nose around and see if I find anything.
krishnaverma (Full Member)
June 06, 2024, 01:20:09 PM  #91

For bugs of this category:

> If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords.

Will any other details related to users, if revealed with the bug, be considered in this category, or is it limited to only the options mentioned above?

Also, is associating an email to a username not valid in any case at all? If there is some easy way to associate an email to a username, should I report it, or is it not considered valid in any case at all?
theymos (OP) (Administrator, Legendary)
June 06, 2024, 02:18:45 PM  #92

> Also, associating email to username is not valid in any case at all? If there is some easy way to associate email to username, should I report it or is it not considered valid in any case at all?

That's not valid at all.

> For bug of this category
>
> > If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords.
>
> Will any other details related to users if revealed with the bug be considered in this category or is it limited to only the options mentioned above?

For other data, it will not be considered as part of that bounty, but I may award some amount, depending on the details.

margmer (Newbie)
October 29, 2024, 11:35:42 AM  #93

Regarding your question about the bug category, it seems like the focus is primarily on accessing sensitive user information without their interaction or consent. If any additional details about users are revealed in a similar manner—like viewing private messages or account settings—those would likely also fall under this category, especially if they compromise user privacy or security.

As for associating an email with a username, if you find a method that allows you to easily correlate the two without proper authorization, it's worth reporting. Even if it's not a direct breach of sensitive information like passwords or email addresses, it could still pose a risk to user privacy. It's always better to err on the side of caution and inform the relevant parties about potential vulnerabilities.
Powered by MySQL, PHP and SMF 1.1.19 | SMF © 2006-2009, Simple Machines