fronti
Legendary
Offline
Activity: 2914
Merit: 1310
July 30, 2021, 09:01:50 AM
Maybe I missed it, but why are the bounties in US$ and not in XAU anymore?
icopress
Ken Masters
Legendary
Offline
Activity: 2016
Merit: 10724
August 04, 2021, 11:54:32 AM
Has anyone ever come across such a display of the number of posts? I disabled the extension used, but the situation has not changed. In order not to create a new thread, I will leave my observation here, since this thread is associated with possible errors found.
Xal0lex
Staff
Legendary
Offline
Activity: 2856
Merit: 2770
August 04, 2021, 04:16:22 PM
GazetaBitcoin
Legendary
Offline
Activity: 2100
Merit: 8330
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
> Has anyone ever come across such a display of the number of posts? I disabled the extension used but the situation has not changed.

As Xal0lex provided some examples, yes, there is no problem with the "leet" you saw at the profile, icopress. In case there is still any misunderstanding, this is a sort of easter egg, a perk, which appears only once in your posting history, once you reach 1337 posts. In Internet slang, the number 1337 is sometimes spelled as leet or l33t. This number / word is used instead of elite. So when someone tries to say s/he is part of the elite, in Internet slang s/he can write it as leet, l33t or 1337. This is the story of the leet, and here, on the forum, I think it was implemented as a funny easter egg. However, the "leet" is not displayed on other occasions, such as when reaching 1337 merits, so it is only once in your life that you see it in your posting history. I am glad you took a screenshot of the moment. All in all, it's supposed to be something funny. Similar to the pic below:
actmyname
Copper Member
Legendary
Offline
Activity: 2562
Merit: 2516
Spear the bees
August 17, 2021, 09:35:22 AM Merited by PowerGlove (1)
> only once in your posting history, once you reach 1337 posts.

Unless you delete your posts after the fact.

> This is the story of the leet and here, on the forum, I think it was implemented as a funny easter egg.

IIRC this is just a native SMF easter egg: simply part of the toolkit. It just wasn't removed like a few of the other things, as it has no significant impact.
n0nce
September 04, 2021, 10:45:11 PM
I'm not sure how building forums with software like SMF works, but if BitcoinTalk is 'just' a specific configuration of SMF 1.1.19, are we essentially looking for bugs in SMF 1.1.19? Or was SMF 1.1.19 modified in some way or another?
I'm asking because it usually makes sense to look for bugs in a locally installed version of the software, as opposed to pentesting a live system.
PrimeNumber7
Copper Member
Legendary
Offline
Activity: 1750
Merit: 1911
Amazon Prime Member #7
September 05, 2021, 07:28:08 AM Merited by vapourminer (1)
> Or was SMF 1.1.19 modified in some way or another?

There are several features added to the SMF 1.1.19 codebase, and I don't believe the code for these features is public. Some of the modifications to SMF 1.1.19 may have been to close security holes/issues. While following the terms in the OP (which primarily consist of the requirement that PenTesters not cause disruption to the forum, and not access 3rd party data), you can find security weaknesses in the forum software and collect the respective bounties.
SickDayIn
Member
Offline
Activity: 225
Merit: 33
I have a few questions related to performing security testing on this site, particularly as I don't want to get my current account banned by accident.
1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?
2) Is it acceptable to use newly created / generic sock puppet accounts for testing?
3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful.)
4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?
theymos (OP)
Administrator
Legendary
Offline
Activity: 5600
Merit: 14356
> 1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?

No.

> 2) Is it acceptable to use newly created / generic sock puppet accounts for testing?

Yes.

> 3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful.)

Probably only for the listed security bounties.

> 4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?

IPs are only banned for making too many requests, not for suspicious behavior. So just don't make more than one request per second.
A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.
SickDayIn
Member
Offline
Activity: 225
Merit: 33
April 16, 2024, 02:31:59 PM
> A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.

Thanks for your answers to my questions. The intention isn't to simply run Burp Suite Active Scan++ and then send a list of boring TLS/SSL cipher and protocol recommendations. It's really only worth raising findings that have a material impact or risk. I will poke my nose around and see if I find anything.
krishnaverma
June 06, 2024, 01:20:09 PM
For a bug of this category:

> If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords.

Will any other details related to users, if revealed with the bug, be considered in this category, or is it limited to only the options mentioned above?
Also, is associating an email to a username not valid in any case at all? If there is some easy way to associate an email to a username, should I report it, or is it not considered valid in any case at all?
theymos (OP)
Administrator
Legendary
Offline
Activity: 5600
Merit: 14356
June 06, 2024, 02:18:45 PM
> Also, is associating an email to a username not valid in any case at all? If there is some easy way to associate an email to a username, should I report it, or is it not considered valid in any case at all?

That's not valid at all.

> For a bug of this category:
>
> > If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords.
>
> Will any other details related to users, if revealed with the bug, be considered in this category, or is it limited to only the options mentioned above?

For other data, it will not be considered as part of that bounty, but I may award some amount, depending on the details.
margmer
Newbie
Offline
Activity: 2
Merit: 1
October 29, 2024, 11:35:42 AM
Regarding your question about the bug category, it seems like the focus is primarily on accessing sensitive user information without their interaction or consent. If any additional details about users are revealed in a similar manner—like viewing private messages or account settings—those would likely also fall under this category, especially if they compromise user privacy or security.
As for associating an email with a username, if you find a method that allows you to easily correlate the two without proper authorization, it's worth reporting. Even if it's not a direct breach of sensitive information like passwords or email addresses, it could still pose a risk to user privacy. It's always better to err on the side of caution and inform the relevant parties about potential vulnerabilities.