Ice-Dice.com Bug Bounty Program On Testnet Subdomain

[icedicedavid]

Ice-Dice.com understands the important of security and the safety of our customers and investors bitcoins is very important to us. This is why we are launching our bug bounty program and launched our Testnet subdomain http://testnet.ice-dice.com for security researchers to find vulnerabilities.

We ask all security researchers to:

- Do not test on the main site, use http://testnet.ice-dice.com only! If you exploit the main site, you will not be eligible for rewards!
- Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Making a good faith effort to not leak or destroy any production user data (testnet website is fine)
- Not defrauding Ice-Dice.com users or Ice-Dice.com itself in the process of discovery.
- In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Rewards

The minimum payout is 0.5 bitcoin for reporting a previously unknown security vulnerability of sufficient severity. There is no maximum reward, and we may award higher amounts based on severity or creativity of the vulnerability found.

We also provide attribution as a thank you.

Eligibility

We reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

- XSS
- CSRF
- Authentication bypass or privilege escalation
- Click jacking
- Remote code execution
- Obtaining user information

In general, the following would not meet the threshold for severity:

- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website
- Denial of service
- Spamming
- Vulnerabilities in third party applications

To Submit a bug report, please email icedicedavid@gmx.com with the following:

- Description and potential impact
- Steps to reproduce the issue or a proof of concept

Severe Awards
- none yet

Non-Severe Awards (Bugs that will not cause financial loss or data breach)
- Christy Philip Mathew - @christypriory
- Issam Rabhi - @Issam_Rabhi
- Anand M
- Siddhesh Gawde
- Sahil Saif

[ASICSRUS]

what is your offering? I already explained you are skating on very thin ice! I'd appreciate if you payed me out the 1BTC you owe me then we can talk about your status operating like you do.   security?lol google : Apex

[icedicedavid]

Christy Philip Mathew - @christypriory found a non-severe bug that will not cause financial loss or data breach. A smaller reward was given to thank him for his effort.

[icedicedavid]

To the guy with IP: (edit: sorry, shouldn't have posted this) from Chennai, India:

You are flooding the server with the same POST request over and over again. The CSRF protection is automatically blocking your submission and what you are doing won't actually find any bugs. It will just waste bandwidth.

[icedicedavid]

Do not test on the main site, use http://testnet.ice-dice.com only! If you exploit the main site, you will not be eligible for rewards!

[knowitnothing]

To the guy with IP: 115.242.186.210 from Chennai, India:

So if someone tries to find a vulnerability you post his IP ? This might, or might not, be his actual IP, but aren't you supposed to keep this information (and other you might collect) private ? He/she might be trying to help you after all...  if I had any interest on this, now I would surely never give it a try.

Also, every related program I've seen paid much more than what you're offering. I don't see why anyone not so honest with an actual bug would sell it to you. Be clear about what you would actually pay, "There is no maximum reward" is not clear at all.

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

[ASICSRUS]

To the guy with IP: 115.242.186.210 from Chennai, India:

So if someone tries to find a vulnerability you post his IP ? This might, or might not, be his actual IP, but aren't you supposed to keep this information (and other you might collect) private ? He/she might be trying to help you after all...  if I had any interest on this, now I would surely never give it a try.

Also, every related program I've seen paid much more than what you're offering. I don't see why anyone not so honest with an actual bug would sell it to you. Be clear about what you would actually pay, "There is no maximum reward" is not clear at all.

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

x1O thank you for keeping it real! this guy refuses to even pay me out, I reported ice-dice "bugs" from day one!  
Fvkk you for logging bitcoiners ip addresses ice-dice David!

[ITsTanked]

Why not put test site on different server?  Vulnerability scan is intense, what you what the india guy to do, page by page manuall?
Minimum one need to run crawler and catch all file and pages to look at manually.

[icedicedavid]

To the guy with IP: 115.242.186.210 from Chennai, India:

So if someone tries to find a vulnerability you post his IP ? This might, or might not, be his actual IP, but aren't you supposed to keep this information (and other you might collect) private ? He/she might be trying to help you after all...  if I had any interest on this, now I would surely never give it a try.

Also, every related program I've seen paid much more than what you're offering. I don't see why anyone not so honest with an actual bug would sell it to you. Be clear about what you would actually pay, "There is no maximum reward" is not clear at all.

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

You are right, I had a misunderstanding. At the time I thought he was being malicious and what he was doing looked like a DDOS so I posted his IP. It was a mistake I shouldn't have.

Why not put test site on different server?  Vulnerability scan is intense, what you what the india guy to do, page by page manuall?
Minimum one need to run crawler and catch all file and pages to look at manually.

It is on a different server. You are right I had a misunderstanding. I thought he was being malicious.

PS. This ASICSRUS guy is a troll. just look at his post histories. He blackmails and spread rumours about all the casino owners in order to extort for bitcoins.

[ASICSRUS]

To the guy with IP: 115.242.186.210 from Chennai, India:

So if someone tries to find a vulnerability you post his IP ? This might, or might not, be his actual IP, but aren't you supposed to keep this information (and other you might collect) private ? He/she might be trying to help you after all...  if I had any interest on this, now I would surely never give it a try.

Also, every related program I've seen paid much more than what you're offering. I don't see why anyone not so honest with an actual bug would sell it to you. Be clear about what you would actually pay, "There is no maximum reward" is not clear at all.

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

You are right, I had a misunderstanding. At the time I thought he was being malicious and what he was doing looked like a DDOS so I posted his IP. It was a mistake I shouldn't have.

Why not put test site on different server?  Vulnerability scan is intense, what you what the india guy to do, page by page manuall?
Minimum one need to run crawler and catch all file and pages to look at manually.

It is on a different server. You are right I had a misunderstanding. I thought he was being malicious.

PS. This ASICSRUS guy is a troll. just look at his post histories. He blackmails and spread rumours about all the casino owners in order to extort for bitcoins.

((((STOP))))

so getting paid out is extortion? bwaahahahaa you must be joking?   are you familiar with the bitcoin foundation? roff!!!







http://www.youtube.com/watch?v=QPENXsJz32I

[ITsTanked]

Ok, I will check later, crawl for info and some automate test but is intense for my CPU so I will wait until not in use.

Can you allow all IP?  VPN I use is blocked, if I use home IP ISP can ban me.  Counterproductive to have any IP filter for server running test.  Server may automatic block IP for too many request, we know this works so can you turn it off?

[ASICSRUS]

Ok, I will check later, crawl for info and some automate test but is intense for my CPU so I will wait until not in use.

Can you allow all IP?  VPN I use is blocked, if I use home IP ISP can ban me.  Counterproductive to have any IP filter for server running test.  Server may automatic block IP for too many request, we know this works so can you turn it off?

i can turn OUR site off whenever lol =)

[icedicedavid]

Ok, I will check later, crawl for info and some automate test but is intense for my CPU so I will wait until not in use.

Can you allow all IP?  VPN I use is blocked, if I use home IP ISP can ban me.  Counterproductive to have any IP filter for server running test.  Server may automatic block IP for too many request, we know this works so can you turn it off?

All IP is open, and VPN should be allowed.

[knowitnothing]

By the way, I noticed the original post is very similar to https://coinbase.com/whitehat (including the mistake of unknown maximum payout, but this one at least has a 10x higher minimum payout). I don't think this is a coincidence, and I know about other sites like facebook.com/whitehat and https://www.google.com/about/appsecurity/reward-program/.

Since there was no effort in writing it, can you please give proper attribution from where you borrowed this text ? Something like, "Like thiothersite/whitehat, we at someservice are launching ..."

[ASICSRUS]

Ok, I will check later, crawl for info and some automate test but is intense for my CPU so I will wait until not in use.

Can you allow all IP?  VPN I use is blocked, if I use home IP ISP can ban me.  Counterproductive to have any IP filter for server running test.  Server may automatic block IP for too many request, we know this works so can you turn it off?

All IP is open, and VPN should be allowed.

I reported your first bugs and you try to throw me under the bus, watch me "test" your real site...lol you need me to?  


http://www.youtube.com/watch?v=5_JmXCNPs6Y

[icedicedavid]

Ok, I will check later, crawl for info and some automate test but is intense for my CPU so I will wait until not in use.

Can you allow all IP?  VPN I use is blocked, if I use home IP ISP can ban me.  Counterproductive to have any IP filter for server running test.  Server may automatic block IP for too many request, we know this works so can you turn it off?

All IP is open, and VPN should be allowed.

I reported your first bugs and you try to throw me under the bus, watch me "test" your real site...lol you want me to?  

I wrote you a letter by the way, you might want to take a look:

https://bitcointalk.org/index.php?topic=318830.0

[ASICSRUS]

Ok, I will check later, crawl for info and some automate test but is intense for my CPU so I will wait until not in use.

Can you allow all IP?  VPN I use is blocked, if I use home IP ISP can ban me.  Counterproductive to have any IP filter for server running test.  Server may automatic block IP for too many request, we know this works so can you turn it off?

All IP is open, and VPN should be allowed.

I reported your first bugs and you try to throw me under the bus, watch me "test" your real site...lol you want me to?  

I wrote you a letter by the way, you might want to take a look:

https://bitcointalk.org/index.php?topic=318830.0

(entertainment only type posts you kno/\\/)


Trying to wrap my head around the crimes committed by David Lee.

Here's what I have and would like to know what others think.

Tax fraud - USA Canada United Kingdom Russia
Sales of unregistered securities - USA (SEC civil) United Kingdom
Stock manipulation - USA civil and criminal
Money laundering - USA Canada United Kingdom Russia..whoops EVERYWHERE
being an idiot :   LOL

[ASICSRUS]

Ok, I will check later, crawl for info and some automate test but is intense for my CPU so I will wait until not in use.

Can you allow all IP?  VPN I use is blocked, if I use home IP ISP can ban me.  Counterproductive to have any IP filter for server running test.  Server may automatic block IP for too many request, we know this works so can you turn it off?

All IP is open, and VPN should be allowed.

I reported your first bugs and you try to throw me under the bus, watch me "test" your real site...lol you want me to?  

I wrote you a letter by the way, you might want to take a look:

https://bitcointalk.org/index.php?topic=318830.0

I wrote you a post by the way, you might want to take a look:

http://investorshub.advfn.com/boards/read_msg.aspx?message_id=93410746

[icedicedavid]

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

Bug Disclosures:

Christy Philip Mathew found a local XSS bug in the next field entering the name text field. Javascript input was escaped on the server side, but was displayed on the client side in the html without escape, so no code injection could be made other than the attackers own computer.

The following 3 members all reported the same bug about the same time, which is a non severe XSS in the url that could only execute an alert message. document.location and document.cookie could not be executed so we deem this bug to be not severe.
- Issam Rabhi - @Issam_Rabhi
- Anand M
- Siddhesh Gawde

A small bitcoin reward had been sent to all these disclosures as a token of thank you.

[ASICSRUS]

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

Bug Disclosures:

Christy Philip Mathew found a local XSS bug in the next field entering the name text field. Javascript input was escaped on the server side, but was displayed on the client side in the html without escape, so no code injection could be made other than the attackers own computer.

The following 3 members all reported the same bug about the same time, which is a non severe XSS in the url that could only execute an alert message. document.location and document.cookie could not be executed so we deem this bug to be not severe.
- Issam Rabhi - @Issam_Rabhi
- Anand M
- Siddhesh Gawde

A small bitcoin reward had been sent to all these disclosures as a token of thank you.

whatever mate , this is rubbish>> i guess your site will be taken down at any rate! (stay tuned)   LOL




*BTW*>>I'M SELLING MY ICE-DICE INVESTMENT ACCOUNTS 10BTC EACH!!! soon 20BTC IMHO!!!
















http://www.youtube.com/watch?v=ol-gCriUYWI