What kind of vulnerability security bounty hunter got $19 000?
https://bitcointalk.org/sbounties.phpWhen I look at the meta board, there are a lot of threads want to recovery hacked account, this means lots of hackers with technical skill hanging out here. What does he get? , nothing, just an account with tagged
hacked which can't do anything here.
Hackers can get more than that.
- $50 000: If you can access any user's PMs arbitrarily, without any interaction from the user, and without any secret data such as user passwords.
- $20 000: If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords. If you already have an email address, matching it to a user is not a bug.
- $10 000: If you can make undetectable edits to arbitrary posts or PMs. Compromising a moderator account doesn't count.
- $2 000: If you can send a user a link, and if they click on it then you will be able to gain access to their account automatically, without any further action from them aside from just visiting one link. Phishing sites don't count; it has to be some sort of CSRF-type attack. You can't assume that you have any secret data about the user such as their session cookie.
- $2 000: If a regular user without any special permissions can persistently inject JavaScript into a page. If you need a more privileged user, the award amount is halved, and there is no award if you need an administrator account.
- $1 000: If you can move or delete a post that you are not supposed to be able to.
but don't forget
You must not publish it elsewhere or share it with anyone else.
even on meta though
good luck
