Educause Security Discussion mailing list archives

Re: Open Bug Bounty?


From: Jim Cheetham <jim.cheetham () OTAGO AC NZ>
Date: Tue, 28 Jun 2016 10:01:25 +1200

Despite Julio's warnings regarding 'cold call' vulnerabilities (which I agree is often a real problem), 
openbugbounty.org (formerly xssposed.org) seems to be a reasonably reputable free service to allow people finding a 
fault to report it through a common managed process. There is no money involved.

The researcher (who in practice probably just runs standard assessment tools against their targets) finds a 
vulnerability and proves it in a non-destructive way (generally popping up an alert window). They report the 
vulnerability to openbugbounty.org, who verify it and then try to contact the responsible domain owner's security 
contacts, but don't include technical details.

At this initial stage the website is listed, but the precise vulnerability is not exposed.

The domain owner then gets the chance to talk directly to the researcher, who is likely to be motivated to answer, 
otherwise they wouldn't have reported it in the first place. Once the vulnerability is verified, the owner should then 
fix it. Once the researcher sees that the fix has been put in place, they update openbugbounty.org who then changes the 
status, and IIRC publishes the original vulnerability.

Ideally the domain owner provides feedback that increases the reputation of the researcher on the site.

If the domain owner does not respond, the bug details will eventually be released anyway. This seems to be common 
practice in the security industry - make a private report, but if it is not addressed, make the details public. Google 
do it, via their http://googleprojectzero.blogspot.com/

Here's the public record of the one contact we've had with this service:
https://www.openbugbounty.org/incidents/140596/
and the feedback we posted
https://www.openbugbounty.org/researchers/sinkmanu/

So we've had a positive experience, where the public description of openbugbounty.org does match their actual observed 
behaviour.

Shane, I recommend that you contact the researcher to see what they say, and assume it's a real valid contact. There 
seem to be a handful of results for your domain in there at the moment.

-jim

Quoting Jimenez, Julio (2016-06-28 07:45:17)
Shane,

If the bug bounty notice you received contains real vulnerabilities and you didn't request it, then that's not cool.  
Similar to a "cold call" from a vendor, this is like a cold-scan or a cold-pentest on your sites.  A lawsuit and/or 
criminal case waiting to happen.

The bug bounties I've participated in have very specific parameters by the company on what and how you can pentest.  
These are normally conducted via third-party sites like Bug Crowd and H4ckerOne.

Julio Jimenez
Information Security Engineer
ITTS
Fayetteville State University


On Mon, Jun 27, 2016 at 3:29 PM -0400, "Shane E Williams" <shane.williams () UTEXAS EDU> wrote:

We received a notice from Open Bug Bounty (openbugbounty.org) recently, and I notice that 
many of the latest submissions listed on their pages are educational institutions.  Does anyone have experience with 
and/or opinions about this program?

In many ways, I think what they're doing might be a good thing, but I have no information or experience with which to 
make a trust assessment.  And I can't help but be struck by how similar it feels to the old "someone you know has 
shared an opinion about you, sign up to find out more" websites/spam.

--
Shane Williams
Senior System Administrator
Dept. of Computer Science, University of Texas at Austin
shanew () cs utexas edu - 512-471-0026



--
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheetham () otago ac nz    ☏ +64 3 470 4670    ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605
