Author Topic: when you find a security issue better stay away from Bugcrowd  (Read 1146 times)

0 Members and 1 Guest are viewing this topic.

Offline madires

  • Super Contributor
  • ***
  • Posts: 7043
  • Country: de
  • A qualified hobbyist ;)
Bug bounty platforms, like Bugcrowd, are meant to help security researches to report secutity issues and earn a few bucks. But Bugcrowd has changed to a quite disturbing stance: When Soatok Used Bugcrowd and Got Banned for Doing the Right Thing (https://soatok.blog/2022/06/14/when-soatok-used-bugcrowd/).
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 3604
  • Country: au
  • Cat video aficionado
Re: when you find a security issue better stay away from Bugcrowd
« Reply #1 on: June 15, 2022, 12:46:08 pm »
Sigh.

The question I have is if this chap found a sec flaw because he happened to be poking around, why didn't anyone else?
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7043
  • Country: de
  • A qualified hobbyist ;)
Re: when you find a security issue better stay away from Bugcrowd
« Reply #2 on: June 15, 2022, 01:25:14 pm »
There aren't many security experts with a deep unterstanding of cryptography.
 
The following users thanked this post: wraper

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 3604
  • Country: au
  • Cat video aficionado
Re: when you find a security issue better stay away from Bugcrowd
« Reply #3 on: June 15, 2022, 01:32:30 pm »
There aren't many security experts with a deep understanding of cryptography.

No, I suppose not. Maybe the peeps who don't shouldn't be coding this stuff in the first place. Relying on bounties is a awful way to perfect code.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 5367
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #4 on: June 15, 2022, 03:52:21 pm »
Quote
After I pointed out that a) a takedown would be pointless due to an archive already existing
AKA how to get banned from an Internet website by having level 1000 autism :-DD
 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 4690
  • Country: fi
    • My home page and email address
Re: when you find a security issue better stay away from Bugcrowd
« Reply #5 on: June 15, 2022, 05:27:07 pm »
Quote
After I pointed out that a) a takedown would be pointless due to an archive already existing
AKA how to get banned from an Internet website by having level 1000 autism :-DD
Just FYI, level 1000 autism beats being an asshole, every single time.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 22932
  • Country: gb
Re: when you find a security issue better stay away from Bugcrowd
« Reply #6 on: June 15, 2022, 05:50:00 pm »
There aren't many security experts with a deep unterstanding of cryptography.

From experience there aren’t many security experts out there full stop.

I found a major vulnerability in a very well known security scanning product by pointing it at itself. Instead of getting thanked for the report I got asked to sign an NDA by a lawyer. I declined this and let them fix it at their leisure. It took 7 months.

And that’s as far as any company in the security space is worth be it technical or consultancy.
 
The following users thanked this post: madires, magic

Online magic

  • Super Contributor
  • ***
  • Posts: 5367
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #7 on: June 16, 2022, 08:16:14 am »
Just FYI, level 1000 autism beats being an asshole, every single time.
Quite the opposite, because outcomes are the same either way, but the former at least has a choice :P


At any rate, a quick rundown of what happened:

1. Through Bugcrowd, Comcast advertises to pay for exploitable vulnerabilities in some 3rd party software they use.
2. Soatok finds a potentially exploitable bug in that software and reports it to Bugcrowd.
3. After initial hurdles due to lack of a working exploit demo, they forward the matter to Comcast.
4. Due to lack of a working exploit, Comcast can't decide if it's a real problem, asks to reach out to the original author.
5. Instead of seeking private contact with the author, dude files a public bug report on G**Hub :palm:
6. Bugcrowd learns about it, claims it's against their ToS and threatens to ban him if the bug report isn't taken down.
7. Full nuclear meltdown nerd rage mode activated:
- OMG it's emotional blackmail, you can't threaten to ban me like that, I'm not giving in to bullying
- tough luck motherfuckers, I'm privileged enough that I don't actually need your stupid account anyway
- for those with less privilege, I'm taking a principled stand - ban me if you dare!
- have you never heard of Streisand effect???!!! Here's an archive of the bug report (did the guy actually create it himself? :palm:)

Who is the asshole here? :-//
 

Offline wraper

  • Supporter
  • ****
  • Posts: 15248
  • Country: lv
Re: when you find a security issue better stay away from Bugcrowd
« Reply #8 on: June 16, 2022, 08:27:29 am »
Here's an archive of the bug report (did the guy actually create it himself? :palm:)
It shows snapshot was made 2 minutes after posting. So certainly way before Bugcrowd had any chance to complain.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 5367
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #9 on: June 16, 2022, 08:42:29 am »
LMAO, you are right.

It looks like his whole purpose in publishing this bug was to stir up a shitstorm and get an opportunity to write an angry blog post complaining about their demands for working exploits.
 :-DD
 
The following users thanked this post: bd139

Offline wraper

  • Supporter
  • ****
  • Posts: 15248
  • Country: lv
Re: when you find a security issue better stay away from Bugcrowd
« Reply #10 on: June 16, 2022, 08:42:48 am »
5. Instead of seeking private contact with the author, dude files a public bug report on G**Hub :palm:
6. Bugcrowd learns about it, claims it's against their ToS and threatens to ban him if the bug report isn't taken down.
Quote
Since we don’t author or maintain this code, we do not have any authority to grant a disclosure request. However you might be able to engage with them on the repository
AFAIK there is no way to privately contact maintainer on Github. So them suggesting this meant doing so in public.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 5367
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #11 on: June 16, 2022, 08:48:24 am »
Every git commit contains the name and email address of the author.
99% of serious projects fill these fields correctly and I just checked that JSBN is no exception.

There is also a link to the maintainer's personal page on his GH profile.

It took me less than 5 minutes from reading your post to having Andy's personal email address.
 

Offline wraper

  • Supporter
  • ****
  • Posts: 15248
  • Country: lv
Re: when you find a security issue better stay away from Bugcrowd
« Reply #12 on: June 16, 2022, 08:50:30 am »
Every git commit contains the name and email address of the author.
99% of serious projects fill these fields correctly and I just checked that JSBN is no exception.

There is also a link to the author's personal page on his GH profile.

It took me less than 5 minutes from reading your post to having Andy's personal email address.
Yes you could find an email. But it would not be engaging on repository. So would be doing not what they suggested.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 5367
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #13 on: June 16, 2022, 08:53:56 am »
Yes, retarded corporate droids asked him to do a retarded thing and he did the retarded thing and other retarded corporate droids couldn't believe that the former retarded droids are that retarded so they banned him.

Everybody involved got what they deserved, including other "innocent" users who rely on JavaScript software for anything important.
 
The following users thanked this post: bd139

Offline wraper

  • Supporter
  • ****
  • Posts: 15248
  • Country: lv
Re: when you find a security issue better stay away from Bugcrowd
« Reply #14 on: June 16, 2022, 09:09:32 am »
I would not say it was THAT retarded. It was not some bug which could be readily exploited. It was a flaw in algorithm which would need some serious work to make any use of.  Nor it was revealed to the public immediately without notifying maintainer:
https://github.com/andyperlitch/jsbn/issues/43
Quote
...
2022-04-10: Bugcrowd employee agrees to check with the team and update the ticket.
2022-05-06: Comcast PSIRT says they've informed Andy of the details.
2022-06-14: Comcast PSIRT says they still haven't heard back from Andy, and denied my disclosure request.

Since we don't author or maintain this code, we do not have any authority to grant a disclosure request. However you might be able to engage with them on the repository, or develope a further PoC that would enable validation of your claims.
2022-06-14: Immediate public disclosure on GitHub issue tracker.
 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 4690
  • Country: fi
    • My home page and email address
Re: when you find a security issue better stay away from Bugcrowd
« Reply #15 on: June 16, 2022, 11:08:42 am »
Just FYI, level 1000 autism beats being an asshole, every single time.
Quite the opposite, because outcomes are the same either way, but the former at least has a choice :P

You misunderstand.  Those with autism make for damn good auditors, bug checkers, and so on.  In this story, nobody has autism, even if you claimed so.

Who is the asshole here? :-//
Several of them for sure, but none with autism I can see.

(No, I don't have autism myself, just poor social skills.  But I'll take poor social skills or even autism, over being an asshole, every day.  Even those with hygiene issues can be trained; assholes cannot.)
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf

 



Advertise on the EEVblog Forum