Author Topic: when you find a security issue better stay away from Bugcrowd  (Read 2073 times)


Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Bug bounty platforms, like Bugcrowd, are meant to help security researchers to report security issues and earn a few bucks. But Bugcrowd has changed to a quite disturbing stance: When Soatok Used Bugcrowd and Got Banned for Doing the Right Thing (https://soatok.blog/2022/06/14/when-soatok-used-bugcrowd/).
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: when you find a security issue better stay away from Bugcrowd
« Reply #1 on: June 15, 2022, 12:46:08 pm »
Sigh.

The question I have is if this chap found a sec flaw because he happened to be poking around, why didn't anyone else?
iratus parum formica
 

Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: when you find a security issue better stay away from Bugcrowd
« Reply #2 on: June 15, 2022, 01:25:14 pm »
There aren't many security experts with a deep understanding of cryptography.
 
The following users thanked this post: wraper

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: when you find a security issue better stay away from Bugcrowd
« Reply #3 on: June 15, 2022, 01:32:30 pm »
There aren't many security experts with a deep understanding of cryptography.

No, I suppose not. Maybe the peeps who don't shouldn't be coding this stuff in the first place. Relying on bounties is an awful way to perfect code.
iratus parum formica
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6758
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #4 on: June 15, 2022, 03:52:21 pm »
Quote
After I pointed out that a) a takedown would be pointless due to an archive already existing
AKA how to get banned from an Internet website by having level 1000 autism :-DD
 

Online Nominal Animal

  • Super Contributor
  • ***
  • Posts: 6239
  • Country: fi
    • My home page and email address
Re: when you find a security issue better stay away from Bugcrowd
« Reply #5 on: June 15, 2022, 05:27:07 pm »
Quote
After I pointed out that a) a takedown would be pointless due to an archive already existing
AKA how to get banned from an Internet website by having level 1000 autism :-DD
Just FYI, level 1000 autism beats being an asshole, every single time.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: when you find a security issue better stay away from Bugcrowd
« Reply #6 on: June 15, 2022, 05:50:00 pm »
There aren't many security experts with a deep understanding of cryptography.

From experience there aren’t many security experts out there full stop.

I found a major vulnerability in a very well known security scanning product by pointing it at itself. Instead of getting thanked for the report I got asked to sign an NDA by a lawyer. I declined this and let them fix it at their leisure. It took 7 months.

And that’s as far as any company in the security space is worth be it technical or consultancy.
 
The following users thanked this post: madires, magic

Online magic

  • Super Contributor
  • ***
  • Posts: 6758
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #7 on: June 16, 2022, 08:16:14 am »
Just FYI, level 1000 autism beats being an asshole, every single time.
Quite the opposite, because outcomes are the same either way, but the former at least has a choice :P


At any rate, a quick rundown of what happened:

1. Through Bugcrowd, Comcast advertises to pay for exploitable vulnerabilities in some 3rd party software they use.
2. Soatok finds a potentially exploitable bug in that software and reports it to Bugcrowd.
3. After initial hurdles due to lack of a working exploit demo, they forward the matter to Comcast.
4. Due to lack of a working exploit, Comcast can't decide if it's a real problem, asks to reach out to the original author.
5. Instead of seeking private contact with the author, dude files a public bug report on G**Hub :palm:
6. Bugcrowd learns about it, claims it's against their ToS and threatens to ban him if the bug report isn't taken down.
7. Full nuclear meltdown nerd rage mode activated:
- OMG it's emotional blackmail, you can't threaten to ban me like that, I'm not giving in to bullying
- tough luck motherfuckers, I'm privileged enough that I don't actually need your stupid account anyway
- for those with less privilege, I'm taking a principled stand - ban me if you dare!
- have you never heard of the Streisand effect???!!! Here's an archive of the bug report (did the guy actually create it himself? :palm:)

Who is the asshole here? :-//
 

Online wraper

  • Supporter
  • ****
  • Posts: 16845
  • Country: lv
Re: when you find a security issue better stay away from Bugcrowd
« Reply #8 on: June 16, 2022, 08:27:29 am »
Here's an archive of the bug report (did the guy actually create it himself? :palm:)
It shows the snapshot was made 2 minutes after posting. So certainly way before Bugcrowd had any chance to complain.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6758
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #9 on: June 16, 2022, 08:42:29 am »
LMAO, you are right.

It looks like his whole purpose in publishing this bug was to stir up a shitstorm and get an opportunity to write an angry blog post complaining about their demands for working exploits.
 :-DD
 
The following users thanked this post: bd139

Online wraper

  • Supporter
  • ****
  • Posts: 16845
  • Country: lv
Re: when you find a security issue better stay away from Bugcrowd
« Reply #10 on: June 16, 2022, 08:42:48 am »
5. Instead of seeking private contact with the author, dude files a public bug report on G**Hub :palm:
6. Bugcrowd learns about it, claims it's against their ToS and threatens to ban him if the bug report isn't taken down.
Quote
Since we don’t author or maintain this code, we do not have any authority to grant a disclosure request. However you might be able to engage with them on the repository
AFAIK there is no way to privately contact a maintainer on GitHub. So them suggesting this meant doing so in public.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6758
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #11 on: June 16, 2022, 08:48:24 am »
Every git commit contains the name and email address of the author.
99% of serious projects fill these fields correctly and I just checked that JSBN is no exception.

There is also a link to the maintainer's personal page on his GH profile.

It took me less than 5 minutes from reading your post to having Andy's personal email address.
 

Online wraper

  • Supporter
  • ****
  • Posts: 16845
  • Country: lv
Re: when you find a security issue better stay away from Bugcrowd
« Reply #12 on: June 16, 2022, 08:50:30 am »
Every git commit contains the name and email address of the author.
99% of serious projects fill these fields correctly and I just checked that JSBN is no exception.

There is also a link to the author's personal page on his GH profile.

It took me less than 5 minutes from reading your post to having Andy's personal email address.
Yes, you could find an email. But it would not be engaging on the repository, so it would not be doing what they suggested.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6758
  • Country: pl
Re: when you find a security issue better stay away from Bugcrowd
« Reply #13 on: June 16, 2022, 08:53:56 am »
Yes, retarded corporate droids asked him to do a retarded thing and he did the retarded thing and other retarded corporate droids couldn't believe that the former retarded droids are that retarded so they banned him.

Everybody involved got what they deserved, including other "innocent" users who rely on JavaScript software for anything important.
 
The following users thanked this post: bd139

Online wraper

  • Supporter
  • ****
  • Posts: 16845
  • Country: lv
Re: when you find a security issue better stay away from Bugcrowd
« Reply #14 on: June 16, 2022, 09:09:32 am »
I would not say it was THAT retarded. It was not some bug which could be readily exploited. It was a flaw in the algorithm which would need some serious work to make any use of. Nor was it revealed to the public immediately without notifying the maintainer:
https://github.com/andyperlitch/jsbn/issues/43
Quote
...
2022-04-10: Bugcrowd employee agrees to check with the team and update the ticket.
2022-05-06: Comcast PSIRT says they've informed Andy of the details.
2022-06-14: Comcast PSIRT says they still haven't heard back from Andy, and denied my disclosure request.

Since we don't author or maintain this code, we do not have any authority to grant a disclosure request. However you might be able to engage with them on the repository, or develop a further PoC that would enable validation of your claims.
2022-06-14: Immediate public disclosure on GitHub issue tracker.
 

Online Nominal Animal

  • Super Contributor
  • ***
  • Posts: 6239
  • Country: fi
    • My home page and email address
Re: when you find a security issue better stay away from Bugcrowd
« Reply #15 on: June 16, 2022, 11:08:42 am »
Just FYI, level 1000 autism beats being an asshole, every single time.
Quite the opposite, because outcomes are the same either way, but the former at least has a choice :P

You misunderstand.  Those with autism make for damn good auditors, bug checkers, and so on.  In this story, nobody has autism, even if you claimed so.

Who is the asshole here? :-//
Several of them for sure, but none with autism I can see.

(No, I don't have autism myself, just poor social skills.  But I'll take poor social skills or even autism, over being an asshole, every day.  Even those with hygiene issues can be trained; assholes cannot.)
 
