Topic: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug. - page 3. (Read 982 times)

legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Blockchain.com customer support email this morning.  In the previous email, I let them know HackerOne said this was how the feature intended to function & I also included a link to this thread.



I went ahead and sent Marco Santori a link to this thread on his personal website.  If I was the President of an exchange I would want to know about this. Plus I noticed a typo on Mr. Santori's website, so I figured I'd get two birds stoned at once.



That's annoying.

Super annoying.  Oh well, life's annoying!  I've got faith in Blockchain.com.

legendary
Activity: 2716
Merit: 2093
Join the world-leading crypto sportsbook NOW!
That's annoying.  Obviously you should get something.  Not even a thank you is basically a middle finger.

I always assumed these bug bounty sites were given some sort of retainer or billed the actual site with the bug for any bounties they paid.

This makes me think maybe they just charge a flat rate or something for their 'service', maybe package it with a security audit.

If a bug bounty site has a financial incentive to not pay out bounties, like in the example above, they're actually doing a disservice to the sites being tested, the sites' users, and the bug reporters.  That's fucked up.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
(original post, heavily updated and semi-confusing... please reference the PowerPoint in the OP, thank you.)

*I give my full permission for anyone to use any text or any images from this thread.*

I signed up for an account on Blockchain.com's new "military-grade" exchange called "The Pit".

I noticed right off the bat that I was able to get their exchange to show my 2fa backup codes without prompting me for my 2fa code. (I only needed to enter my password)

I emailed Blockchain.com's support and reported the problem.  Blockchain.com's support told me to open a "HackerOne" bug bounty report if I wanted to get paid.... I figured, "Why not?  I could use the money to test their site further / link my bank account with a wire!"  (I should have fucking known better and just been OK without getting compensated, but I was worried Blockchain.com's customer support person wouldn't forward on the problem if I didn't open a HackerOne ticket and I didn't want some poor Blockchain.com customer to get pwned because of Blockchain's critically flawed security design.)


(you can see I'm sketched out about this "HackerOne" stuff from the start)

I created the issue on HackerOne:



HackerOne staff responded:



Yikes!!!!!!!  But OK... if that's how you want to have your website, go for it... I guess...

HOWEVER, today I checked Blockchain.com's website and lo and behold:


(users are now prompted for 2fa after the password screen) 10/16/2019

I'm not overly worried about Blockchain... I imagine they will make it right, but this fucking dipshit at HackerOne that said that's how the feature is supposed to work scares the shit out of me!!!!! At least I learned fast to avoid HackerOne.com before FreeBitcoins.com hired them.  It's scary to see that other cryptocurrency companies use HackerOne!

I do want to say "Good job" to Blockchain.com's security team for fixing this problem within a week.

I will update when and if HackerOne or Blockchain.com compensates me for this report.

Edit:  "They" reopened my closed bug report and offered me $50, requiring me to fill out my social security for said $50.  First they claimed the feature was functioning as it was supposed to at first and then later claimed they knew about the bug the whole time prior to it being reported!!!!!!  Ya, right.  Roll Eyes  I strongly recommend keeping on reading.

Double Edit:  I am now calling this a scam.  I believe it's just a case of one or more employees trying to cover their ass.  I will continue updating and such.

Now they are saying that the bug was known before my report... ya right!!! If it was, that's disgusting that they advertised Military-grade security with a bug known like that...



Links & news articles related to this:

https://www.reddit.com/r/Bitcoin/comments/djpg2m/bug_bounty_scam_blockchaincom_hackeronecom_didnt/ (50 upvotes with 92% upvotes so far.  Thanks for voting <3)

https://www.reddit.com/r/btc/comments/djpfu9/scam_blockchaincom_hackeronecom_didnt_pay_a_major/ (this one got nuked by a /r/btc mod)

https://twitter.com/SnailsInTheMail/status/1185212527925436416

https://forum.bitcoin.com/post294928.html#
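The flaw described in this post is an authorization logic error: a sensitive action (dumping 2FA backup codes) was gated only on the password-authenticated session, not on a fresh second-factor check. The following is an added example, not code from the post or from Blockchain.com, showing the flawed handler beside a hardened one that requires a recent TOTP step-up before backup codes are returned. The session fields, the step-up window, the `BACKUP_CODES` store and the handler names are assumptions for illustration; the TOTP arithmetic follows RFC 4226/6238 and the secret in `__main__` is the RFC test-vector secret, not a real one.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a second-factor verification stays "fresh" for sensitive actions this long.
STEP_UP_WINDOW_SECONDS = 300

# Constructed sample store: user -> 2FA backup codes (placeholder values, not real codes).
BACKUP_CODES = {"alice": ["code-0001", "code-0002", "code-0003"]}


class StepUpRequired(Exception):
    """Raised when a sensitive action is attempted without a fresh 2FA check."""


@dataclass
class Session:
    """Assumed session shape: password login time plus the last second-factor check."""
    user_id: str
    password_verified_at: float
    second_factor_verified_at: Optional[float] = None


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 seconds by default)."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30) -> bool:
    """Accept the current step and one step either side to tolerate clock drift.
    Constant-time comparison so code checking does not leak timing information."""
    counter = int(now) // step
    for drift in (-1, 0, 1):
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False


def step_up(session: Session, secret: bytes, code: str, now: float) -> bool:
    """Record a fresh second-factor verification on the session if the code is valid."""
    if verify_totp(secret, code, now):
        session.second_factor_verified_at = now
        return True
    return False


def view_backup_codes_vulnerable(session: Session) -> List[str]:
    """Flawed handler: any password-authenticated session can dump the backup codes."""
    return BACKUP_CODES[session.user_id]


def view_backup_codes(session: Session, now: float) -> List[str]:
    """Hardened handler: require a second-factor check inside the step-up window.
    A missing, stale, or future-dated verification all force a fresh 2FA prompt."""
    verified = session.second_factor_verified_at
    if verified is None or verified > now or now - verified > STEP_UP_WINDOW_SECONDS:
        raise StepUpRequired("re-enter your 2FA code to view backup codes")
    return BACKUP_CODES[session.user_id]


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real one
    session = Session("alice", password_verified_at=59.0)
    print(totp(secret, 59))  # 287082 per the RFC 6238 test vectors
    try:
        view_backup_codes(session, now=59.0)
    except StepUpRequired as exc:
        print("hardened handler refused:", exc)
    step_up(session, secret, totp(secret, 59), now=59.0)
    print(view_backup_codes(session, now=59.0))
```

The defender's takeaway is that the password-only check is not "working as intended" for any action that reveals or resets a second factor; such endpoints need a step-up check with a short freshness window, and a regression test that asserts the endpoint refuses a session that has only completed the password step.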
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
I went ahead and created a PowerPoint for my lawyer (I was just asking if there was anything I could "do", but there isn't)... the PowerPoint is a little less clusterfucky than this Bitcointalk thread.  I'm going to leave the original post under the next post, but here is a link to the PowerPoint that breaks down how Blockchain.com and HackerOne.com fucked me on a painfully obvious and dangerous 2fa dump logic error.

Powerpoint with the full story:  https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing

tl;dr I reported a problem, they said it was working as intended, they fixed the problem that night, they stiffed me.

Needless to say, we are not going to go forward with any formal complaints and I still hope Blockchain just pays me my fucking bug bounty!

I would NOT trust HackerOne or Blockchain.com's exchange team (previously known as "The Pit") at this point.  (It should be noted that Blockchain.com dropped "The Pit" name and it is now just Exchange.)

I will update this thread when the companies decide to make this right.