Author

Topic: Is Security Bounty still Active? (Read 127 times)

copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
July 28, 2021, 08:09:10 PM
#2
I'm not sure on the architecture of simple machines forums/and this one specifically but a lot of user account hackings can occur from people using weak passwords. I'm not sure I want to cover the details on how to do this without or with the database but it's possible either way if the passwords used aren't very advanced - especially if a user lists the country they're from or you can guess the country/area. It could also be possible to send a phishing link to someone's email and get them to log in/interact with it to get access to their email and/or their account.

I think I'd agree that the bug bounties might be a bit low - potentially the Javascript one of you can inject a photo that is able to deanonymise someone even just on one particular browser - but I'm not sure the best way to increase them either or whether it's even a good idea to (should you wait with a gulnerability you've found because you think they rates will go up again?)
legendary
Activity: 1526
Merit: 1032
Up to 300% + 200 FS deposit bonuses
July 28, 2021, 07:05:13 PM
#1
What kind of vulnerability security bounty hunter got $19 000?

https://bitcointalk.org/sbounties.php

When I look at the meta board, there are a lot of threads want to recovery hacked account, this means lots of hackers with technical skill hanging out here. What does he get? , nothing, just an account with tagged hacked which can't do anything here.

Hackers can get more than that.

Quote
  • $50 000: If you can access any user's PMs arbitrarily, without any interaction from the user, and without any secret data such as user passwords.
  • $20 000: If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords. If you already have an email address, matching it to a user is not a bug.
  • $10 000: If you can make undetectable edits to arbitrary posts or PMs. Compromising a moderator account doesn't count.
  • $2 000: If you can send a user a link, and if they click on it then you will be able to gain access to their account automatically, without any further action from them aside from just visiting one link. Phishing sites don't count; it has to be some sort of CSRF-type attack. You can't assume that you have any secret data about the user such as their session cookie.
  • $2 000: If a regular user without any special permissions can persistently inject JavaScript into a page. If you need a more privileged user, the award amount is halved, and there is no award if you need an administrator account.
  • $1 000: If you can move or delete a post that you are not supposed to be able to.

but don't forget

Quote
You must not publish it elsewhere or share it with anyone else.

even on meta though

good luck
Jump to: