Bitcoin Forum>Other>Meta
Pages:
Author

Topic: Security bounties (Read 146736 times)

SickDayIn
newbie
Activity: 28
Merit: 5
Security bounties
April 16, 2024, 10:31:59 AM
#90
Quote from: theymos on April 08, 2024, 04:07:00 PM
A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.

Thank for your answers to my questions. The intention isn't to simply run Burp Suite Active Scan++ and then send a list of boring TLS/SSL cipher and protocol recommendations. It's really only worth raising findings that have a material impact or risk. I will poke my nose around and see if I find anything.
theymos
administrator
Activity: 5166
Merit: 12850
Re: Security bounties
April 08, 2024, 04:07:00 PM
#89
Quote from: SickDayIn on April 03, 2024, 01:53:47 AM
1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?

No.

Quote from: SickDayIn on April 03, 2024, 01:53:47 AM
2) Is it acceptable to use newly created / generic sock puppet accounts for testing?

Yes.

Quote from: SickDayIn on April 03, 2024, 01:53:47 AM
3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful)

Probably only for the listed security bounties.

Quote from: SickDayIn on April 03, 2024, 01:53:47 AM
4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?

IPs are only banned for making too many requests, not for suspicious behavior. So just don't make more than one request per second.
A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.
SickDayIn
newbie
Activity: 28
Merit: 5
Re: Security bounties
April 03, 2024, 01:53:47 AM
#88
I have a few questions related to performing security testing on this site, particularly as I don't want to get my current account banned by accident.

1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?
2) Is it acceptable to use newly created / generic sock puppet accounts for testing?
3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful)
4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?
PrimeNumber7
copper member
Activity: 1610
Merit: 1898
Amazon Prime Member #7
Re: Security bounties
September 05, 2021, 03:28:08 AM
#87
Quote from: n0nce on September 04, 2021, 06:45:11 PM
Or was SMF 1.1.19 modified in some way or another?
There are several features added to the SMF 1.1.19 codebase, and I don't believe the code for these features is public. Some of the modifications to SMF 1.1.19 may have been to close security holes/issues.

While following the terms in the OP (which primarily consist of the requirement that PenTesters not cause disruption to the forum, and not access 3rd party data, you can find security weaknesses in the forum software, and collect the respective bounties.
n0nce
hero member
Activity: 882
Merit: 5814
not your keys, not your coins!
Re: Security bounties
September 04, 2021, 06:45:11 PM
#86
I'm not sure how building forums with software like SMF works, but if BitcoinTalk is 'just' a specific configuration of SMF 1.1.19, are we essentially looking for bugs in SMF 1.1.19?
Or was SMF 1.1.19 modified in some way or another?

I'm asking because it usually makes sense to look for bugs in a locally installed version of software opposed to pentesting a live system.
actmyname
copper member
Activity: 2562
Merit: 2504
Spear the bees
Re: Security bounties
August 17, 2021, 05:35:22 AM
#85
Quote from: GazetaBitcoin on August 12, 2021, 10:08:26 AM
only once in your posting history, once you reach 1337 posts.
Unless you delete your posts after the fact Wink

Quote from: GazetaBitcoin on August 12, 2021, 10:08:26 AM
This is the story of the leet and here, on the forum, I think it was implemented as a funny easter egg.
IIRC this is just a native SMF easter egg: simply part of the toolkit. It just wasn't removed like a few of the other things as it has no significant impact.
GazetaBitcoin
legendary
Activity: 1680
Merit: 6520
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
Re: Security bounties
August 12, 2021, 10:08:26 AM
#84
Quote from: icopress on August 04, 2021, 07:54:32 AM
Has anyone ever come across such a display of the number of posts? I disabled the extension used but the situation has not changed.

As Xal0lex provided some examples, yes, there is no problem with the "leet" you saw at the profile, icopress. In case there is still any misunderstanding, this is a sort of easter egg, a perk, which appears only once in your posting history, once you reach 1337 posts. In Internet slang, the number 1337 is sometimes spelled as leet or l33t. This number / word is used instead of elite. So when someone tries to say s/he is part of the elite, in Internet slang s/he can write as leet, l33t or 1337.

This is the story of the leet and here, on the forum, I think it was implemented as a funny easter egg. However, the "leet" is not displayed with other occasions - such as when reaching 1337 merits, so it is only once in your life when you see it in your posting history. I am glad you took a screenshot of the moment Smiley

All in all, it's supposed to be something funny. Similar to the pic below:




Xal0lex
staff
Activity: 2436
Merit: 2347
Re: Security bounties
August 04, 2021, 12:16:22 PM
#83
I found several dozen topics only in the Meta about this  Wink

1337
Posts: "leet"? What???
Post Count : leet
What is "leet"? In my profile
Did I just found the easter egg of the forum??

etc.
icopress
legendary
Activity: 1456
Merit: 5874
light_warrior ... 🕯️
Re: Security bounties
August 04, 2021, 07:54:32 AM
#82
Has anyone ever come across such a display of the number of posts? I disabled the extension used but the situation has not changed.



In order not to create a new thread, I will leave my observation here due to the fact that this thread is associated with possible errors found.
fronti
legendary
Activity: 2909
Merit: 1307
Re: Security bounties
July 30, 2021, 05:01:50 AM
#81
Maybe i missed it but why the bounties are in US$ and not in XAU anymore?



bL4nkcode
copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
Re: Security bounties
April 04, 2021, 11:21:00 AM
#80
Quote from: Rokon5 on April 04, 2021, 10:34:58 AM
Any one can invest here and can growing their trade because It has good security.
All investments posted here are actually held on other websites, what bitcointalk can only offer is safety and secured forum due to previous hacks/attacks that leaks user's privacy including emails, phone number, locations posted on pm when dealing someone.
Rokon5
newbie
Activity: 264
Merit: 0
Re: Security bounties
April 04, 2021, 10:34:58 AM
#79
This is probably the highest security bounty of any forum.I am new here but I know it's security is high for this reason I love bounties.Any one can invest here and can growing their trade because It has good security.
alpha_wisdom
newbie
Activity: 6
Merit: 0
Re: Security bounties
December 04, 2020, 11:49:52 PM
#78
You should put this bounty into SMF Forum's core also.
JeromeTash
legendary
Activity: 2100
Merit: 1208
Heisenberg
Re: Security bounties
October 05, 2020, 05:26:49 PM
#77
Quote from: fokinlipat on October 04, 2020, 10:32:46 AM
Is only bitcointalk.org domain considered for this or any other also ?
Like it is said in the OP. The security bounties are exclusively for the forum (bitcointalk.org). Why would admin create security bounties for other domains that the forum is not affiliated with?

Quote from: theymos on October 12, 2013, 01:09:00 PM
The forum is offering bounties for security vulnerabilities.
fokinlipat
jr. member
Activity: 187
Merit: 2
Re: Security bounties
October 04, 2020, 10:32:46 AM
#76
Is only bitcointalk.org domain considered for this or any other also ?
Security Engineer
newbie
Activity: 14
Merit: 1
Re: Security bounties
August 29, 2019, 07:17:33 PM
#75
Hello theymos.

I quote here two post regarding BitcoinTalk's security and I hope you will do what I recommended.

Quote from: ?? on ??
@theymos If I'm you I would remove Google reCaptcha before a DoS hits your main server! The sitekey my boy, the sitekey... I also did some research around the SSL certificates you got from Sectigo... Later I will contact you when I decided what to do with all this.

You don't want to keep that Google reCaptcha there mainly not only because I was able to indentify your server behind cloud but you don't need that at all! Before the cloud it was useful but now you can use just one captcha... better for you.

Quick tips for mitigation: Remove Google reCaptcha and implement Argo Tunnel

Quote from: Security Engineer on August 29, 2019, 06:44:20 PM
Quote from: Chikito on August 29, 2019, 06:35:59 PM
Quote from: Security Engineer on August 29, 2019, 12:46:09 PM
administrator of this forum without any knowledge of programming. I have read his post from the very first one and nothing indicates he had any knowledge of programming.
Bitcointalk are Big forum have over 2.6 Million member need knowledge of management. And not necesarry know about programing.
Manager can recruit people who have knowledge about it.
That is correct DroomieChikito!  Wink

If @theymos do what I recommended to him here: https://bitcointalksearch.org/topic/doubt-about-bitcointalk-5179950 and in PM than he never again would need to even think about that something bad happens to the server(s) of BitcoinTalk. In the current state BitcoinTalk is vulnerable. If he does what I recommended it will mitigate all types of attacks once and forever.

This topic will loose it relevance immediately: https://bitcointalksearch.org/topic/m.3326091 meaning that no more bounty. Some regarding the forum and email can be still ongoing but he would need to rewrite the entire post.

Cheers!


I can't reply to your PM theymos Cheesy I'm to new here...  Roll Eyes
I got your PGP key. I will send you what you asked. Right now I'm busy with something else. I can assure you soon you will get the response in PM or in an encrypted email.

Is this yours?
Code:
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQMuBExwwKsRCADZL8C3DWzSohJv6qcrZ2r0jdhY/BhUKzs8utbpa+wbPrBztNCN
9Gxu+6PUiFVuEhpdXpCKGy2sf+CyzOTdGYJtlIykH6jdEW/PLyW5a23SKZEHvI4S
RNWZCPF9kqujRHb++mrf6t6ehiMUkFcn0aQOYMMrk/pVrdx3LmmUSgsvOvCRRWS3
vo1uNJdlnqOA7pc6sgOs7bZI32zVk4p+1QVgZ6gKAOx2ga8IBILs3KMzt72WFdF1
1W0k92T/xQ+FHf0O9nMdeN/qKRBSZn1CMoJgaG23Kj8O3K3AwEgijBD60ByvIHOL
7WjFJ8IVA/obhn/Xoa1ZD91rDYvH/18kldVXAQDTdgjwDHNd4AItspbLTMvtovK8
RxWvNiHy7nE6j/BmlQgAl02c0soZXL2VhGw0gX+gIUZY3jD2pWQSFqdUb+dXNqVI
ISjINPqD35xm7Hll4B5CSlsjz5j+gJc8xrfWw1YAjK6SJxhQcevI+wbXBqfX3pYj
MYeOgszkSHAcs5EsW03EdYQ9SlrFk+5+4hsUBp86hEb3xaqkj3a2X3cO1J3erZ2R
ScFayjr7aTCuSmdguCsslSSyn/xW+N7f0s/C4JPgnVznfw1/BpNm7gFTfKidGmlx
ib4JtrxlwuYwNRbEFsynFHA+hjHa+NyJBHdf+MUyTQ/bzpiEhxL9QXKRDBTAGVMx
f44qR07JtFfZjogEXSWt1NP2fJhMsqWyFHJq7n7Kegf+NMPvIOiVJiAKjEQ5j2+6
X+DbBcjRgKr0vNdYeP7dnGK47LPRfX3EE+dTQerawlWunPoHBRkRmDShjxxwlV1F
eTf+buj5yFCBPNCAxKsnXi1EN78iPNkTbnWgKutTDup/fKY+1MZbK/FiymMvHes0
77n0HvzVrQIRaqmk6/jPC6o8f7IuZzpmYFnyUha2v0kdX0VcJATV/AzcIIVFJc5X
YLdcpRxW7qxIvOAJqpHvxl7Gdj7oYBwvnbnU/2Hl3HWh9Lo4AjfD+KpfT/F+iMiK
A4k5geMKtdJk+BLVZYos4qCAZX6VXraTDP2lVWXYzWGP9HKuos19H4V/y/LgJGFe
pbQnTWljaGFlbCBNYXJxdWFyZHQgPG1pY2hhZWxfbStwZ3BAbW0uc3Q+iIAEExEI
ACgCGwMCHgECF4AFAkxww8QLCwkNCAwHCwoDBAIGFQgKCQsDBRYDAgEAAAoJEMZV
VpPatZHnOagBALomn7hramaFsh4W/UfP7dUIXE9BMzgGzHM5rxIkmkSHAP0SAFRV
PBjl2xMYWJWIFnzVMX6odojMv6hneChqjhCTCLQbdGhleW1vcyA8dGhleW1vcytw
Z3BAbW0uc3Q+iIAEExEIACgCGwMCHgECF4AFAkxww8QLCwkNCAwHCwoDBAIGFQgK
CQsDBRYDAgEAAAoJEMZVVpPatZHn4isBAKTwaR9MGR6lKAdS74C+8fgDalbEf4uh
6/mAVFhQYp+GAP9quUjlRyr/po10gTEKStoXOAZ9sRhrb3TlxDRf8C1BWrkCDQRW
DgiMEAgAvWIlg2CjBwhtmMgy+RoS6/HeevH0Qnz3PntfWsTqZuw4kNcu/Xk6HCmY
clN/Lqy8nn/FTaplKTAJS14J20F16nCv5fpzJKB/5i8HLpNz16xpSSPErn1whsKV
/wFCheQ/oFGcJFZvcmauB6iJ3XBvJbAQqF7+mH2ijAHVnwb7V7ANlWyqjbYxPoyb
ro69HUoRojh5MTNv/xGLIajjNH8Ckp9J2XUCWtavj4xJEIoWB3i3C/A0NVQuPGS5
1MqvhWaRvbVlrdhqAuNN1culvZpSLu1y+2vLiyLolLn70viuyH/ouoV/NRo4yFpP
yA1PXDxk+51petVxXPXbVdqvun9Y0wADBQgAmKTl1iwmUr5ncMIc13Bkj5nzF+w8
11OPZ3P98J7Cos0cIXpqLf8FgDr0xU2oPoq33i59xK0SIrj1TqjiSWC4S5YkJNEm
/hgyb+UOk2D2Xm0SKr+2BDMSREEsLhYO1vSi1O0ND1g2QgoQNQ91aMVZ92IX4V8h
++/8smxxcjLkCRc9YrzsRLeuP3PE489n8MzdYbui7vU+RJhKL7mlKKWDKxko3sVH
kmy3CBjjyp04KNAGJwpQzY8G3XmK9eRSypc71ST0ziJxFk5+DPEM8IPZGbHvCS0k
a2yf8Gp5oaCDkSKxNoAnMKcM7fTkFuekAvRKBGB/u+71anvpRCxKslc1gYh+BBgR
CAAmAhsMFiEEXms/O6lhGTxcm0Q1xlVWk9q1kecFAl1bRX0FCQzw13EACgkQxlVW
k9q1kedNhgD+Pp0ZBMuN9VUtzuIsS9gp0DiMmehOdCV99SifqH0phWEBAISGZ6Zl
bY8GhzbuuorCW/UUPHDODxiuBvHI9+/qFjDx
=39Rd
-----END PGP PUBLIC KEY BLOCK-----
STT
legendary
Activity: 3878
Merit: 1411
Leading Crypto Sports Betting & Casino Platform
Re: Security bounties
July 19, 2019, 12:12:44 AM
#74
I will speak to someone next week who does this vulnerability testing professionally.   Maybe he will tip me if he has a trick from work and manages to do anything :p


Quote from: STSToken on July 09, 2018, 08:19:27 AM
Is there any plans to increase the bounty awards?
They increase every day so long as the gold price does

Quote from: cescudero95 on September 12, 2018, 08:35:31 PM

Sorry, but what is XAU exactly?
https://www.xe.com/currencycharts/?from=XAU&to=USD&view=10Y

XAG is silver

https://www.xe.com/iso4217.php#X

Quote from: dree12 on October 13, 2013, 07:57:21 PM
Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.
The forum is internationally based could be one point but mostly I think of Dollar as the pre nixon standard of being fixed to gold hence its always reasonable to offer gold long term especially to an international audience.   If I have no liabilities in dollars then the gold could be preferable, dollars do depreciate over time and this topic is years old.   Honestly everyone should keep a little gold, maybe I'm biased or maybe people forgot +10% interest rates, etc. I havent.
theymos
administrator
Activity: 5166
Merit: 12850
Re: Security bounties
September 13, 2018, 12:28:36 AM
#73
Quote from: cescudero95 on September 12, 2018, 08:35:31 PM
Sorry, but what is XAU exactly?

Troy ounces of gold.
cescudero95
jr. member
Activity: 98
Merit: 2
Re: Security bounties
September 12, 2018, 08:35:31 PM
#72
Quote from: theymos on July 22, 2018, 06:24:23 PM
Quote from: yakovs on July 22, 2018, 02:25:55 AM
And what about current stats ?

Doing a quick count, it looks like a total of about 11.4 XAU has been paid in security bounties since inception.

Sorry, but what is XAU exactly?
Mpamaegbu
legendary
Activity: 2674
Merit: 1208
Once a man, twice a child!
Re: Security bounties
September 11, 2018, 07:51:44 AM
#71
Quote from: ridertiger on July 10, 2018, 09:50:28 AM
https:// bitcointalk.org/ is a copy cat and one time I almost entered my password there. Good thing I did not, but is there anyhthing, anyone can do about that site?
If you feel that truly that site is a phishing one why not deactivate the link so no one mistakenly falls prey to it. But I seem not to see anything different from that site as it is the same with our BTT in spelling and all that.
Pages:
Bitcoin Forum>Other>Meta
Jump to: