Regarding your question about the bug category, it seems like the focus is primarily on accessing sensitive user information without their interaction or consent. If any additional details about users are revealed in a similar manner—like viewing private messages or account settings—those would likely also fall under this category, especially if they compromise user privacy or security.
As for associating an email with a username, if you find a method that allows you to easily correlate the two without proper authorization, it's worth reporting. Even if it's not a direct breach of sensitive information like passwords or email addresses, it could still pose a risk to user privacy. It's always better to err on the side of caution and inform the relevant parties about potential vulnerabilities.
Topic: Security bounties (Read 170863 times)
Also, associating email to username is not valid in any case at all ? If there is some easy way to associate email to username , should I report it or is it not considered valid in any case at all ?
That's not valid at all.
For bug of this category
If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords.
Will any other details related to users if revealed with the bug be considered in this category or is it limited to only the options mentioned above?
If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords.
Will any other details related to users if revealed with the bug be considered in this category or is it limited to only the options mentioned above?
For other data, it will not be considered as part of that bounty, but I may award some amount, depending on the details.
For bug of this category
If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords.
Will any other details related to users if revealed with the bug be considered in this category or is it limited to only the options mentioned above?
Also, associating email to username is not valid in any case at all ? If there is some easy way to associate email to username , should I report it or is it not considered valid in any case at all ?
If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords.
Will any other details related to users if revealed with the bug be considered in this category or is it limited to only the options mentioned above?
Also, associating email to username is not valid in any case at all ? If there is some easy way to associate email to username , should I report it or is it not considered valid in any case at all ?
A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.
Thank for your answers to my questions. The intention isn't to simply run Burp Suite Active Scan++ and then send a list of boring TLS/SSL cipher and protocol recommendations. It's really only worth raising findings that have a material impact or risk. I will poke my nose around and see if I find anything.
1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?
No.
2) Is it acceptable to use newly created / generic sock puppet accounts for testing?
Yes.
3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful)
Probably only for the listed security bounties.
4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?
IPs are only banned for making too many requests, not for suspicious behavior. So just don't make more than one request per second.
A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.
I have a few questions related to performing security testing on this site, particularly as I don't want to get my current account banned by accident.
1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?
2) Is it acceptable to use newly created / generic sock puppet accounts for testing?
3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful)
4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?
1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?
2) Is it acceptable to use newly created / generic sock puppet accounts for testing?
3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful)
4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?
Or was SMF 1.1.19 modified in some way or another?
There are several features added to the SMF 1.1.19 codebase, and I don't believe the code for these features is public. Some of the modifications to SMF 1.1.19 may have been to close security holes/issues. While following the terms in the OP (which primarily consist of the requirement that PenTesters not cause disruption to the forum, and not access 3rd party data, you can find security weaknesses in the forum software, and collect the respective bounties.
I'm not sure how building forums with software like SMF works, but if BitcoinTalk is 'just' a specific configuration of SMF 1.1.19, are we essentially looking for bugs in SMF 1.1.19?
Or was SMF 1.1.19 modified in some way or another?
I'm asking because it usually makes sense to look for bugs in a locally installed version of software opposed to pentesting a live system.
Or was SMF 1.1.19 modified in some way or another?
I'm asking because it usually makes sense to look for bugs in a locally installed version of software opposed to pentesting a live system.
only once in your posting history, once you reach 1337 posts.
Unless you delete your posts after the fact 
This is the story of the leet and here, on the forum, I think it was implemented as a funny easter egg.
IIRC this is just a native SMF easter egg: simply part of the toolkit. It just wasn't removed like a few of the other things as it has no significant impact. legendary
Activity: 1680
Merit: 6524
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
Has anyone ever come across such a display of the number of posts? I disabled the extension used but the situation has not changed.
As Xal0lex provided some examples, yes, there is no problem with the "leet" you saw at the profile, icopress. In case there is still any misunderstanding, this is a sort of easter egg, a perk, which appears only once in your posting history, once you reach 1337 posts. In Internet slang, the number 1337 is sometimes spelled as leet or l33t. This number / word is used instead of elite. So when someone tries to say s/he is part of the elite, in Internet slang s/he can write as leet, l33t or 1337.
This is the story of the leet and here, on the forum, I think it was implemented as a funny easter egg. However, the "leet" is not displayed with other occasions - such as when reaching 1337 merits, so it is only once in your life when you see it in your posting history. I am glad you took a screenshot of the moment
All in all, it's supposed to be something funny. Similar to the pic below:
I found several dozen topics only in the Meta about this
1337
Posts: "leet"? What???
Post Count : leet
What is "leet"? In my profile
Did I just found the easter egg of the forum??
etc.
1337
Posts: "leet"? What???
Post Count : leet
What is "leet"? In my profile
Did I just found the easter egg of the forum??
etc.
Has anyone ever come across such a display of the number of posts? I disabled the extension used but the situation has not changed.
In order not to create a new thread, I will leave my observation here due to the fact that this thread is associated with possible errors found.
In order not to create a new thread, I will leave my observation here due to the fact that this thread is associated with possible errors found.
Maybe i missed it but why the bounties are in US$ and not in XAU anymore?
Any one can invest here and can growing their trade because It has good security.
All investments posted here are actually held on other websites, what bitcointalk can only offer is safety and secured forum due to previous hacks/attacks that leaks user's privacy including emails, phone number, locations posted on pm when dealing someone.
This is probably the highest security bounty of any forum.I am new here but I know it's security is high for this reason I love bounties.Any one can invest here and can growing their trade because It has good security.
You should put this bounty into SMF Forum's core also.
Is only bitcointalk.org domain considered for this or any other also ?
Like it is said in the OP. The security bounties are exclusively for the forum (bitcointalk.org). Why would admin create security bounties for other domains that the forum is not affiliated with? The forum is offering bounties for security vulnerabilities.
Is only bitcointalk.org domain considered for this or any other also ?
Hello theymos.
I quote here two post regarding BitcoinTalk's security and I hope you will do what I recommended.
Manager can recruit people who have knowledge about it.
That is correct DroomieChikito!
If @theymos do what I recommended to him here: https://bitcointalksearch.org/topic/doubt-about-bitcointalk-5179950 and in PM than he never again would need to even think about that something bad happens to the server(s) of BitcoinTalk. In the current state BitcoinTalk is vulnerable. If he does what I recommended it will mitigate all types of attacks once and forever.
This topic will loose it relevance immediately: https://bitcointalksearch.org/topic/m.3326091 meaning that no more bounty. Some regarding the forum and email can be still ongoing but he would need to rewrite the entire post.
Cheers!
I can't reply to your PM theymos
I'm to new here... 
I got your PGP key. I will send you what you asked. Right now I'm busy with something else. I can assure you soon you will get the response in PM or in an encrypted email.
Is this yours?
I quote here two post regarding BitcoinTalk's security and I hope you will do what I recommended.
@theymos If I'm you I would remove Google reCaptcha before a DoS hits your main server! The sitekey my boy, the sitekey... I also did some research around the SSL certificates you got from Sectigo... Later I will contact you when I decided what to do with all this.
You don't want to keep that Google reCaptcha there mainly not only because I was able to indentify your server behind cloud but you don't need that at all! Before the cloud it was useful but now you can use just one captcha... better for you.
Quick tips for mitigation: Remove Google reCaptcha and implement Argo Tunnel
You don't want to keep that Google reCaptcha there mainly not only because I was able to indentify your server behind cloud but you don't need that at all! Before the cloud it was useful but now you can use just one captcha... better for you.
Quick tips for mitigation: Remove Google reCaptcha and implement Argo Tunnel
administrator of this forum without any knowledge of programming. I have read his post from the very first one and nothing indicates he had any knowledge of programming.
Bitcointalk are Big forum have over 2.6 Million member need knowledge of management. And not necesarry know about programing. Manager can recruit people who have knowledge about it.
If @theymos do what I recommended to him here: https://bitcointalksearch.org/topic/doubt-about-bitcointalk-5179950 and in PM than he never again would need to even think about that something bad happens to the server(s) of BitcoinTalk. In the current state BitcoinTalk is vulnerable. If he does what I recommended it will mitigate all types of attacks once and forever.
This topic will loose it relevance immediately: https://bitcointalksearch.org/topic/m.3326091 meaning that no more bounty. Some regarding the forum and email can be still ongoing but he would need to rewrite the entire post.
Cheers!
I can't reply to your PM theymos
I'm to new here... I got your PGP key. I will send you what you asked. Right now I'm busy with something else. I can assure you soon you will get the response in PM or in an encrypted email.
Is this yours?
Code:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQMuBExwwKsRCADZL8C3DWzSohJv6qcrZ2r0jdhY/BhUKzs8utbpa+wbPrBztNCN
9Gxu+6PUiFVuEhpdXpCKGy2sf+CyzOTdGYJtlIykH6jdEW/PLyW5a23SKZEHvI4S
RNWZCPF9kqujRHb++mrf6t6ehiMUkFcn0aQOYMMrk/pVrdx3LmmUSgsvOvCRRWS3
vo1uNJdlnqOA7pc6sgOs7bZI32zVk4p+1QVgZ6gKAOx2ga8IBILs3KMzt72WFdF1
1W0k92T/xQ+FHf0O9nMdeN/qKRBSZn1CMoJgaG23Kj8O3K3AwEgijBD60ByvIHOL
7WjFJ8IVA/obhn/Xoa1ZD91rDYvH/18kldVXAQDTdgjwDHNd4AItspbLTMvtovK8
RxWvNiHy7nE6j/BmlQgAl02c0soZXL2VhGw0gX+gIUZY3jD2pWQSFqdUb+dXNqVI
ISjINPqD35xm7Hll4B5CSlsjz5j+gJc8xrfWw1YAjK6SJxhQcevI+wbXBqfX3pYj
MYeOgszkSHAcs5EsW03EdYQ9SlrFk+5+4hsUBp86hEb3xaqkj3a2X3cO1J3erZ2R
ScFayjr7aTCuSmdguCsslSSyn/xW+N7f0s/C4JPgnVznfw1/BpNm7gFTfKidGmlx
ib4JtrxlwuYwNRbEFsynFHA+hjHa+NyJBHdf+MUyTQ/bzpiEhxL9QXKRDBTAGVMx
f44qR07JtFfZjogEXSWt1NP2fJhMsqWyFHJq7n7Kegf+NMPvIOiVJiAKjEQ5j2+6
X+DbBcjRgKr0vNdYeP7dnGK47LPRfX3EE+dTQerawlWunPoHBRkRmDShjxxwlV1F
eTf+buj5yFCBPNCAxKsnXi1EN78iPNkTbnWgKutTDup/fKY+1MZbK/FiymMvHes0
77n0HvzVrQIRaqmk6/jPC6o8f7IuZzpmYFnyUha2v0kdX0VcJATV/AzcIIVFJc5X
YLdcpRxW7qxIvOAJqpHvxl7Gdj7oYBwvnbnU/2Hl3HWh9Lo4AjfD+KpfT/F+iMiK
A4k5geMKtdJk+BLVZYos4qCAZX6VXraTDP2lVWXYzWGP9HKuos19H4V/y/LgJGFe
pbQnTWljaGFlbCBNYXJxdWFyZHQgPG1pY2hhZWxfbStwZ3BAbW0uc3Q+iIAEExEI
ACgCGwMCHgECF4AFAkxww8QLCwkNCAwHCwoDBAIGFQgKCQsDBRYDAgEAAAoJEMZV
VpPatZHnOagBALomn7hramaFsh4W/UfP7dUIXE9BMzgGzHM5rxIkmkSHAP0SAFRV
PBjl2xMYWJWIFnzVMX6odojMv6hneChqjhCTCLQbdGhleW1vcyA8dGhleW1vcytw
Z3BAbW0uc3Q+iIAEExEIACgCGwMCHgECF4AFAkxww8QLCwkNCAwHCwoDBAIGFQgK
CQsDBRYDAgEAAAoJEMZVVpPatZHn4isBAKTwaR9MGR6lKAdS74C+8fgDalbEf4uh
6/mAVFhQYp+GAP9quUjlRyr/po10gTEKStoXOAZ9sRhrb3TlxDRf8C1BWrkCDQRW
DgiMEAgAvWIlg2CjBwhtmMgy+RoS6/HeevH0Qnz3PntfWsTqZuw4kNcu/Xk6HCmY
clN/Lqy8nn/FTaplKTAJS14J20F16nCv5fpzJKB/5i8HLpNz16xpSSPErn1whsKV
/wFCheQ/oFGcJFZvcmauB6iJ3XBvJbAQqF7+mH2ijAHVnwb7V7ANlWyqjbYxPoyb
ro69HUoRojh5MTNv/xGLIajjNH8Ckp9J2XUCWtavj4xJEIoWB3i3C/A0NVQuPGS5
1MqvhWaRvbVlrdhqAuNN1culvZpSLu1y+2vLiyLolLn70viuyH/ouoV/NRo4yFpP
yA1PXDxk+51petVxXPXbVdqvun9Y0wADBQgAmKTl1iwmUr5ncMIc13Bkj5nzF+w8
11OPZ3P98J7Cos0cIXpqLf8FgDr0xU2oPoq33i59xK0SIrj1TqjiSWC4S5YkJNEm
/hgyb+UOk2D2Xm0SKr+2BDMSREEsLhYO1vSi1O0ND1g2QgoQNQ91aMVZ92IX4V8h
++/8smxxcjLkCRc9YrzsRLeuP3PE489n8MzdYbui7vU+RJhKL7mlKKWDKxko3sVH
kmy3CBjjyp04KNAGJwpQzY8G3XmK9eRSypc71ST0ziJxFk5+DPEM8IPZGbHvCS0k
a2yf8Gp5oaCDkSKxNoAnMKcM7fTkFuekAvRKBGB/u+71anvpRCxKslc1gYh+BBgR
CAAmAhsMFiEEXms/O6lhGTxcm0Q1xlVWk9q1kecFAl1bRX0FCQzw13EACgkQxlVW
k9q1kedNhgD+Pp0ZBMuN9VUtzuIsS9gp0DiMmehOdCV99SifqH0phWEBAISGZ6Zl
bY8GhzbuuorCW/UUPHDODxiuBvHI9+/qFjDx
=39Rd
-----END PGP PUBLIC KEY BLOCK-----
I will speak to someone next week who does this vulnerability testing professionally. Maybe he will tip me if he has a trick from work and manages to do anything :p
Sorry, but what is XAU exactly?
https://www.xe.com/currencycharts/?from=XAU&to=USD&view=10Y
XAG is silver
https://www.xe.com/iso4217.php#X
Is there any plans to increase the bounty awards?
They increase every day so long as the gold price doesSorry, but what is XAU exactly?
XAG is silver
https://www.xe.com/iso4217.php#X
Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.
The forum is internationally based could be one point but mostly I think of Dollar as the pre nixon standard of being fixed to gold hence its always reasonable to offer gold long term especially to an international audience. If I have no liabilities in dollars then the gold could be preferable, dollars do depreciate over time and this topic is years old. Honestly everyone should keep a little gold, maybe I'm biased or maybe people forgot +10% interest rates, etc. I havent. Jump to: