Chris Evans

3.5K posts


@scarybeasts

CISO and Chief Hacking Officer at HackerOne. Past: Founded {vsftpd, Chrome security, Google Project Zero}; Tesla; Dropbox. Hacker / Researcher. beebjit.

San Francisco Bay Area · Joined May 2009
202 Following · 25.1K Followers
Pinned Tweet
Chris Evans@scarybeasts
I'm now CISO and Chief Hacking Officer at HackerOne. "The most rewarding parts of my career have been the times when I’ve hired hackers, rewarded independent hackers, defended hackers, and celebrated the achievements of hackers." linkedin.com/posts/scarybea…
Chris Evans retweeted
Mårten Mickos@martenmickos
The live hacking in Las Vegas is EPIC! Scoreboard shows $243,950 and we are only getting going.
zseano@zseano
@michielprins @MetaMask How come "Managed by HackerOne" and "Includes retesting" (and I think there was one for bounty splitting?) was removed? That info is useful to hackers :)
Michiel Prins@michielprins
That was fast. Within hours of publicly releasing the new Program Declarations, @MetaMask has already adopted the Open Scope and Fast Payment declarations. Great programs move with a high sense of urgency! hackerone.com/metamask?type=…
Chris Evans@scarybeasts
Hackers, thanks as always for the on-point feedback! The missing tags, e.g. "Managed by HackerOne", are coming back. See screenshot. In the interim, it's still possible to search on them. And the new ones. I'm excited for programs to respect you by committing to "Fast Payment".
Chris Evans@scarybeasts
Hackers, based on feedback, we're planning to separate out and make BBP reputation the primary measure on profiles and leaderboards. Further iterations likely to follow -- feedback welcome as always.
Chris Evans@scarybeasts
Hackers, there's now a better UI for programs to give you testimonials on your public profile. As Chief Hacking Officer, it's my expectation that any top-tier or world-class program uses this to celebrate the best reports. Share with your friends who operate programs!
zy9ard3@zy9ard3
Hey @jobertabma @scarybeasts, I came across this hackerone.com/ips program which is defined as VDP on their policy but running as BBP & misleading researchers. H1 should not allow this; if they have no budget for BBP, change their license to VDP or disable them #bugbountytips
Chris Evans@scarybeasts
Thanks @galnagli for the feedback. There is no new policy but there was a documentation error, which is now fixed. Keep the feedback coming!
Nagli@galnagli

The new @Hacker0x01 policy around CVE reports is concerning, especially for High & Critical ones, as it potentially keeps hundreds of their customers vulnerable to critical ransomware-leading risks by withholding information as they are automatically being set as "Informative." A report that could have resulted in a $3,000-$15,000 bounty, based on the customer's assessment of its helpfulness, will very likely become a 6-7 digit Incident Response bill. I hope this policy will change soon. Let's break down what happens today when you report a critical CVE to a Managed program:

Up until a few weeks ago, programs could set in their policy that they do not accept CVE reports with a public advisory up to 30 days from disclosure. This was a reasonable decision for the program to make when it was harder to exploit, detect, and take down systems. As of the latest update, a site-wide ruling was enforced for the triage teams to not forward any incoming CVE to their customers if it is less than 30 days since disclosure, even if it is a critical LFI/RCE with one simple request, completely overriding the customer's policy that welcomes them. (docs.hackerone.com/en/articles/84…)

Some serious questions arise from this policy:

Timing: What constitutes a "reasonable period of time"? For example, with the latest Checkpoint LFI, the public exploitation POC came about 5 days after disclosure. Make a drop-down for the customer to decide based on their own threat model?

Validity: The policy states, "The following issues will be closed as invalid except in rare circumstances demonstrating clear security impact." Isn't unauth RCE/LFI enough?

Rationale: Researchers will still report these issues, customers would appreciate the value from their bug bounty platform, and the platform would benefit from reporting it first to their customers rather than relying on other security tools.

Communication: This may push researchers towards off-platform communications, bypassing triage processes. As a researcher and ethical hacker, I want to ensure the programs are aware of serious risks to their infrastructure.

Obfuscation: Researchers might obfuscate their findings to bypass the policy, making it harder for clients to implement fixes.

Bug Bounty Goals: One main goal of a Bug Bounty program is to report exploitable CVEs. This policy seems to contradict that.

Double Policies: Programs' own policies are not being taken seriously if site-wide restrictions are overriding them.

Yesterday I was fortunate enough to experience three different outcomes when reporting the Checkpoint VPN CVE (a simple LFI that can lead to an easy RCE):

1. HackerOne Managed Program: Report to a program with a >$10B market value on their main VPN was directly closed as informative, not passed to the team, leaving the appliance vulnerable.
2. HackerOne Managed Program: Report to a program with >$10B market value on 10 VPNs was picked up before triage after tagging the program manager, who is evaluating it and will probably pay for it as they take critical risks super seriously.
3. BugCrowd Report: Triager passed the issue to the team due to its criticality. The team acknowledged it was out of scope but decided to pay a courtesy award.

This is not just a rant. I genuinely think this policy is a mistake and want to improve processes for everyone involved. This situation appears to be a loss for the platform, customers, and hackers.

Potential Solutions:

Highway Pass for Critical & High CVEs: Forward these reports to programs as "Pending Program Review," allowing the program to decide on the reward.

Set a Reasonable Date: Accept reports "5-7 days" after publication. If a customer hasn't addressed a CVE within a week, additional delay is unlikely to help.

Opt-in Policies: Allow programs to opt in to strict rules rather than auto-enforcing them, ensuring critical information isn't hidden from customers.

Again, the goal is to improve the experience for everyone involved in the #BugBounty space. We should definitely find those vulnerabilities and notify the customers over their legacy tools, allowing them to double down and invest more in their programs. 🙏

Chris Evans@scarybeasts
@galnagli @Hacker0x01 The document is incorrect. We will fix it. The Detailed Platform Standard is "Programs should pay a reward if they have received value [...]. This includes if an asset owner has changed a configuration or applied a patch outside of a regular schedule because of the report."
Chris Evans retweeted
Mårten Mickos@martenmickos
The massive Ambassador World Cup is starting again, with 700 hackers competing in 40 teams. Last year, one of our major customers said it was the best thing they ever did.
Chris Evans@scarybeasts
@zy9ard3 Can you DM me any program handle(s)? I can look to see if it's a data problem or something else.
zy9ard3@zy9ard3
@scarybeasts make it mandatory just like bounty timeline... Some programs are hiding this
Chris Evans@scarybeasts
Hackers, thanks for the feedback on bounty table transparency enhancements. Glad it's useful! Why do this? See screenshot of great program. You deserve to know a program honors its bounty table, uses the extent of any ranges, and is generous with High / Critical severities.
Chris Evans retweeted
Jobert Abma@jobertabma
Hackers, today we’re announcing Spot Checks for all; a new way to help organizations all over the world by testing specific areas of their systems. Spot Checks vary in size and often pay out quickly (we’ve seen $500 within minutes). Opportunities show up on @Hacker0x01 and in your email inbox. Happy hacking!
Martijn Russchen@mrusschen

Excited to introduce @Hacker0x01 Spot Checks! Now, customers can perform targeted testing on specific assets, and hackers have new ways to earn. Learn more: hackerone.com/vulnerability-…

Chris Evans retweeted
H4x0r.DZ 🇰🇵@h4x0r_dz
Netflix bug bounty program will be moved to HackerOne !
Chris Evans@scarybeasts
Hackers, the new payment controls (pause, thresholds) have been released to all accounts. Thanks for all the feedback that helped us to prioritize this.
Alex Birsan@alxbrsn
@scarybeasts @monkehack @Hacker0x01 I suggest you make it clear in the UI that these values are based on the last 90 days, it's not currently specified. Personally I'd prefer to be able to toggle between 90 days and all time, but it's totally understandable that could be too cluttered.
Ciarán Cotter@monkehack
Showing average bounty amounts on every program, for each severity level, is one of the best design decisions that @Hacker0x01 have ever made. I won't point fingers at any programs but it's been entertaining to see that I wasn't the only one being lowballed on a few of them. 😂