pay bounties retroactively #506
@TheHmadQureshi I think it's a good idea. Builds rapport with researchers as well. I count 11 resolved issues:
I wish HackerOne had a good public listing of these. Maybe they have an API we could use to build our own? |
@TheHmadQureshi If the purpose is to show up on Hacktivity, then let's trickle out the bounties maybe one every week, ya? Also, what amounts should we give to each of the 11? I think bobrov 79552 should get the most—maybe $50? |
Here's a link to the (non-public) closed-as-resolved report. |
Let's discuss each and every one of them, starting with the first one (listed above). It was reported by me; I don't want any reward. :-) |
On to the second now. I recommend $5. |
:-) !m @TheHmadQureshi 💃 |
Let's try and categorize these and assign amounts to the categories rather than to individual tickets ... |
Assigning rewards to individuals isn't very hard either. We have >15 issues, so I think we should go this way. |
@TheHmadQureshi Sure, but we're getting more reports all the time. It would be good to have a systematic approach that we can apply easily in the future. Within each category we can vary the bounty based on the quality of the report. How does this look?
Severe—$51 to $100: There was a clear and present vulnerability that presented a severe risk.
Moderate—$25 to $50: There was a clear and present vulnerability that presented a moderate risk.
Mild—$10 to $24: There was a clear and present vulnerability that presented a mild risk.
Preventative—$1 to $9: There was no clear and present vulnerability, but the report resulted in a code or configuration change nonetheless.
|
That sums to $161 for past issues. |
I guess $50 is too much for CRLF injection (even though it was just LF injection). I guess $30 is good for this, and $50 should be awarded to the stored XSS. That was a good one! |
Here's my sheet:
Severe—$51 to $100: There was a clear and present vulnerability that presented a severe risk. n/a
Moderate—$25 to $50: There was a clear and present vulnerability that presented a moderate risk. 79552 [gratipay.com] CRLF Injection—$30
Mild—$10 to $24: There was a clear and present vulnerability that presented a mild risk. 84287 DKIM records not present, Email Hijacking is possible—$10
Preventative—$1 to $9: There was no clear and present vulnerability, but the report resulted in a code or configuration change nonetheless. 115275 SPF DNS Record—$5 |
This sums to $155. |
@TheHmadQureshi But the LF injection write-up was higher-quality, because he further demonstrated how the LF injection could be used for CSRF bypass. Also, the XSS vulnerability requires a target to visit a profile on Gratipay.com, but the LF injection works from any page. Tell you what ... how about we split the difference and award $40 to each? :-) I agree with your other two downgrades (Self XSS and SPF vs. TXT). |
Agreed! Are you going ahead, or shall I? |
Sorry! Closed by mistake. |
Go for it! :-) |
@TheHmadQureshi I'm going to work on an update to our program page that incorporates this info. |
@TheHmadQureshi Maybe link people to this ticket so they can understand why we're awarding bounties retroactively? |
@TheHmadQureshi Hrm ... you sure we can award bounties after we've already said we won't? :-( |
I don't think they will be interested in looking into this. If someone asks why we changed our decision, we can refer to this ticket; otherwise it's a win-win situation for the researcher. |
I'm fine with that. |
Sent to support@hackerone:
|
s/eliigible/eligible :-/ |
P.S. Here's the script I used to come up with the bounty ranges based on the Golden Ratio. 🐌 🐍 :-)

```python
#!/usr/bin/env python3
# Print candidate sets of four tier widths. The first width is varied from
# 0 to 11; each following width is the previous one scaled by the golden
# ratio, and the total of the four is printed first so it can be compared
# against the intended $100 cap.
golden_ratio = 1.61803398875
lo = 1
hi = 100  # the cap we are aiming for; informational only, not used below
for i in range(1, 13):
    first = i - lo
    second = first * golden_ratio
    third = second * golden_ratio
    fourth = third * golden_ratio
    print(sum([first, second, third, fourth]), first, second, third, fourth)
```

Here's the output:
|
Great! 👍 |
I guess we're blocked here on hearing from HackerOne about changing our mind about bounties. |
I've gone through and brought bounties up to the levels set in #506 (comment) where possible. |
yup! Saw that. Good work 👍 |
Reply from HackerOne:
|
Great! |
Awarding the bounties now! |
Done with bounties. |
💃 |
Reticketing from @TheHmadQureshi in a private repo: