This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

pay bounties retroactively #506

Closed
chadwhitacre opened this issue Feb 18, 2016 · 35 comments

@chadwhitacre

Reticketing from @TheHmadQureshi in a private repo:

I was thinking, if it's possible that we award $1 to every resolved or triaged report that we have in HackerOne. That would not be more than $25, but we will start getting more involved with Hacktivity. What do you think?

@chadwhitacre

@TheHmadQureshi I think it's a good idea. Builds rapport with researchers as well. I count 11 resolved issues:

  1. 76303 weak ssl cipher suites
  2. 76307 Self XSS Protection not used , I can trick users to insert JavaScript
  3. 79552 [gratipay.com] CRLF Injection
  4. 84287 DKIM records not present, Email Hijacking is possible
  5. 84740 Stored XSS On Statement
  6. 87531 Mail spaming
  7. 109054 HTTP trace method is enabled
  8. 111078 Sub Domian Take over
  9. 115275 SPF DNS Record
  10. 116360 The POODLE attack (SSLv3 supported) for https://grtp.co/
  11. 116973 No Valid SPF Records.

I wish HackerOne had a good public listing of these. Maybe they have an API we could use to build our own?

@chadwhitacre

@TheHmadQureshi If the purpose is to show up on Hacktivity, then let's trickle out the bounties maybe one every week, ya?

Also, what amounts should we give to each of the 11? I think bobrov 79552 should get the most—maybe $50?

@chadwhitacre

Here's a link to the (non-public) closed-as-resolved report.

@TheHmadQureshi

Let's discuss each and every one of them, starting with the 1st one (listed above). It's reported by me; I don't want any reward. :-)

@TheHmadQureshi

Onto second now. I recommend $5.

@chadwhitacre

It's reported by me; I don't want any reward. :-)

:-)

!m @TheHmadQureshi 💃

@chadwhitacre

Let's try and categorize these and assign amounts to the categories rather than to individual tickets ...

@TheHmadQureshi

Assigning rewards to individuals isn't very hard either. We have >15 issues, so I think we should go this way.

@chadwhitacre

@TheHmadQureshi Sure, but we're getting more reports all the time. It would be good to have a systematic approach that we can apply easily in the future. Within each category we can vary the bounty based on the quality of the report.

How does this look?

Severe—$51 to $100

There was a clear and present vulnerability that presented a severe risk.

  • n/a

Moderate—$25 to $50

There was a clear and present vulnerability that presented a moderate risk.

  • 79552 [gratipay.com] CRLF Injection—$50
  • 84740 Stored XSS On Statement—$30

Mild—$10 to $24

There was a clear and present vulnerability that presented a mild risk.

  • 76307 Self XSS Protection not used , I can trick users to insert JavaScript—$10
  • 84287 DKIM records not present, Email Hijacking is possible—$10
  • 87531 Mail spaming—$20
  • 111078 Sub Domian Take over—$15
  • 115275 SPF DNS Record—$10
  • 116973 No Valid SPF Records.—$10

Preventative—$1 to $9

There was no clear and present vulnerability, but the report resulted in a code or configuration change nonetheless.

@chadwhitacre

That sums to $161 for past issues.

@TheHmadQureshi

I guess $50 is too much for CRLF injection (even though it was just LF injection); I guess $30 is good for this, and $50 should be awarded to the stored XSS. That was a good one!

@chadwhitacre chadwhitacre mentioned this issue Feb 18, 2016
@TheHmadQureshi

Here's my sheet:

Severe—$51 to $100

There was a clear and present vulnerability that presented a severe risk.

n/a

Moderate—$25 to $50

There was a clear and present vulnerability that presented a moderate risk.

79552 [gratipay.com] CRLF Injection—$30
84740 Stored XSS On Statement—$50

Mild—$10 to $24

There was a clear and present vulnerability that presented a mild risk.

84287 DKIM records not present, Email Hijacking is possible—$10
87531 Mail spaming—$20
111078 Sub Domian Take over—$15
116973 No Valid SPF Records.—$10

Preventative—$1 to $9

There was no clear and present vulnerability, but the report resulted in a code or configuration change nonetheless.

115275 SPF DNS Record—$5
76307 Self XSS Protection not used , I can trick users to insert JavaScript—$5
76303 weak ssl cipher suites—$5
109054 HTTP trace method is enabled—$5
116360 The POODLE attack (SSLv3 supported) for https://grtp.co/—$1

@TheHmadQureshi

This sums to $155.

@chadwhitacre

I guess $50 is too much for CRLF injection (even though it was just LF injection); I guess $30 is good for this, and $50 should be awarded to the stored XSS. That was a good one!

@TheHmadQureshi But the LF injection write-up was higher-quality, because he further demonstrated how the LF injection could be used for CSRF bypass. Also, the XSS vulnerability requires a target to visit a profile on Gratipay.com, but the LF injection works from any page.

Tell you what ... how about we split the difference and award $40 to each? :-)

I agree with your other two downgrades (Self XSS and SPF vs. TXT).

@TheHmadQureshi

Agreed! Are you going ahead, or shall I?

@TheHmadQureshi

Sorry! Closed by mistake.

@chadwhitacre

Go for it! :-)

!m @TheHmadQureshi

@chadwhitacre

@TheHmadQureshi I'm going to work on an update to our program page that incorporates this info.

@chadwhitacre

@TheHmadQureshi Maybe link people to this ticket so they can understand why we're awarding bounties retroactively?

@chadwhitacre

@TheHmadQureshi Hrm ... you sure we can award bounties after we've already said we won't? :-(

@TheHmadQureshi

I don't think they will be interested in looking into this. If someone asks why we changed our decision, then we can refer to this ticket; otherwise it's a win-win situation for the researcher.

@chadwhitacre

If someone asks why we changed our decision, then we can refer to this ticket; otherwise it's a win-win situation for the researcher.

I'm fine with that.

@chadwhitacre

Sent to support@hackerone:

We'd like to retroactively award bounties on tickets that we closed before beginning a paid bounty program. Unfortunately we had marked these as "not eliigible," and now I'm not seeing a way to change our mind. Is this possible?

https://gratipay.freshdesk.com/helpdesk/tickets/4121

@chadwhitacre

s/eliigible/eligible :-/

@chadwhitacre

P.S. Here's the script I used to come up with the bounty ranges based on the Golden Ratio. 🐌 🐍 :-)

#!/usr/bin/env python3

golden_ratio = 1.61803398875

lo = 1
hi = 100  # not used below

for i in range(1, 13):
    # Width of the lowest tier for this row; each following tier is the
    # previous one scaled by the Golden Ratio. The first column is the
    # total span covered by all four tiers.
    first = i - lo
    second = first * golden_ratio
    third = second * golden_ratio
    fourth = third * golden_ratio
    print(sum([first, second, third, fourth]), first, second, third, fourth)

Here's the output:

0.0 0 0.0 0.0 0.0
9.47213595500085 1 1.61803398875 2.618033988750235 4.236067977500615
18.9442719100017 2 3.2360679775 5.23606797750047 8.47213595500123
28.41640786500255 3 4.85410196625 7.854101966250705 12.708203932501846
37.8885438200034 4 6.472135955 10.47213595500094 16.94427191000246
47.36067977500426 5 8.09016994375 13.090169943751176 21.180339887503077
56.8328157300051 6 9.7082039325 15.70820393250141 25.41640786500369
66.30495168500596 7 11.32623792125 18.326237921251646 29.65247584250431
75.7770876400068 8 12.94427191 20.94427191000188 33.88854382000492
85.24922359500765 9 14.56230589875 23.562305898752115 38.12461179750554
94.72135955000851 10 16.1803398875 26.180339887502353 42.360679775006155
104.19349550500937 11 17.79837387625 28.798373876252587 46.59674775250677

@TheHmadQureshi

Great! 👍

@chadwhitacre

I guess we're blocked here on hearing from HackerOne about changing our mind about bounties.

@chadwhitacre

I've gone through and brought bounties up to the levels set in #506 (comment) where possible.

@TheHmadQureshi

Yup! Saw that. Good work 👍

@chadwhitacre

Reply from HackerOne:

Unfortunately we disallow reversing the "ineligible for bounty" action in the UI. I will file a task internally to allow a bounty after marking a report ineligible for bounty. Meanwhile we can fix this for you. Could you verify if the following are the report ids that you would like to award a bounty on?

  1. 76303
  2. 79552
  3. 76307
  4. 84287
  5. 87531
  6. 111078
  7. 84740

Once I get confirmation, we can go ahead and make changes that will allow you to award a bounty on the above reports.


Yup, that list is perfect. Thanks, []!

@TheHmadQureshi

Great!

@TheHmadQureshi

Awarding the bounties now!

@TheHmadQureshi

Done with bounties.

@TheHmadQureshi

💃

@chadwhitacre

!m @TheHmadQureshi
