News:

- New programs have been added

Recent Posts

1. Announcement / BugBeat System improvement
« Last post by Xsecure on June 19, 2023, 09:29:50 am »
BugBeat has been listening to your feedback and continuously working towards improving the user experience and overall functionality. We are thrilled to share with you that we have some exciting modifications lined up for the near future. Here's a glimpse of what you can expect:


New Dashboard Page: We have been diligently working on revamping our dashboard to provide a more intuitive and user-friendly interface. The new dashboard will offer enhanced navigation, improved bug tracking, and detailed statistics to empower you with better insights.

New Programs: BugBeat is expanding its partnerships and actively seeking new organizations to collaborate with. This means there will be an influx of exciting new bug bounty programs for you to participate in, providing more opportunities to demonstrate your skills and earn rewards.

New Payment Methods: We understand the importance of providing flexible payment options to our valued hackers. Therefore, we are introducing additional payment methods to make the reward payout process even more convenient and efficient.

Enhanced Bug Reporting: We have been investing in advanced bug reporting tools to streamline the process and make it easier for you to report vulnerabilities. You can look forward to a more seamless and structured bug submission experience.

We wanted to inform you in advance about these upcoming changes so that you can prepare accordingly and continue your valuable contributions to BugBeat's bug bounty platform. We greatly appreciate your ongoing dedication and expertise in helping us maintain a secure and reliable environment for our users.
2. Bugs Reports / Network Infrastructure Testing: 200$~800$
« Last post by Xsecure on June 19, 2023, 12:10:11 am »
Network Infrastructure Testing

vrt

Configuration Weakness > Exposed Management Interfaces > Unauthenticated Access

Priority

P3

Description

Steps to Find Unauthenticated Access to Management Interfaces:

Step 1: Identify the IP range or hostname associated with the target network infrastructure.

Step 2: Scan the target IP range or hostname using a network scanning tool (e.g., Nmap) to identify open ports.

Step 3: Identify common management ports such as 22 (SSH), 23 (Telnet), 80 (HTTP), 443 (HTTPS), or other proprietary management ports.

Step 4: Attempt to access the identified management interfaces without providing any authentication credentials.

Step 5: Document any successful access to unauthenticated management interfaces and provide details about the exposed functionality.

Hacker Username

@SecureNet
3. Bugs Reports / Mobile Application Testing: 1,000$~5,000$
« Last post by Xsecure on June 18, 2023, 11:46:25 pm »
Target category

Mobile Application Testing

vrt

Insecure Data Storage > Local Storage Weakness > Sensitive Information in Logs

Priority

P2

Description

Steps to Find Sensitive Information in Logs:

Step 1: Install the application on a rooted device or emulator.

Step 2: Enable logcat capture using the following command: adb logcat -v time > logs.txt

Step 3: Perform various actions within the application.

Step 4: Analyze the logs generated and search for sensitive information such as API keys, passwords, or personal user data.

Step 5: Verify if the sensitive information is logged in plain text or obfuscated.

Hacker Username

@milato
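As an added example (not part of the original post), a small Python checker for Steps 4 and 5 above: it parses `adb logcat -v time` output, flags messages that contain secret-looking values (passwords, bearer tokens, API keys, e-mail addresses) and records whether each value is logged in plain text or masked. The log lines embedded below are constructed, not captured from any real app, and the pattern list is a starting set to extend for the app under test.

```python
import re

# Constructed sample of `adb logcat -v time` output (not captured from a real app).
SAMPLE_LOGCAT = """\
06-18 23:40:01.123 D/AuthManager( 4321): login ok user=alice@example.com password=Hunter2!
06-18 23:40:01.456 I/HttpClient( 4321): GET /v1/profile Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2ln
06-18 23:40:02.001 V/Config( 4321): api_key=AKIAEXAMPLEEXAMPLE12 loaded
06-18 23:40:02.250 D/AuthManager( 4321): token refreshed, password=******** (masked)
06-18 23:40:03.000 I/ActivityManager( 1234): Displayed com.example.app/.MainActivity: +300ms
"""

# `-v time` line layout: "MM-DD HH:MM:SS.mmm P/Tag( PID): message"
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<prio>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\): (?P<msg>.*)$"
)

# Starting set of secret patterns (assumed, extend for the app under test).
SECRET_PATTERNS = {
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(?P<value>\S+)"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+(?P<value>[A-Za-z0-9._-]{16,})"),
    "api_key": re.compile(r"(?i)\b(?:api[_-]?key|secret)\s*[=:]\s*(?P<value>\S+)"),
    "email": re.compile(r"(?P<value>\b[\w.+-]+@[\w-]+\.[\w.-]+\b)"),
}

# A value made only of mask characters or a redaction marker counts as obfuscated (Step 5).
MASKED = re.compile(r"^(?:\*{3,}|x{3,}|\[REDACTED\]|<redacted>)$", re.IGNORECASE)


def scan_logcat(text):
    """Return one finding per secret-looking value found in logcat text."""
    findings = []
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # e.g. "--------- beginning of main" separator lines
        for category, pattern in SECRET_PATTERNS.items():
            for hit in pattern.finditer(m.group("msg")):
                value = hit.group("value")
                findings.append({"tag": m.group("tag").strip(), "category": category,
                                 "value": value, "plaintext": MASKED.match(value) is None})
    return findings


def plaintext_findings(findings):
    """Only the findings where the secret is logged unmasked, i.e. what belongs in a report."""
    return [f for f in findings if f["plaintext"]]
```

Run it over a real capture with `scan_logcat(open("logs.txt").read())`; the masked password on the fourth sample line is kept in the full list but dropped by `plaintext_findings`.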
4. Bug Bounty Programs / Ably | 0~5,000$
« Last post by Xsecure on June 16, 2023, 08:08:37 pm »
Program Rules
Maintaining the security, privacy, and integrity of our products is a priority at Ably. Therefore, Ably appreciates the work of researchers in order to improve our security and/or privacy posture. We are committed to creating a safe and transparent environment to report vulnerabilities.

Out of scope vulnerabilities

Reports regarding username enumeration
Bugs requiring exceedingly unlikely user interaction
Reports of software usage disclosure or software version disclosure
Information disclosure about internal systems that does not represent a specific security vulnerability of confidentiality, integrity or availability
Reporting vulnerabilities that are deemed as accepted risks
Bugs that don’t affect the latest version of modern browsers, or browser extensions
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working proof of concept (PoC)
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
Disclosure of known public files or directories (eg robots.txt)
Banner disclosure on common/public services without a PoC
Security header configurations or missing headers
Lack of Secure/HTTPOnly flags on non-sensitive cookies
Abstract possibility of phishing or social engineering attacks, including open redirects and CSRFs
Reports relating to TLS configuration or known protocol, ciphersuite or certificate weaknesses
Denial of Service and Brute Force
Targeted brute force attacks are NOT permitted to discover incorrect or missing rate limits such as checking the rate limit on a password input.

A missing rate limit does not always signify a security issue.

Testing Scope

The following services and endpoints are within the scope of this policy

the Ably website at http://ably.com, with the exception of https://ably.com/api-streamer
ancillary websites at *.ably.com operated by Ably
the production service endpoints at realtime.ably.io and rest.ably.io
functionally equivalent service endpoints at

*-realtime.ably.io
*-rest.ably.io
*.ably-realtime.com
Ably service endpoints served from customer domains via CNAME
All other domains and services are out of scope. In particular, Ably subdomains that are served by third parties such as support.ably.com are out of scope, but those third parties might themselves have applicable vulnerability disclosure policies.


Triage Process


The submission must contain:
  • Scope (URL affected);
  • Type of vulnerability;
  • Description of the impact;
  • Steps to reproduce;
  • Ways to exploit with a valid POC;
  • A way to correct.


Please allow time for triage and the vulnerability to be fixed before discussing any findings publicly.

After receiving a submission, BugBeat will make a best effort to provide a timely first response. We’ll try to keep you informed about our progress throughout the process.


Rewards

The reward is determined based on the severity of the reported vulnerability and the product category.
Critical: 0~5,000 USD

High: 0~1,500 USD

Medium: 0~500 USD

Low: 0~150 USD
5. Bug Bounty Programs / Smartling | 0~10,000$
« Last post by Xsecure on June 12, 2023, 12:53:19 pm »
Program Rules

Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
Do not attempt to view, modify, or damage data belonging to others.
Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
Do not attempt to gain access to another user’s account or data.
Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Out of scope vulnerabilities

The following vulnerabilities are not eligible for bounty.

Network level Denial of Service attacks
Application Denial of Service by locking user accounts
Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
Disclosure of known public files or directories, (e.g. robots.txt)
Outdated software / library versions
OPTIONS / TRACE HTTP method enabled
CSRF on logout
CSRF on forms that are available to anonymous users
Cookies that lack HTTP Only or Secure settings for non-sensitive data
Self-XSS and issues exploitable only through Self-XSS
Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
Attacks requiring physical access to a user's device
Attacks dependent upon social engineering of Smartling employees or vendors.
Username enumeration based on login or forgot password pages.
Enforcement policies for brute force, rate limiting, or account lockout.
SSL/TLS best practices.
SSL attacks such as BEAST, BREACH, Renegotiation attack.
Clickjacking, without additional details demonstrating a specific exploit.
Mail configuration issues including SPF, DKIM, DMARC settings.
Use of a known-vulnerable library without a description of an exploit specific to our implementation.
Password and account recovery policies.
Presence of autocomplete functionality in form fields.
Publicly accessible login panels.
Lack of email address verification during account registration or account invitation.
Lack of email address verification password restore.
Session control during email/password changes.

Testing Scope

At this time, the scope of this program is limited to security vulnerabilities found in the following targets:

www.smartling.com
dashboard.smartling.com
sso.smartling.com
api.smartling.com
support.smartling.com
www.verbalizeit.com
customers.verbalizeit.com
ti.smartling.com

Triage Process


The submission must contain:
  • Scope (URL affected);
  • Type of vulnerability;
  • Description of the impact;
  • Steps to reproduce;
  • Ways to exploit with a valid POC;
  • A way to correct.


Please allow time for triage and the vulnerability to be fixed before discussing any findings publicly.

After receiving a submission, BugBeat will make a best effort to provide a timely first response. We’ll try to keep you informed about our progress throughout the process.



Rewards

The reward is determined based on the severity of the reported vulnerability and the product category.
The maximum bounty for a validated bug submission is $10,000 USD.
6. Bug Bounty Programs / Bentley | 0~500$
« Last post by Xsecure on June 07, 2023, 09:20:57 am »
Program Rules

Bentley Systems requires that all researchers:

Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
Perform research only within the scope set out below.
Use the communication channels defined below to report vulnerability information to us.
Keep information about any vulnerabilities you have discovered confidential between you and Bentley Systems until it is fixed.
If you follow these guidelines when reporting an issue to us, we commit:

Not to pursue or support any legal action related to your research.
To work with you to understand and resolve the issue quickly.

In Scope vulnerabilities

Broken Access Control (Privilege Escalation)
Business Logic Issues
Cross-Origin resource sharing (CORS)
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Directory Traversal
DLL hijacking
Hyperlink injection
Identification and Authentication
Insecure direct object reference (IDOR)
Open redirect
Other
Remote Code Execution
Security misconfiguration
Sensitive data exposure
Session misconfiguration
SQL Injection
Subdomain takeover*
WordPress issues



Out of scope vulnerabilities

Publicly released bugs in internet software within 15 days of their disclosure
Spam or Social Engineering techniques, including SPF and DKIM issues
Self-XSS (we require evidence on how the XSS can be used to attack another user)
X-Frame-Options related (clickjacking)
Rate limit vulnerability (unless a valid exploit PoC provided)
XMLRPC.php file is enabled leading to DoS attack
Missing cookie flags on non-sensitive cookies
Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC)
Header injection (unless you can show how it can lead to stealing user data)
Version exposure (unless you deliver a PoC of working exploit).
Issues that are non-exploitable but lead to crashes, stack trace, and similar information leak or stability issues.
Denial of Service
Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc.)
Anything from an automated scan, anything that is already public, or anything not under Bentley Systems control (e.g. Google Analytics, etc.)
Theoretical issues that lack practical severity


Testing Scope

All *.bentley.com subdomains
All Bentley Systems desktop products (Only CONNECT Edition and Later)
All Bentley Systems mobile apps
All Bentley Cloud Applications and Services
All Bentley Open Source Projects (including imodeljs.org)

Out Of Testing Scope

Bentley Systems’ Infrastructure (VPN, Mail Server, SharePoint, Skype, etc.)
Findings from physical testing, such as office access (e.g., open doors, tailgating)
Findings derived primarily from social engineering (e.g., phishing, vishing)
Findings from applications or systems not listed in the ‘Scope’ section
UI and UX bugs and spelling mistakes
Network level Denial of Service (DoS/DDoS) vulnerabilities
Any services hosted by 3rd-party providers and services
https://bentley.matrixlms.com/
https://www.plaxis.ru
https://communities.bentley.com Communities reports should be submitted directly to Telligent.
Synchro Academy reports should be submitted directly to Cypher Learning.
https://ebook.bentley.com/ Ebook reports should be submitted directly to Impelsys.
https://yii.bentley.com/en
https://vshow.on24.com/vshow/bsn012108_ve_01/registration/19990
https://vshow.on24.com/vshow/bsn012108_ve_01/lobby/19990


Triage Process

The submission must contain:
  • Scope (URL affected);
  • Type of vulnerability;
  • Description of the impact;
  • Steps to reproduce;
  • Ways to exploit with a valid POC;
  • A way to correct.


Please allow time for triage and the vulnerability to be fixed before discussing any findings publicly.

After receiving a submission, BugBeat will make a best effort to provide a timely first response. We’ll try to keep you informed about our progress throughout the process.


Rewards

The reward is determined based on the severity of the reported vulnerability and the product category, 0~500$.
7. Bug Bounty Programs / Investing | 0~500$
« Last post by Xsecure on May 31, 2023, 04:47:59 am »
Program Rules

Investing security program.


Testing Scope

Investing.com website as well as all language subdomains
Native iOS app
Native Android app


Triage Process


The submission must contain:
  • Scope (URL affected);
  • Type of vulnerability;
  • Description of the impact;
  • Steps to reproduce;
  • Ways to exploit with a valid POC;
  • A way to correct.


Please allow time for triage and the vulnerability to be fixed before discussing any findings publicly.

After receiving a submission, BugBeat will make a best effort to provide a timely first response. We’ll try to keep you informed about our progress throughout the process.

Final Notes

Please be patient. Reports are reviewed according to the workload of the security team and we sometimes require time to fix the issue.
A bug report should include a detailed description of the discovered vulnerability and steps that need to be taken in order to reproduce it or a working proof-of-concept. If you do not describe vulnerability details, it could take longer to review your report and/or could result in a rejection of that report.
Do not use automated tools and scanners to find vulnerabilities. Such reports will be ignored.
Do not perform any attack that could damage our services or data including client data. DDoS, spam, brute force attacks are not permitted.
Do not involve other users without their explicit consent.
Do not perform or try to perform non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure in general.
Publishing the vulnerability, even for educational purposes, without our consent is forbidden, and under no circumstance before the vulnerability is corrected.
How to Submit a Report

Rewards

The reward is determined based on the severity of the reported vulnerability and the product category, from 0~500$.
8. Ranking / BugBeat Hackers Ranking
« Last post by Xsecure on May 06, 2023, 03:29:48 am »
Top BugBeat Hackers

9. Bugs Reports / /Metrics Open Directory Bounty: 50$~200$
« Last post by Xsecure on May 02, 2023, 06:09:04 am »
Target category

Website Testing

vrt

Server Security Misconfiguration > OAuth Misconfiguration > Open Directory

Priority

P4

Description

Steps to Find an Open Metrics Directory:

Step 1: Check for a subdomain that contains api, metrics, metrics.api, payment.api, etc.



Step 2: Do some dirbusting using this list of directories:

/metrics
/Metrics
/permission/metrics
/auditing/metrics
/missions/metrics


Step 3: You will see a page full of data, private memory bytes and other sensitive information.



Hacker Username

@lolamero
10. Announcement / New Badge System!
« Last post by Xsecure on May 01, 2023, 06:15:07 pm »