101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl czyli najstarszy polski serwer Mastodon. Posiadamy wpisy do 2048 znaków.

Server stats:

482
active users

#bugcrowd

0 posts0 participants0 posts today
Harry Sintonen<p>A company appears to be abusing <a href="https://infosec.exchange/tags/BugCrowd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BugCrowd</span></a>’s <a href="https://infosec.exchange/tags/bugbounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bugbounty</span></a> program to hide essential details of a critical vulnerability. The company itself has rated the vulnerability as low severity. This has led many to disregard the vulnerability, which may have resulted in unpatched systems that remain vulnerable.</p><p>"I would like to remind you that as a researcher using the BugCrowd platform to submit this issue you are bound by the BugCrowd standard disclosure terms and you may not blog or disclose any information on the exploitation of this vulnerability."</p><p>I were to follow these rules, it would mean that countless of client systems could remain vulnerable to this critical vulnerability.</p><p>I’ve mostly had good experiences with bug bounty programs before this incident. Sure, I’ve had some disagreements at times, but I’ve never seen a program being abused like this before.</p><p><a href="https://infosec.exchange/tags/responsibledisclosure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>responsibledisclosure</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
Yellow Flag<p>Just a reminder: with those bug bounty platforms like Bugcrowd, HackerOne or whatever, as a security researcher you are not their customer, you are the product.</p><p>If there is a conflict they will tend to side with their customer, meaning the company running the bug bounty program. Good luck proving that you have a right to disclose that vulnerability. They will pressure you into not disclosing as long as the company is opposed. So if you still want to decide anything it’s better not to grow too attached to that account because it will be used as leverage against you.</p><p>And they will try very hard to filter reports before these reach the company. If your report is more difficult to understand than the typical report for this program – good luck reaching the company, you’ll need it. It’s very likely that your report will be closed as “out of scope” with all appeals falling on deaf ears. The bug bounty platforms are paid for filtering, not for letting reports through just because they have doubts about them. You might need to think about other ways to reach the people actually in charge.</p><p><a href="https://infosec.exchange/tags/Bugcrowd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Bugcrowd</span></a> <a href="https://infosec.exchange/tags/HackerOne" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HackerOne</span></a> <a href="https://infosec.exchange/tags/BugBounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BugBounty</span></a></p>
Harry Sintonen<p>I've had amazingly frustrating time dealing with <a href="https://infosec.exchange/tags/bugcrowd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bugcrowd</span></a> - There is minimal feedback or status updates. I do not know if this is limited to just managed bug bounty programs. Maybe the client in question is more to blame, but either way the experience is frustrating for me as a reporter. </p><p>As it stands now, I have no clue if critical issue I reported months ago will be getting a resolution or if one is even planned. Meanwhile millions of systems remain vulnerable. <a href="https://infosec.exchange/tags/venting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>venting</span></a></p>
IT News<p>CISA launches platform to let hackers report security bugs to US federal agencies - The Cybersecurity and Infrastructure Security Agency has launched a vulnerability ... - <a href="http://feedproxy.google.com/~r/Techcrunch/~3/cSPU-hVSUjc/" rel="nofollow noopener" target="_blank"><span class="invisible">http://</span><span class="ellipsis">feedproxy.google.com/~r/Techcr</span><span class="invisible">unch/~3/cSPU-hVSUjc/</span></a> <a href="https://schleuss.online/tags/informationtechnology" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>informationtechnology</span></a> <a href="https://schleuss.online/tags/federalgovernment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>federalgovernment</span></a> <a href="https://schleuss.online/tags/computersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>computersecurity</span></a> <a href="https://schleuss.online/tags/internetsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>internetsecurity</span></a> <a href="https://schleuss.online/tags/cyberwarfare" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyberwarfare</span></a> <a href="https://schleuss.online/tags/unitedstates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>unitedstates</span></a> <a href="https://schleuss.online/tags/cyberattack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyberattack</span></a> <a href="https://schleuss.online/tags/government" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>government</span></a> <a href="https://schleuss.online/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://schleuss.online/tags/solarwinds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>solarwinds</span></a> <a href="https://schleuss.online/tags/computing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>computing</span></a> <a href="https://schleuss.online/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://schleuss.online/tags/bugcrowd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bugcrowd</span></a> <a href="https://schleuss.online/tags/cisa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cisa</span></a></p>
Yellow Flag<p>Noticed that <a href="https://infosec.exchange/tags/bugcrowd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Bugcrowd</span></a> is listing sessions under <a href="https://bugcrowd.com/settings/active_sessions" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bugcrowd.com/settings/active_s</span><span class="invisible">essions</span></a> that are a year old already. This raises both security (not automatically expired, really?) and privacy (storing my full IP address, <a href="https://infosec.exchange/tags/gdpr" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GDPR</span></a> compatible?) questions.</p>
Yellow Flag<p>I published my thoughts on private bug bounty programs. These don't reflect well on the vendors running such programs, and neither on <a href="https://infosec.exchange/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hackerone</span></a> and <a href="https://infosec.exchange/tags/bugcrowd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Bugcrowd</span></a>.</p><p>Many thanks to @k8em0@twitter.com for the inspiration.</p><p><a href="https://palant.de/2018/12/10/if-your-bug-bounty-program-is-private-why-do-you-have-it" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">palant.de/2018/12/10/if-your-b</span><span class="invisible">ug-bounty-program-is-private-why-do-you-have-it</span></a></p><p><a href="https://infosec.exchange/tags/bugbounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bugbounty</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>