poq, posted February 22, 2014 (edited)
The Bug Bounty people (Magento) decide out of scope based on the URL of the vulnerability: when you fill in the address gostorego.com (which is in scope) it tells you the domain is not valid, but still to report it, just in case. I have 4 submitted with that address, two of them are very serious XSSes, and since the address is gostorego.com and not go.magento.com I received out of scope on all of them, even though those problems allow a lot. Here is a list of the so-called bug bounty:

Vulnerability                                                 | Magento EE/CE, gostorego.com, gostorego.co.uk, prostores.com | magento.com, imagineecommerce.com, magentocommerce.com
Information Disclosure (PII, passwords, or credit card data)  | Up to $10,000                                                | Up to $5,000
Remote Code Execution                                         | Up to $10,000                                                | Up to $2,500
Privilege Escalation                                          | Up to $5,000                                                 | Up to $1,000
SQL Injection                                                 | Up to $5,000                                                 | Up to $1,000
Cross-Site Request Forgery (CSRF)                             | Up to $5,000                                                 | Up to $500
Cross-Site Scripting (XSS)                                    | $1,000                                                       | $500
Clickjacking                                                  | $500                                                         | $100

I don't know if I'll send anything else. I emailed them to check my reports again, because like robots, as soon as they saw the URL they gave out of scope from the start, or who knows what form they use..
Edited February 23, 2014 by Gecko: title.
dekeeu, posted February 22, 2014
I sent them several reports, but all of them have had the status "New" for 2 weeks. Either they move too slowly, or they can't be bothered, or I don't know.. But that table should be honoured anyway, I'd say.
florin_darck, posted February 22, 2014
Quoting dekeeu: "I sent them several reports, but all of them have had the status "New" for 2 weeks. Either they move too slowly, or they can't be bothered, or I don't know.. But that table should be honoured anyway, I'd say."
Same here, status 'New' for approx. 2 weeks..
poq (author), posted February 22, 2014
In my case I already have Out of Scope on 4. They're making fun of us.. they didn't even check what I sent.
malsploit, posted February 25, 2014
I reported some XSSes as a test and they marked all of them as duplicates. They do the same as PayPal.
poq (author), posted February 25, 2014
Yes, I got that too.. they're making fun of us.
mah_one, posted February 25, 2014
I reported a way through which I can get other users' private files. Or I can delete them :P
I'm curious to see what they say. The file is a number that increments.
dekeeu, posted March 1, 2014
Note that the lads have updated their rules: Security | Magento
poq (author), posted March 1, 2014 (edited)
They don't take you seriously, they're little robots handing out out of scope, duplicate, out of scope and so on... I fit everything they said there, I have a persistent one and I just sent an email saying that if they don't take me seriously they are forcing me to publish it (since it is "out of scope").
Edited March 1, 2014 by poq