Security bounties
by theymos on 12/10/2013, 17:09:00 UTC
The forum is offering bounties for security vulnerabilities.

The bounty amount is the highest applicable base bounty multiplied by all applicable modifiers. Amounts are in troy ounces of gold (converted to BTC at the time of payment).

Base bounties (in XAU)

| Attacker | Root access | Arbitrary DB writing | Obtaining arbitrary PMs or password hashes | Persistent script injection | CSRF or non-persistent XSS |
|---|---|---|---|---|---|
| Admin attacker | 8 | 2 | 1 | 0.1 | 0.1 |
| User with manually-granted extra permissions (mod, etc.) | 10 | 7 | 6 | 0.25 | 0.1 |
| Regular user | 10 | 8 | 7 | 0.5 | 0.1 |

Modifiers

| Modifier | Multiplier |
|---|---|
| Affects dev installation (including beta.bitcointalk.org) only | 25%, capped at 1 XAU total |
| Stopped by SELinux, file permissions, etc. in practice | 10% |
| Affected functionality currently disabled, but planned to be enabled | 75% |
| Problem in the forum's production custom PHP code | 110% |
| Security flaw in non-PHP software used by the forum (nginx, Linux, etc.) | 150% |
| Someone has already published the flaw in a news article, blog, public forum, etc. with a reasonably high level of detail and specificity | 50% - 25%, depending on how recently the article was published |
| Your testing of the vulnerability caused substantial disruptions | 25% |
| No proof of concept | 50% |

Rules
- You must disclose the vulnerability only to me. Do not test your vulnerability in such a way that it would give others any information about the vulnerability.
- I must not already know about the vulnerability.
- Your info must actually convince me to make changes. If you give me info that is insufficient to convince me to change things, and then a few months later I get more info from someone else which does convince me to fix the thing that you reported, then you'll likely not be awarded a bounty.
- You must not use your exploit in any malicious way, or use it to read any database info that isn't public except for accounts that you control.
- It must be fairly easy for me to check the validity of your vulnerability. You must have proof of concept code, a live example of the exploit on the forum, or a very detailed description of the vulnerability. You can't just say something like, "Avatars can be used to execute PHP." That's not enough information, and it's very likely that the vulnerability you're talking about won't even affect the forum. Attacks using brute-force, timing, etc. that you can't demonstrate may not be eligible for bounties.
- DoS attacks aren't security vulnerabilities.
- Compromising an admin account is a valid technique, but you can't assume that you will be able to do this.
- Assume that CSRF attacks against the admin console don't work.
- If an exploit is only possible due to a combination of two or more flaws, then the bounty is calculated for each flaw assuming that it alone would succeed in the attack, and you get only the smallest of these bounties.
- You may receive a reward for reporting other security flaws (being able to delete posts when you shouldn't, for example), but these flaws are not covered by this bounty.
- I reserve the right to pay, not pay, or adjust bounties for any reason whatsoever, and to cancel/modify these rules without notice.

Extra bounties

These bounties use a separate system of calculation, but are subject to the same conditions as above.

- 1 XAU: Find the email address of user DefaultTrust and explain in detail how you did it.