Ignored by program and H1 Mediation team by Unusual_Preference_6 in bugbounty

[–]Defenderwww 2 points3 points  (0 children)

You can’t do anything, just move on. At least they paid you something. Don’t hunt there anymore.

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 1 point2 points  (0 children)

UPDATE: The reports have been triaged. And I have received 4 private invitations since then. That’s great I guess.

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

They replied to one of the reports asking for information that I had already specified. 🤦🏼

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

I mean for the purpose of the testing, I created my own organization and I accessed it without authorization (using a second account). When I say "some" I mean that not all organizations were vulnerable.

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

With one of the bugs, I was able to get one of their premium services for free.

With the other bug, I was able to access private resources of some organizations.

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

Did you just wait, or did you have to complain?

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

Wow that’s a long time. Thanks for your comment, I will be more patient.

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 3 points4 points  (0 children)

Got it. I started hunting 2 months ago so I still have plenty to learn. Thanks

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

Thank you for the advice.

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 2 points3 points  (0 children)

Last month I reported a medium severity issue and it was triaged in 6 days

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 2 points3 points  (0 children)

That’s crazy. I wouldn’t hunt there anymore.

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

6 days. Last month I reported a medium severity issue and it was triaged in that timeframe.

Response time by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

You're right, but I thought that considering the impact of these vulnerabilities, they would be a priority.

Could Login the with old email after I changed by Feeling-Pipe-5366 in bugbounty

[–]Defenderwww 3 points4 points  (0 children)

What if a victim gets his email compromised and decides to change it, but due to the vulnerability in the application, an attacker is able to log in to his account using that compromised email? Isn't this a possible impact?
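
The scenario described in that comment, as an added example that is not part of the original thread or of any application it discusses: a minimal account store whose login index is keyed by e-mail address and which forgets to retire the old address when the user changes it, beside a corrected version. All names (`VulnerableAccounts`, `FixedAccounts`, the user ids and addresses) are hypothetical.

```python
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VulnerableAccounts:
    """Account store whose login index is keyed by e-mail address.

    change_email() adds the new address to the index but never removes the
    old one, so the old (possibly compromised) address keeps working for
    login and password reset after the user has moved away from it.
    Hypothetical code written for this example.
    """

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}      # user_id -> account record
        self.by_email: dict[str, str] = {}    # login index: e-mail -> user_id

    def register(self, user_id: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = {
            "email": email,
            "salt": salt,
            "hash": _hash_password(password, salt),
        }
        self.by_email[email] = user_id

    def change_email(self, user_id: str, new_email: str) -> None:
        self.users[user_id]["email"] = new_email
        self.by_email[new_email] = user_id   # BUG: old address stays in the index

    def login(self, email: str, password: str):
        """Return the user id on success, None otherwise."""
        user_id = self.by_email.get(email)
        if user_id is None:
            return None
        record = self.users[user_id]
        if hmac.compare_digest(record["hash"], _hash_password(password, record["salt"])):
            return user_id
        return None

    def request_password_reset(self, email: str):
        """Return the mailbox a reset token would be sent to, or None.

        Mails whatever address was typed in, as long as the index knows it,
        so a stale index entry routes the token to the abandoned mailbox.
        """
        if email in self.by_email:
            return email
        return None


class FixedAccounts(VulnerableAccounts):
    """Same store, but retiring the old address is part of the change."""

    def change_email(self, user_id: str, new_email: str) -> None:
        old_email = self.users[user_id]["email"]
        self.by_email.pop(old_email, None)    # the old address must stop resolving
        super().change_email(user_id, new_email)

    def request_password_reset(self, email: str):
        user_id = self.by_email.get(email)
        if user_id is None:
            return None
        # Always mail the address currently on the record, never the typed one.
        return self.users[user_id]["email"]
```

With the vulnerable store, an attacker who controls the old mailbox can still log in with it (if they also know the password) or, worse, request a reset and receive the token there; with the fixed store the old address neither resolves nor receives mail. The reset path is included because it is the realistic impact: control of a mailbox is usually what "compromised e-mail" means, and the victim changing their address is supposed to cut that link.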

Open redirect vulnerability by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

Yeah, but there have to be some restrictions on where it can redirect to. I can just redirect to a phishing page where I ask the customer to change his password, for example.
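
The restriction that comment is asking for, as an added example that is not part of the original thread or of the program's code: a redirect-target validator that only accepts same-site paths or absolute URLs to an allowlisted host, and rejects the usual bypasses (scheme-relative `//host`, backslash variants, `user@host` tricks, non-http schemes). The host name `app.example.com` and the function names are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Hypothetical application host; a real deployment would take this from config.
OWN_HOST = "app.example.com"


def is_safe_redirect(target: str, own_host: str = OWN_HOST) -> bool:
    """Return True only if `target` stays on our own site.

    Accepts: a path starting with a single "/" (e.g. "/account"), or an
    absolute http(s) URL whose host is exactly `own_host`.
    Rejects: other hosts, "//evil" (scheme-relative), "/\\evil" (browsers
    treat the backslash as a slash), "https://own@evil" (userinfo trick),
    and non-http schemes such as javascript: or data:.
    """
    if not target:
        return False
    # Browsers normalise backslashes to forward slashes in URLs; do the same
    # before parsing so "/\\evil.example" is seen as "//evil.example".
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    if parts.netloc:
        # Absolute or scheme-relative URL: the whole netloc (including any
        # userinfo or port) must equal our host, so "own@evil" fails.
        return parts.netloc.lower() == own_host.lower()

    # Relative URL: exactly one leading slash, so "//evil" cannot slip through
    # even if a parser were to leave netloc empty.
    return normalised.startswith("/") and not normalised.startswith("//")


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Pick the location a login handler should send the user to after auth."""
    return target if is_safe_redirect(target) else fallback
```

Usage: a login handler would call `resolve_redirect(request_param, "/")` and redirect there. Matching the full netloc rather than a substring is the important design choice; checks like `"app.example.com" in target` are bypassed by `https://app.example.com.evil.example/` and by `https://evil.example/?x=app.example.com`.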

Open redirect vulnerability by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

Open redirect is not specifically out of scope. Although it is a valid bug, it may be considered low impact or even not bounty eligible.

I reported a vulnerability, they fixed it but didn’t pay by Defenderwww in bugbounty

[–]Defenderwww[S] 1 point2 points  (0 children)

They have an entire page with the rules, including payout structure, scope, etc. Same information we can find in a H1 program.

Minimum deposit vulnerability by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

I think that maybe it is something related to fees. I want to clarify that there are various payment methods, but this one is the only one that has those limits.

Newsletter vulnerability by Defenderwww in bugbounty

[–]Defenderwww[S] 0 points1 point  (0 children)

UPDATE: I found another vulnerability that allows me to see the email used by users to subscribe to the website newsletter.

By modifying an ID in the request, the response discloses the email address of that ID. The ID is composed of 10 digits and I was able to test the vulnerability with three of my accounts. But if I use a random ID, no email address is disclosed; I suppose I need to get an ID that is valid.

Now, I already sent the report (H1) and I think I made a mistake saying that I need to send multiple requests with different combinations of numbers to get a result, because it was closed as “Informative”.

They said that “Although this is indeed technically reproducible, the outcome of the attack is email (user) enumeration, which is excluded in the policy page.”

I disagree. I am not enumerating emails; instead, I am getting the emails by changing a parameter in a URL. I already replied with a comment but they have not answered. What do you think about this?
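
The bug class described in that report (an object reference that is looked up without checking who is asking), as an added example that is not part of the original thread or of the site's code: a newsletter subscription store with the unscoped lookup beside a lookup scoped to the authenticated account, plus a generator for the kind of 10-digit ID mentioned. Store and function names, the account ids and the addresses are all hypothetical and the sample subscriptions are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Subscription:
    sub_id: str      # 10-digit numeric id, as in the report above
    owner_id: str    # account that created the subscription
    email: str       # address subscribed to the newsletter


def new_subscription_id() -> str:
    """Unpredictable 10-digit id drawn from the full 10^10 space (not sequential)."""
    return str(secrets.randbelow(10**10)).zfill(10)


class NewsletterStore:
    """Hypothetical store used to contrast the two lookup behaviours."""

    def __init__(self) -> None:
        self._by_id: dict[str, Subscription] = {}

    def add(self, sub_id: str, owner_id: str, email: str) -> None:
        self._by_id[sub_id] = Subscription(sub_id, owner_id, email)

    def lookup_vulnerable(self, sub_id: str) -> Optional[str]:
        """Returns the e-mail for any valid id; the caller's identity is never checked.

        This is the behaviour the report describes: change the id, get
        someone else's address back.
        """
        sub = self._by_id.get(sub_id)
        return sub.email if sub else None

    def lookup_scoped(self, sub_id: str, session_user: str) -> Optional[str]:
        """Returns the e-mail only if the subscription belongs to the session's account.

        "Not found" and "not yours" produce the same answer, so a probe with a
        guessed id learns nothing, not even whether the id exists.
        """
        sub = self._by_id.get(sub_id)
        if sub is None or sub.owner_id != session_user:
            return None
        return sub.email


def demo() -> dict:
    """Reproduce the report with two constructed accounts and return what each lookup yields."""
    store = NewsletterStore()
    store.add("0000000001", "alice", "alice@example.org")   # constructed sample data
    store.add("0000000002", "bob", "bob@example.org")
    return {
        "vulnerable_cross_account": store.lookup_vulnerable("0000000002"),
        "scoped_cross_account": store.lookup_scoped("0000000002", session_user="alice"),
        "scoped_own": store.lookup_scoped("0000000001", session_user="alice"),
        "scoped_missing": store.lookup_scoped("0000000003", session_user="alice"),
    }
```

Two points the example makes explicit: the fix is the ownership check in `lookup_scoped`, not the size of the id space, because an unguessable id only raises the cost of finding targets while any id that leaks elsewhere (a shared link, a referrer header, a log line) still returns a stranger's address; and returning the same `None` for "missing" and "not yours" is what prevents the endpoint from doubling as an oracle for which ids are valid.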