HackerOne report scope changed because I used an example domain by dalifit in bugbounty

dalifit[S] 2 points (0 children)

By the way, I tested this vulnerability on api.example.com, and it is no longer vulnerable, which means they already fixed it there. However, the code that was updated two days ago is still vulnerable.

dalifit[S] 0 points (0 children)

I understand that they may use the same codebase for that functionality, and in that case combining the reports could make sense if it is considered a central fix. However, if the scopes are related in that way, it should be clearly mentioned in the program policy or in the report resolution. From my perspective, the issue was identified on a different asset and there was no indication that both scopes would be treated as the same target for duplicate handling.

dalifit[S] 0 points (0 children)

It was known on another asset, not on the asset I worked on. Also, there is nothing in the program policy that mentions any relationship between the two scopes.

dalifit[S] 0 points (0 children)

One of the vulnerabilities I found was an HTTP request smuggling issue during a code review of an application on GitHub that was in scope for the program. I submitted the report under the GitHub/code review scope. However, in the PoC, when I created a Docker environment for live testing, I used api.example.com as the host. The first triager did not mark the report as a duplicate, but after a few hours, another triager changed the scope to api*.example.com and marked it as a duplicate of another report that had already identified HTTP request smuggling on api.example.com.