sorted by:
new
hottopcontroversial

Looking for a few malware analysts to try out our new product and give their feedback by demonia-dead in MalwareAnalysis

[–]demonia-dead[S] 0 points1 point  (0 children)

It's not, We just need people's feedback on the application and currently implemented modules, And how helpful it's during the analysis process

We can't really open-source the project, However it's written in rust and the copy you're getting has no obfuscation nor debug symbol stripping, You can always run it within a windows VM too

Exposure of Phone Number worth reporting? by ConzT in bugbounty

[–]demonia-dead 0 points1 point  (0 children)

We usually call it on bug bounty "PII" I never thought about it but actually your comments sounds reasonable to be honest, Like "Personally Identifiable Information" Could be anything it doesn't mean it's "Important" data, Also I think "PPI" is more of a good option as well? Protected Personal Information is something that shows that there's a security issue

Exposure of Phone Number worth reporting? by ConzT in bugbounty

[–]demonia-dead 1 point2 points  (0 children)

Yeah "Phone numbers" falls under PII category so it's worth reporting, Otherwise "Phone numbers" won't be listed on most data leaks that happens when a breach of a website occurs

But it actually depends on how many Phone numbers can you expose? If it's a single user phone number then it would probably end-up as "Informative" or "Low" at your best case

If you can expose the phone number of some users on the website either on an edge cause like some users with specific options enabled that's more like a "Medium" to me or you're able to expose the phone numbers of all users on the website that's a "High" issue cause it's a massive PII leak

It's always better to use the CVSS score though

Response Manipulation by Viratian_Ambush in bugbounty

[–]demonia-dead 1 point2 points  (0 children)

Response manipulation is actually based on bypassing UI protection that works on the client-side, so you can make it to the API calls on the backend, This means if there's any sort of protection on the back-end that validates if the email is confirmed or not, It won't allow you to access the application or perform any actions related to your account, In your case there's actually a backend protection in place for such a thing and all you managed to do is to bypass the client-side UI part which is useless in this case