real.de OBB program silently patches.

rootpentesting
Posts:20
Joined:Wed Jul 06, 2016 12:28 pm

Post by rootpentesting » Thu Apr 18, 2019 8:10 am

Hey Team,

I was participating in the OBB program of https://www.openbugbounty.org/bugbounty/itsecop/
and found an XSS in their main domain real.de. Below is the timeline of the submission.

Vulnerability Reported: 4 April, 2019 23:39 GMT
Vulnerability Verified: 4 April, 2019 23:55 GMT
Website Operator Notified via Bug Bounty: 4 April, 2019 23:55 GMT

They never reached out to me, so I got some of their direct contacts and sent them an email about it.
Today, on 18-4-2019, I checked again and my vuln was silently patched. Now, this is not good behaviour for an OBB program,
and it brings us researchers down in motivation.

Their policy clearly states: Possible Awards:

- PayPal donation
- voucher
- good rating

So I would like to receive this, as I did my work. :roll:

Geek_Pwn
Posts:9
Joined:Sun Sep 17, 2017 9:45 pm

Re: real.de OBB program silently patches.

Post by Geek_Pwn » Thu Apr 18, 2019 8:45 am

Same here.
I reported an XSS some months ago and it's silently fixed now.

rootpentesting
Posts:20
Joined:Wed Jul 06, 2016 12:28 pm

Re: real.de OBB program silently patches.

Post by rootpentesting » Thu Apr 18, 2019 8:57 am

That sucks, man. It appears we both got ripped off.

x1admin
Site Admin
Posts:3101
Joined:Sun Nov 15, 2015 7:04 pm

Re: real.de OBB program silently patches.

Post by x1admin » Thu Apr 18, 2019 9:04 am

We can't guarantee a bounty from website owners, but you can rate any program.

Geek_Pwn
Posts:9
Joined:Sun Sep 17, 2017 9:45 pm

Re: real.de OBB program silently patches.

Post by Geek_Pwn » Thu Apr 18, 2019 9:07 am

Sadly yes.

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: real.de OBB program silently patches.

Post by secuninja » Thu Apr 18, 2019 9:25 am

x1admin wrote (Thu Apr 18, 2019 9:04 am):
    We can't guarantee bounty from website owners but you can rate any program

But you could change the rules for program owners and make a response to the researcher the minimum requirement for participation on OBB.

I agree that you cannot guarantee a bounty, but a reply is, in my eyes, the very least.
