OBB: increasing quality and value

Questions or suggestions about the platform
User avatar
x1admin
Site Admin
Posts: 3096
Joined: Sun Nov 15, 2015 7:04 pm

OBB: increasing quality and value

Post by x1admin » Sun Jul 23, 2017 8:24 pm

Hi Folks,

So far, you have helped fixing over 40k vulnerabilities - an impressive and outstanding number you should deservedly be proud of!

Not many commercial crowd security testing platforms have brought the same value to website owners as our community. In order to preserve the integrity of our community and our values, we believe now it's a reasonable and appropriate timing for the following amelioration and enhancement of our vulnerability disclosure process:

1) Full Disclosure is removed from the platform. It has become highly unpopular among our community (less than 1% of submissions) and we believe that it's not required anymore.

2) Open Bug Bounty submissions can now be disclosed on public in 90 days since submission to give to a website owner all reasonable possibilities to patch the vulnerability without putting its users at any risk. If the vulnerability is patched, this period is reduced to 30 days. This will be retroactively applied to all current vulnerabilities (please don't be surprised and be patient if this changes have not occurred yet). By following these rigorous and highly-responsible timelines, we will guarantee full fairness and high ethics of the vulnerability disclosure process.

3) Prizes and medals will now be delivered for coordinated disclosure and for various technical achievements (e.g. interesting WAF bypass technique). We primary want to encourage a quality of submissions, not quantity. All previous statistics and numbers involving quantity will remain unchanged in your profiles.

4) We also improved and enhanced our default notification system to make sure that website owners will get the notification in a reliable and timely manner.

5) Minor design and texts revision everywhere on the website, some are still in progress. Please report any bugs here.

Please also have a look on the new description of the project - https://www.openbugbounty.org/open-bug-bounty/ - and let us know if you think there is something else than can be improved - your opinion is important for us!

Together we make Internet safer, and we shall continue doing so.

hackdemonium
Posts: 63
Joined: Sun Jun 18, 2017 3:33 pm

Re: OBB: increasing quality and value

Post by hackdemonium » Sun Jul 23, 2017 9:07 pm

That's a great step forward for the OBB platform.
Further work suggested by me:
- Eliminate the possibility of bug disclosing before minimum required time. That includes researcher comments (steps to reproduce don't need to be public visible) and forum posts (full working pocs exists in forum threads).
- Increase the amount of communication channels ( that includes a second notification after 30 days and a third 1 week before the end of 90 days period)
- Reports: Auto blacklist/reject reporting sites that hosting illegal content (Sometimes our tools fetch sites of this kind and we are lazy to verify the original content)
Ele

Spam404Online
Posts: 297
Joined: Mon Nov 23, 2015 6:43 pm
Contact:

Re: OBB: increasing quality and value

Post by Spam404Online » Sun Jul 23, 2017 9:48 pm

These are some cool changes and I agree with them. Nice work guys :)

xssbuddy
Posts: 4
Joined: Sun Mar 19, 2017 3:04 pm

Re: OBB: increasing quality and value

Post by xssbuddy » Sun Jul 23, 2017 10:01 pm

Very nice.
hackdemonium wrote:
Sun Jul 23, 2017 9:07 pm
- Reports: Auto blacklist/reject reporting sites that hosting illegal content (Sometimes our tools fetch sites of this kind and we are lazy to verify the original content)
Ele
Nice ideas except the last one : define which content is legal or illegal. That's the problem. The line between legal and illegal is thin and differs from countries. A vulnerability affect websites/servers not content. My 2 cents.

hackdemonium
Posts: 63
Joined: Sun Jun 18, 2017 3:33 pm

Re: OBB: increasing quality and value

Post by hackdemonium » Sun Jul 23, 2017 10:14 pm

xssbuddy wrote:
Sun Jul 23, 2017 10:01 pm
Very nice.
hackdemonium wrote:
Sun Jul 23, 2017 9:07 pm
- Reports: Auto blacklist/reject reporting sites that hosting illegal content (Sometimes our tools fetch sites of this kind and we are lazy to verify the original content)
Ele
Nice ideas except the last one : define which content is legal or illegal. That's the problem. The line between legal and illegal is thin and differs from countries. A vulnerability affect websites/servers not content. My 2 cents.
My comment covers only "universal" illegal, like drugs, terrorism, child porn, malware hosting etc.

0x0luke
Posts: 29
Joined: Sat Feb 25, 2017 12:31 am

Re: OBB: increasing quality and value

Post by 0x0luke » Sun Jul 23, 2017 10:30 pm

It'd be nice if there was a list for the medals, as in, what you have to do to get the medal.

hackdemonium
Posts: 63
Joined: Sun Jun 18, 2017 3:33 pm

Re: OBB: increasing quality and value

Post by hackdemonium » Sun Jul 23, 2017 10:36 pm

hackdemonium wrote:
Sun Jul 23, 2017 10:14 pm
xssbuddy wrote:
Sun Jul 23, 2017 10:01 pm
Very nice.
hackdemonium wrote:
Sun Jul 23, 2017 9:07 pm
- Reports: Auto blacklist/reject reporting sites that hosting illegal content (Sometimes our tools fetch sites of this kind and we are lazy to verify the original content)
Ele
Nice ideas except the last one : define which content is legal or illegal. That's the problem. The line between legal and illegal is thin and differs from countries. A vulnerability affect websites/servers not content. My 2 cents.
My comment covers only "universal" illegal, like drugs, terrorism, child porn, malware hosting etc.
Further explanation: Users and guests used to click at original poc links (even that a mirror exists). So OBB accidentally is linked with an unwanted site. This sets users and OBB at risk.
Temp Solutions: Implementation of a splash mid-redirect warning page or link removal.

vpq_wtf
Posts: 118
Joined: Mon Apr 25, 2016 3:43 am

Re: OBB: increasing quality and value

Post by vpq_wtf » Mon Jul 24, 2017 12:13 am

Did I miss the reason for the removal of the mass report system?

micomat
Posts: 173
Joined: Tue Mar 07, 2017 7:16 pm

Re: OBB: increasing quality and value

Post by micomat » Mon Jul 24, 2017 5:26 am

good job! i like the removal of full disclosure, but can you remove it from the button-labeling too?

my experience shows that twitter notification is a pretty good way. so why limiting that to VIP submissions only? i have more "standard" submitted reports with successful notification (manually) on twitter than VIP.

User avatar
x1admin
Site Admin
Posts: 3096
Joined: Sun Nov 15, 2015 7:04 pm

Re: OBB: increasing quality and value

Post by x1admin » Mon Jul 24, 2017 8:31 am

Hi Folks,

Thanks for your ideas and replies!

One by one:

1) Minimum disclosure time is already implemented - you cannot disclose in less than 90 days, or 30 if the vulnerability is patched.

2) We are currently improving notifications. Twitter notification can be increased, but not too much - to avoid spam. Same for emails.

3) Currently thinking how to blacklist websites with illegal content or with malware (as they will quite unlikely patch the vulnerabilities).

4) Inactive medals are in profiles, anything we can make more clear or describe better?

5) Mass reporting is back, but please use with caution and care (we need quality and patches, not quantity).

6) FD is removed everywhere, probably some cache remains, but will disappear shortly.

Thanks for your input!

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests