OBB: increasing quality and value
Hi Folks,
So far, you have helped fix over 40k vulnerabilities - an impressive and outstanding number you should deservedly be proud of!
Not many commercial crowd security testing platforms have brought the same value to website owners as our community. In order to preserve the integrity of our community and our values, we believe now is a reasonable and appropriate time for the following amelioration and enhancement of our vulnerability disclosure process:
1) Full Disclosure is removed from the platform. It has become highly unpopular among our community (less than 1% of submissions) and we believe that it's not required anymore.
2) Open Bug Bounty submissions can now be disclosed publicly 90 days after submission, to give a website owner all reasonable possibilities to patch the vulnerability without putting its users at any risk. If the vulnerability is patched, this period is reduced to 30 days. This will be retroactively applied to all current vulnerabilities (please don't be surprised, and be patient, if these changes have not occurred yet). By following these rigorous and highly responsible timelines, we will guarantee full fairness and high ethics of the vulnerability disclosure process.
3) Prizes and medals will now be delivered for coordinated disclosure and for various technical achievements (e.g. an interesting WAF bypass technique). We primarily want to encourage quality of submissions, not quantity. All previous statistics and numbers involving quantity will remain unchanged in your profiles.
4) We also improved and enhanced our default notification system to make sure that website owners will get the notification in a reliable and timely manner.
5) Minor design and text revisions everywhere on the website, some still in progress. Please report any bugs here.
Please also have a look at the new description of the project - https://www.openbugbounty.org/open-bug-bounty/ - and let us know if you think there is something else that can be improved - your opinion is important to us!
Together we make the Internet safer, and we shall continue doing so.
Re: OBB: increasing quality and value
That's a great step forward for the OBB platform.
Further work suggested by me:
- Eliminate the possibility of disclosing a bug before the minimum required time. That includes researcher comments (steps to reproduce don't need to be publicly visible) and forum posts (full working PoCs exist in forum threads).
- Increase the number of communication channels (that includes a second notification after 30 days and a third one week before the end of the 90-day period).
- Reports: Auto blacklist/reject reports for sites that host illegal content (sometimes our tools fetch sites of this kind and we are too lazy to verify the original content).
Ele
Re: OBB: increasing quality and value
These are some cool changes and I agree with them. Nice work, guys.
Re: OBB: increasing quality and value
hackdemonium wrote (Sun Jul 23, 2017 9:07 pm):
    - Reports: Auto blacklist/reject reports for sites that host illegal content (sometimes our tools fetch sites of this kind and we are too lazy to verify the original content).
    Ele
Very nice.
Nice ideas except the last one: define which content is legal or illegal. That's the problem. The line between legal and illegal is thin and differs between countries. A vulnerability affects websites/servers, not content. My 2 cents.
Re: OBB: increasing quality and value
xssbuddy wrote (Sun Jul 23, 2017 10:01 pm):
    hackdemonium wrote (Sun Jul 23, 2017 9:07 pm):
        - Reports: Auto blacklist/reject reports for sites that host illegal content (sometimes our tools fetch sites of this kind and we are too lazy to verify the original content).
        Ele
    Very nice.
    Nice ideas except the last one: define which content is legal or illegal. That's the problem. The line between legal and illegal is thin and differs between countries. A vulnerability affects websites/servers, not content. My 2 cents.
My comment covers only "universal" illegal content, like drugs, terrorism, child porn, malware hosting etc.
Re: OBB: increasing quality and value
It'd be nice if there was a list for the medals, as in, what you have to do to get the medal.
Re: OBB: increasing quality and value
hackdemonium wrote (Sun Jul 23, 2017 10:14 pm):
    xssbuddy wrote (Sun Jul 23, 2017 10:01 pm):
        hackdemonium wrote (Sun Jul 23, 2017 9:07 pm):
            - Reports: Auto blacklist/reject reports for sites that host illegal content (sometimes our tools fetch sites of this kind and we are too lazy to verify the original content).
            Ele
        Very nice.
        Nice ideas except the last one: define which content is legal or illegal. That's the problem. The line between legal and illegal is thin and differs between countries. A vulnerability affects websites/servers, not content. My 2 cents.
    My comment covers only "universal" illegal content, like drugs, terrorism, child porn, malware hosting etc.
Further explanation: Users and guests used to click on original PoC links (even though a mirror exists). So OBB is accidentally linked with an unwanted site. This puts users and OBB at risk.
Temp solutions: implementation of a splash mid-redirect warning page, or link removal.
Re: OBB: increasing quality and value
Did I miss the reason for the removal of the mass report system?
Re: OBB: increasing quality and value
Good job! I like the removal of full disclosure, but can you remove it from the button labeling too?
My experience shows that Twitter notification is a pretty good way. So why limit that to VIP submissions only? I have more "standard" submitted reports with successful (manual) notification on Twitter than VIP ones.
Re: OBB: increasing quality and value
Hi Folks,
Thanks for your ideas and replies!
One by one:
1) Minimum disclosure time is already implemented - you cannot disclose in less than 90 days, or 30 if the vulnerability is patched.
2) We are currently improving notifications. Twitter notification can be increased, but not too much - to avoid spam. Same for emails.
3) We are currently thinking about how to blacklist websites with illegal content or with malware (as they are quite unlikely to patch the vulnerabilities).
4) Inactive medals are shown in profiles; is there anything we can make clearer or describe better?
5) Mass reporting is back, but please use with caution and care (we need quality and patches, not quantity).
6) FD is removed everywhere, probably some cache remains, but will disappear shortly.
Thanks for your input!