OBB: increasing quality and value

hackdemonium
Posts:63
Joined:Sun Jun 18, 2017 3:33 pm
Re: OBB: increasing quality and value

Post by hackdemonium » Mon Jul 24, 2017 4:41 pm

I want to share a new idea:
OBB has a large number of subscribers. They expect security alerts for their sites, to make them safer. It's ridiculous, after a report, for someone to state that a user violates any rules/laws. So..
A new TOS.
Submissions will be split into three parts.
-Subscribers
If a website owner wants to use this service, a detailed TOS will be filled in - Site verification needed. This must cover any misuse by OBB users, and other things like permission to submit the named vulnerabilities (XSS type reflected, XSS type DOM, OR and more)
Service will be free. If a site owner wants to reward a researcher, it is up to them. An abuse/flag button must exist.
**more work needed here**
-Sites having an RD program
A huge number of sites of this kind exist. A notification after user submission will be served with a link to the official RD page, so he can fetch any info.
(the above two cases will be domains that are listed publicly, e.g. XSS at acme.tld)
-3rd parties
This covers everything else. The submission will remain hidden and the domain will be listed as *******.tld
A unique URL must be created (unpredictable) and the report will be locked. The site will be notified only at generic emails or emails provided by the user. It's up to the site owner to unlock the report (by accepting the TOS for the particular submission - Site verification needed) or delete it and mark his/her site as "dontwant" or in other words (do not test me). These domains will be blacklisted from further submission (auto deletion).
**more work needed here**

Ele

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: OBB: increasing quality and value

Post by x1admin » Tue Jul 25, 2017 11:12 am

Thanks for the great ideas. Actually, a simplified version of this already exists as a private submission: https://www.openbugbounty.org/open-bug-bounty/

We are currently doing the following:

1) Removing malware websites from the project (the % is very small, but still). Researchers' statistics will not be affected.

2) Implementing a mechanism to restrict submitting illegal or malware websites (as chances that the vulnerability will be fixed are very small).

3) Running a mass check of all submissions we have - expect a jump in the global number of fixed vulnerabilities ;]

Once done, we will continue with all these topics!

d1m0ck
Posts:28
Joined:Mon Nov 23, 2015 4:54 pm

Re: OBB: increasing quality and value

Post by d1m0ck » Mon Jul 31, 2017 3:37 pm

x1admin wrote:
Mon Jul 24, 2017 8:31 am
Hi Folks,

Thanks for your ideas and replies!

One by one:

1) Minimum disclosure time is already implemented - you cannot disclose in less than 90 days, or 30 if the vulnerability is patched.

Hi Team,

I cannot open / disclose reports from the /onhold/ panel, but I can open / disclose reports via my /reports/id page which have not yet reached the minimum disclosure time.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: OBB: increasing quality and value

Post by x1admin » Mon Jul 31, 2017 6:09 pm

d1m0ck wrote:
Mon Jul 31, 2017 3:37 pm
x1admin wrote:
Mon Jul 24, 2017 8:31 am
Hi Folks,

Thanks for your ideas and replies!

One by one:

1) Minimum disclosure time is already implemented - you cannot disclose in less than 90 days, or 30 if the vulnerability is patched.

Hi Team,

I cannot open / disclose reports from the /onhold/ panel, but I can open / disclose reports via my /reports/id page which have not yet reached the minimum disclosure time.

Thanks for the info.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: OBB: increasing quality and value

Post by x1admin » Tue Aug 01, 2017 9:57 am

Hi Folks,

So, everything is done. Please report any bugs here.

Among other changes:

1) Notification by email is significantly reinforced.

2) Notification by Twitter will become more frequent and reliable.

3) Websites with malware are not accepted anymore.

For the notification system changes suggested above, we will probably keep it "as is" for the moment. It's very tricky to reliably verify a website owner's legitimacy on our side (e.g. free hostings with the same (sub)domain for different users), and we prefer to keep our independence - no intervention between the site owner and the researcher.

If you have any suggestions on more improvements - they are welcome!

micomat
Posts:169
Joined:Tue Mar 07, 2017 7:16 pm

Re: OBB: increasing quality and value

Post by micomat » Tue Aug 01, 2017 6:15 pm

Great job :)
Thanks!

micomat
Posts:169
Joined:Tue Mar 07, 2017 7:16 pm

Re: OBB: increasing quality and value

Post by micomat » Thu Aug 03, 2017 6:36 pm

One more thing...
Often the admins want to see the reports displayed as "patched" once fixed.
So I think it should be possible to "open" a patched report even before the 30 days are reached. Sometimes it's hard to explain why it's still on hold.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: OBB: increasing quality and value

Post by x1admin » Fri Aug 04, 2017 3:28 pm

Hi Folks,

From now on, we do not accept vulnerabilities on websites with overt obscenities, strong pornography and other materials that may be inappropriate for the general audience. Such websites will probably never fix the vulnerability and therefore it doesn't make sense to report vulns on them.

All previous submissions of such type were removed (only unpatched); however, researcher statistics were not changed.

Please avoid submitting such websites in the future.

Aayushg416
Posts:1
Joined:Sat Sep 02, 2017 10:26 am

Re: OBB: increasing quality and value

Post by Aayushg416 » Sat Sep 02, 2017 10:31 am

How to find the vulnerability?
My site is http://discoutdeals.com/. Is there any way to find and remove it? Can anyone help me?

micomat
Posts:169
Joined:Tue Mar 07, 2017 7:16 pm

Re: OBB: increasing quality and value

Post by micomat » Sat Sep 02, 2017 3:22 pm

There is no report for this domain?
If you received an email from OBB, please follow the instructions there.
