Making OBB even better in 2019

Questions or suggestions about the platform
x1admin
Site Admin
Posts:3101
Joined:Sun Nov 15, 2015 7:04 pm
Post by x1admin » Fri Jan 04, 2019 3:26 pm

Hi Folks,

We need your creativity and experience to make OBB even better in 2019! We have some time available early this year to add new cool features and useful options to the project.

We are looking for your ideas on how to:

Improve existing features
Add new features

To make OBB an even better place for:

Website owners
Security researchers
Cybersecurity community

Please write your ideas here. The best ideas will all be implemented, and their authors will get a special OBB badge, unlimited kudos and respect =)

Don’t hesitate to suggest crazy things – we are here to innovate and boost crowd security testing!

GordSchramm
Posts:164
Joined:Thu Apr 28, 2016 11:26 pm

Re: Making OBB even better in 2019

Post by GordSchramm » Sat Jan 05, 2019 9:52 pm

x1admin wrote:
Fri Jan 04, 2019 3:26 pm
We need your creativity and experience to make OBB even better in 2019! [...]
Hi Admin,

One thing I would like to see is a real-time notification of a reply to a forum comment, if that is possible.

Regards,

metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am

Re: Making OBB even better in 2019

Post by metamorfosec_id » Sun Jan 06, 2019 6:26 am

Improve existing features
  • Add a sort function in the Reported Vulnerabilities and On Hold Vulnerabilities sections. The current sort function only sorts by Patch Status, and only in the On Hold Vulnerabilities section. Maybe this feature should be in the Reported Vulnerabilities section too. If possible, we should also be able to sort submissions by domain, vulnerability type, submission date, etc.
  • Add a position number to the Top Researchers feature. The current feature does not include the number, so researchers must count manually to know their current position.
  • Enforce bounties for websites in the Open Bug Bounty Programs List. I see most websites in the list state “No possible awards”. If there is no award or bounty, why can the website be listed in Open Bug Bounty Programs? I was also contacted by a website owner who replied “Thanks for your bug bounty”. I thought he should give me the bounty, not the other way round. I think he confused the term “bounty” with the alerts from OpenBugBounty. In the end, no bounty for me.
  • Remove the Send Notifications button once the Verify Patch button has been clicked. We do not need to notify the website owner again once the vulnerability is already patched.
  • Validate the submission form. About 4 weeks ago I tested the submission form by entering an invalid URL and free text in the Comment section. The platform informed me that the URL entered was not valid. However, the submission was still sent and appeared in Pending Submissions. So maybe the form must not send any submission if invalid input is detected in the fields.
  • Improve the patch checker. This is to reduce incorrect patch verdicts that could confuse website owners and violate the coordinated disclosure policy.
  • Improve website type inspection. If I remember correctly, at least two of my submissions were marked as porn, but actually they are not. On the other hand, I see submissions from other researchers that could be categorized as porn websites, but were approved by the OBB Team.
  • Provide Total Unique Websites and Total Unique VIP Websites in Research Statistics. This is to encourage researchers to find vulnerabilities in different websites. For example, if I submitted example.com, x.example.com, and y.example.com with different vulnerable parameters, then I would be counted as having submitted to one unique website only. An associated badge for Total Unique Websites and Total Unique VIP Websites could also be considered.
  • Inform which emails were sent successfully and which failed to send for email notifications. I was contacted by a website owner who was angry with me because she did not receive the alerts, even though I had included the webmaster email as a security contact. Because there is no feature that shows which emails were sent and which failed, I had no proof.
  • Data visualization in Research Statistics for the domain extensions submitted. This is just for fun. Sometimes I want to check my submissions for a specific domain extension, for example .org. I usually use the Search feature with *.org and my username. However, this only shows my latest submissions for a specific domain extension, not the total number of them. With data visualization I would get the total number of my submissions for .com, .org, etc. faster, with nice graphics.
Add a new feature
  • White list. I was contacted by at least 3 website owners who informed me that they will release new websites on a planned date. So I think it is not worth submitting any vulnerability again for their websites until their new websites launch on the planned date. This feature could be initiated manually by the researcher by sending an email to the OBB Team with a screenshot of the email from the website owner as proof. The OBB Team would then decide whether to include the websites in the white list or not.

Keep up the good work...
Regards.

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Making OBB even better in 2019

Post by secuninja » Sun Jan 06, 2019 4:18 pm

- add a "news" section outside the forums
- add a "my profile" link in the upper menu
- make it possible to re-hide reports
- add a discussion option for program owned website reports
- make rejected reports editable

keep up the good work :)

GordSchramm
Posts:164
Joined:Thu Apr 28, 2016 11:26 pm

Re: Making OBB even better in 2019

Post by GordSchramm » Sat Jan 12, 2019 2:36 am

How about making the header always visible, even when scrolling? An overlay?

rootxed
Posts:8
Joined:Sun Sep 23, 2018 4:11 pm

Re: Making OBB even better in 2019

Post by rootxed » Wed Jan 23, 2019 4:10 pm

Hello,
Here are a few ideas that could maybe make OBB better.
(I'm new to the community and this is my personal experience.)

For bug hunters:
- A "Proof Of Concept" field in Vulnerability Details to add PoC videos, because it could help to explain some vulnerabilities.
- Make the Open BugBounty Programs List easier to understand by listing websites and not the company name.
- Add a direct link to the bug bounty program for VIP submissions, so you don't have to look for the company behind the bug bounty program to see the conditions of the program.
- Encourage website owners to reward by explaining the bug bounty principle, or at least to thank the researchers.

For website owners:
- Send the alert in several languages (the languages can be chosen by the researcher).
- Make a page to explain the principle and operation of OpenBugBounty.org.
- Ask for a minimum of interaction to keep a V.I.P. program, because there are some programs that no longer patch vulnerabilities and others that no longer even communicate with researchers.

Babiel
Posts:3
Joined:Wed Jun 06, 2018 3:50 pm

Re: Making OBB even better in 2019

Post by Babiel » Wed Mar 27, 2019 8:34 am

It would be great if it was possible to list full domain names on your bugbounty site, e.g. www.site.com, and not just site.com. IMHO site.com too often gets confused with *.site.com.

Also, it would be good for researchers to be able to sort the "Open BugBounty Programs List" (https://www.openbugbounty.org/bugbounty-list/) by name, verified domain number, total bugs, fixed bugs and unfixed bugs.

78622cc46a7c4ef
Posts:8
Joined:Mon Jun 18, 2018 12:42 pm

Re: Making OBB even better in 2019

Post by 78622cc46a7c4ef » Mon Apr 08, 2019 7:32 am

There are many bug bounty programs on openbugbounty.org. Some websites offer possible awards like payments, recommendations or HAF; some don't. The website owner mentions the possible award in the description of the bug bounty program. There should be a feature for filtering bug bounty programs on the basis of possible awards (like payment, HAF, recommendation). This would help security researchers a lot in finding a bug bounty program according to their needs.

78622cc46a7c4ef
Posts:8
Joined:Mon Jun 18, 2018 12:42 pm

Re: Making OBB even better in 2019

Post by 78622cc46a7c4ef » Mon Apr 29, 2019 10:05 am

Hello, I have a suggestion.
There are some bug bounty programs (registered on openbugbounty) who also want to receive all vulnerabilities, including XSS, Open redirect, CSRF and Improper access control. But we can't report other vulnerabilities except XSS, CSRF, open redirect and Improper access control on Openbugbounty. And on their bug bounty page we didn't find their contact to report other vulnerabilities. So my suggestion is to make it compulsory to publish a contact email address on their bug bounty page.

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Making OBB even better in 2019

Post by secuninja » Sat May 04, 2019 3:21 pm

Could you somehow improve the dupe filter?
I see so many dupes, and I'm tired of reporting them as such in the forums...
Or bring a "dupe check" button to life.
