OBB: increasing quality and value

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm
OBB: increasing quality and value

Post by x1admin » Sun Jul 23, 2017 8:24 pm

Hi Folks,

So far, you have helped fix over 40k vulnerabilities - an impressive and outstanding number you should deservedly be proud of!

Not many commercial crowd security testing platforms have brought the same value to website owners as our community. In order to preserve the integrity of our community and our values, we believe now is a reasonable and appropriate time for the following amelioration and enhancement of our vulnerability disclosure process:

1) Full Disclosure is removed from the platform. It has become highly unpopular among our community (less than 1% of submissions) and we believe that it is not required anymore.

2) Open Bug Bounty submissions can now be disclosed publicly 90 days after submission, to give a website owner every reasonable opportunity to patch the vulnerability without putting its users at any risk. If the vulnerability is patched, this period is reduced to 30 days. This will be applied retroactively to all current vulnerabilities (please don't be surprised, and be patient, if these changes have not occurred yet). By following these rigorous and highly responsible timelines, we will guarantee full fairness and high ethics in the vulnerability disclosure process.

3) Prizes and medals will now be delivered for coordinated disclosure and for various technical achievements (e.g. an interesting WAF bypass technique). We primarily want to encourage quality of submissions, not quantity. All previous statistics and numbers involving quantity will remain unchanged in your profiles.

4) We also improved and enhanced our default notification system to make sure that website owners will get the notification in a reliable and timely manner.

5) Minor design and text revisions everywhere on the website, some still in progress. Please report any bugs here.

Please also have a look at the new description of the project - https://www.openbugbounty.org/open-bug-bounty/ - and let us know if you think there is something else that can be improved - your opinion is important to us!

Together we make the Internet safer, and we shall continue doing so.

hackdemonium
Posts:63
Joined:Sun Jun 18, 2017 3:33 pm

Re: OBB: increasing quality and value

Post by hackdemonium » Sun Jul 23, 2017 9:07 pm

That's a great step forward for the OBB platform.
Further work suggested by me:
- Eliminate the possibility of disclosing a bug before the minimum required time. That includes researcher comments (steps to reproduce don't need to be publicly visible) and forum posts (full working PoCs exist in forum threads).
- Increase the number of communication channels (that includes a second notification after 30 days and a third one week before the end of the 90-day period).
- Reports: Auto blacklist/reject reports for sites that host illegal content (sometimes our tools fetch sites of this kind and we are too lazy to verify the original content).
Ele

Spam404Online
Posts:296
Joined:Mon Nov 23, 2015 6:43 pm
Contact:

Re: OBB: increasing quality and value

Post by Spam404Online » Sun Jul 23, 2017 9:48 pm

These are some cool changes and I agree with them. Nice work guys :)

xssbuddy
Posts:4
Joined:Sun Mar 19, 2017 3:04 pm

Re: OBB: increasing quality and value

Post by xssbuddy » Sun Jul 23, 2017 10:01 pm

Very nice.
hackdemonium wrote:
Sun Jul 23, 2017 9:07 pm
- Reports: Auto blacklist/reject reports for sites that host illegal content (sometimes our tools fetch sites of this kind and we are too lazy to verify the original content).
Ele
Nice ideas except the last one: define which content is legal or illegal. That's the problem. The line between legal and illegal is thin and differs between countries. A vulnerability affects websites/servers, not content. My 2 cents.

hackdemonium
Posts:63
Joined:Sun Jun 18, 2017 3:33 pm

Re: OBB: increasing quality and value

Post by hackdemonium » Sun Jul 23, 2017 10:14 pm

xssbuddy wrote:
Sun Jul 23, 2017 10:01 pm
Very nice.
hackdemonium wrote:
Sun Jul 23, 2017 9:07 pm
- Reports: Auto blacklist/reject reports for sites that host illegal content (sometimes our tools fetch sites of this kind and we are too lazy to verify the original content).
Ele
Nice ideas except the last one: define which content is legal or illegal. That's the problem. The line between legal and illegal is thin and differs between countries. A vulnerability affects websites/servers, not content. My 2 cents.
My comment covers only "universally" illegal content, like drugs, terrorism, child porn, malware hosting, etc.

0x0luke
Posts:29
Joined:Sat Feb 25, 2017 12:31 am

Re: OBB: increasing quality and value

Post by 0x0luke » Sun Jul 23, 2017 10:30 pm

It'd be nice if there was a list for the medals, as in, what you have to do to get the medal.

hackdemonium
Posts:63
Joined:Sun Jun 18, 2017 3:33 pm

Re: OBB: increasing quality and value

Post by hackdemonium » Sun Jul 23, 2017 10:36 pm

hackdemonium wrote:
Sun Jul 23, 2017 10:14 pm
xssbuddy wrote:
Sun Jul 23, 2017 10:01 pm
Very nice.
hackdemonium wrote:
Sun Jul 23, 2017 9:07 pm
- Reports: Auto blacklist/reject reports for sites that host illegal content (sometimes our tools fetch sites of this kind and we are too lazy to verify the original content).
Ele
Nice ideas except the last one: define which content is legal or illegal. That's the problem. The line between legal and illegal is thin and differs between countries. A vulnerability affects websites/servers, not content. My 2 cents.
My comment covers only "universally" illegal content, like drugs, terrorism, child porn, malware hosting, etc.
Further explanation: Users and guests tend to click on the original PoC links (even though a mirror exists). So OBB is accidentally linked with an unwanted site. This puts users and OBB at risk.
Temporary solutions: implementation of a splash mid-redirect warning page, or link removal.

vpq_wtf
Posts:118
Joined:Mon Apr 25, 2016 3:43 am

Re: OBB: increasing quality and value

Post by vpq_wtf » Mon Jul 24, 2017 12:13 am

Did I miss the reason for the removal of the mass report system?

micomat
Posts:169
Joined:Tue Mar 07, 2017 7:16 pm

Re: OBB: increasing quality and value

Post by micomat » Mon Jul 24, 2017 5:26 am

Good job! I like the removal of full disclosure, but can you remove it from the button labeling too?

My experience shows that Twitter notification is a pretty good way. So why limit that to VIP submissions only? I have more "standard" submitted reports with successful notification (manually) on Twitter than VIP.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: OBB: increasing quality and value

Post by x1admin » Mon Jul 24, 2017 8:31 am

Hi Folks,

Thanks for your ideas and replies!

One by one:

1) Minimum disclosure time is already implemented - you cannot disclose in less than 90 days, or 30 if the vulnerability is patched.

2) We are currently improving notifications. Twitter notifications can be increased, but not too much, to avoid spam. Same for emails.

3) Currently thinking about how to blacklist websites with illegal content or with malware (as they are quite unlikely to patch the vulnerabilities).

4) Inactive medals are in profiles; is there anything we can make clearer or describe better?

5) Mass reporting is back, but please use it with caution and care (we need quality and patches, not quantity).

6) FD is removed everywhere; probably some cache remains, but it will disappear shortly.

Thanks for your input!
