OBB: increasing quality and value
- Posts: 63
- Joined: Sun Jun 18, 2017 3:33 pm
I wanna share a new idea:
OBB has a large amount of subscribers. They are expecting security alerts for their sites, to make them safer. It's ridiculous, after a report, for someone to state that a user violates any rules/laws. So...
A new TOS.
Submissions will be split in three parts.
-Subscribers
If a website owner wants to use this service, a detailed TOS will be filled in - site verification needed. This must cover any misuse from OBB users, and other things like permission of submission for the named vulnerabilities (XSS type reflected, XSS type DOM, OR and more).
Service will be free. If a site owner wants to reward a researcher, it's up to them. An abuse/flag button must exist.
**more work needed here**
-Sites having an RD program
A huge number of sites of this kind exist. A notification after user submission will be served with a link to the official RD page, so he can fetch any info.
(the above two cases will be domains that are listed publicly, e.g. XSS at acme.tld)
-3rd parties
This covers everything else. The submission will remain hidden and the domain will be listed as *******.tld.
A unique URL must be created (unpredictable) and the report will be locked. The site will be notified only at generic emails or emails provided by the user. It's up to the site owner to unlock the report (by accepting the TOS for the particular submission - site verification needed) or delete it and place his/her site as "dontwant" or in other words (do not test me). These domains will be blacklisted from further submission (auto deletion).
**more work needed here**
Ele
Re: OBB: increasing quality and value
Thanks for the great ideas. Actually, a simplified version of this already exists as a private submission: https://www.openbugbounty.org/open-bug-bounty/
We are currently doing the following:
1) Removing malware websites from the project (the % is very small, but still). Researchers' statistics will not be affected.
2) Implementing a mechanism to restrict submitting illegal or malware websites (as the chances that the vulnerability will be fixed are very small).
3) Running a mass check of all submissions we have - expect a jump in the global number of fixed vulnerabilities ;]
Once done, we will continue with all these topics!
Re: OBB: increasing quality and value
Hi Team,
I cannot open / disclose reports from the /onhold/ panel, but I can open / disclose reports via my /reports/id page that have not yet reached the minimum disclosure time.
Re: OBB: increasing quality and value
Hi Folks,
So, everything is done. Please report any bugs here.
Among other changes:
1) Notification by email is significantly reinforced.
2) Notification by Twitter will become more frequent and reliable.
3) Websites with malware are not accepted anymore.
For the notification system changes suggested above, we will probably keep it "as is" for the moment. It's very tricky to reliably verify a website owner's legitimacy on our side (e.g. free hosting services with the same (sub)domain for different users) and we prefer to keep our independence - no intervention between the site owner and researcher.
If you have any suggestions on more improvements - they are welcome!
Re: OBB: increasing quality and value
great job
thanks!
Re: OBB: increasing quality and value
one more thing...
Often the admins want to see the reports displayed as "patched" once fixed.
So I think it should be possible to "open" a patched report even before the 30 days are reached. Sometimes it's hard to explain why it's still on hold.
Re: OBB: increasing quality and value
Hi Folks,
From now on, we do not accept vulnerabilities on websites with overt obscenities, strong pornography and other materials that may be inappropriate for the general audience. Such websites will probably never fix the vulnerability and therefore it doesn't make sense to report vulns on them.
All previous submissions of such type were removed (only unpatched); however, all researcher statistics were left unchanged.
Please avoid submitting such websites in the future.
- Posts: 1
- Joined: Sat Sep 02, 2017 10:26 am
Re: OBB: increasing quality and value
How to find the vulnerability??
My site is http://discoutdeals.com/. Is there any way to find and remove it? Can anyone help me??
Re: OBB: increasing quality and value
There is no report for this domain?
If you received an email from OBB, please follow the instructions there.