BugBounty.site Public Launch
About two months ago, I started coding several tools and brainstorming ideas for making my bug bounty life easier. One of them was a small search engine for looking up AWS S3 buckets by company name. After I finished it, I launched it publicly and announced it on Twitter:
Soon after that, I was approached by the AWS team. They liked the idea but had some questions about it. Overall, it was a fun experience talking with them and exchanging ideas on how the product could be made better. During the talk, they raised an extremely valuable concern. The scanner is supposed to run a scan every 48 hours and update the search engine accordingly, but what if it were misused? When it was initially launched, it was open to everyone, which meant anyone could use it without the service knowing who was using it. What if someone used the tool and then threatened a company with extortion? Even though every company in the search engine has a public bug bounty program, a hacker with no prior experience of bug bounty programs could easily misuse it.
After the talk ended, I followed up with the AWS team by email and exchanged some more ideas. As a result, I came to the conclusion that if my intended user base is ethical hackers, specifically bug bounty hunters, why not add a check that makes sure a user actually is a bug bounty hunter? That is when the official idea of bugbounty.site was born.
As of today, tools.bugbounty.site has officially been removed and its tools are migrating to https://bugbounty.site.
There were several ways I could have verified whether a user was a bug bounty hunter. I could have built a simple invite-only system open to hackers I selected manually. However, that would without doubt have led to biased decisions, so I removed it from consideration entirely. The second option was to use each platform as the basis for signup. This could be done manually, with help from the platforms, or automatically, depending on how each platform works. I did not want to bother any platform to change its code or help me verify hackers, so instead I automated the verification process.
About a year ago, I had made a small Facebook Messenger bot called HackerOne Bot. It had several features and pulled data from HackerOne's website, so I was extremely familiar with the responses of the site's different pages. I then browsed other platforms to see if I could use them for verification as well, but sadly most of them offered no easier way of pulling hacker information than fetching a profile URL and parsing the HTML output. Additionally, with an idea from @Rhynorater, I had recently released a tool that gives you an embeddable version of a HackerOne profile. So, in the end, I decided to use HackerOne for user verification.
Verification Process
The verification process for https://bugbounty.site is simple. To become a member of BugBounty.site and get access to the inner tools (not the ones that are public or open sourced), you need to meet one requirement: a HackerOne reputation greater than 200. Initially, the check was for a reputation higher than 100, but I realized that a HackerOne user will likely have 100 reputation by default, and I also wanted to make sure the account is active. If you have 200 reputation or higher, there is a good chance that you are, or have been, active.
Once you meet the requirement, you go to the signup page and enter your username. You are then given a UUID, which you have to put in your HackerOne profile:
Once you have added the UUID to your bio, you can verify the profile. To do so, the website fetches the JSON version of your HackerOne user profile and checks that the bio contains the UUID it issued. Once that checks out, you are given your login UUID (you need it every time you log in).
Throughout the whole process, the website does not ask you for any private information such as an email address, and it does not ask you to set a password. I did not want to use passwords or emails as means of identification because I did not want to store any critical PII in the database. The only PII saved in the DB is your login UUID.
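To make the flow above concrete, here is an added example (not the bugbounty.site code, and written independently of it) that implements the three steps: issue a challenge UUID, check a fetched profile for the reputation threshold and the exact challenge in the bio, then mint a login UUID. The profile is passed in as an already-parsed dict with `username`, `reputation` and `bio` keys; those field names, the in-memory stores, the 15-minute challenge expiry and the hashing of the login UUID at rest are all assumptions of this example, not details from the post. The sample profile is constructed.

```python
import hashlib
import re
import secrets
import time
import uuid

REPUTATION_MINIMUM = 200         # threshold described in the post
CHALLENGE_TTL_SECONDS = 15 * 60  # assumption: a challenge expires after 15 minutes

# In-memory stores standing in for the real database (assumption).
pending_challenges = {}   # username -> (challenge_uuid, issued_at)
login_token_hashes = {}   # username -> sha256 hex digest of the login UUID


def issue_challenge(username, now=None):
    """Step 1: hand the user a random UUID to paste into their HackerOne bio."""
    now = time.time() if now is None else now
    challenge = str(uuid.uuid4())  # uuid4 is drawn from os.urandom, so unguessable
    pending_challenges[username] = (challenge, now)
    return challenge


def bio_contains_challenge(bio, challenge):
    """Whole-token match: the challenge must appear as its own token, not as
    part of a longer hex string, and case differences in the bio are tolerated."""
    pattern = rf"(?<!\w){re.escape(challenge)}(?!\w)"
    return re.search(pattern, bio, re.IGNORECASE) is not None


def verify_profile(username, profile, now=None):
    """Step 2: given the fetched profile (dict parsed from the profile JSON),
    check the challenge, the handle and the reputation, then mint a login UUID.
    Returns (login_uuid, status); login_uuid is None on failure."""
    now = time.time() if now is None else now
    entry = pending_challenges.get(username)
    if entry is None:
        return None, "no pending challenge for this username"
    challenge, issued_at = entry
    if now - issued_at > CHALLENGE_TTL_SECONDS:
        del pending_challenges[username]
        return None, "challenge expired; request a new one"
    # The profile must belong to the handle that requested the challenge.
    if profile.get("username") != username:
        return None, "profile username mismatch"
    if int(profile.get("reputation", 0)) < REPUTATION_MINIMUM:
        return None, "reputation below minimum"
    if not bio_contains_challenge(profile.get("bio") or "", challenge):
        return None, "challenge UUID not found in bio"
    del pending_challenges[username]  # one-shot: a second verify needs a new challenge
    login_uuid = str(uuid.uuid4())
    # Store only a hash: a DB leak then does not hand out usable login tokens.
    login_token_hashes[username] = hashlib.sha256(login_uuid.encode()).hexdigest()
    return login_uuid, "verified"


def check_login(username, presented_uuid):
    """Step 3: later logins compare the hash of the presented UUID in constant time."""
    stored = login_token_hashes.get(username)
    if stored is None:
        return False
    presented = hashlib.sha256(presented_uuid.encode()).hexdigest()
    return secrets.compare_digest(stored, presented)


def demo():
    """Constructed walk-through: a hunter with 350 reputation pastes the challenge."""
    username = "example_hunter"  # constructed handle
    challenge = issue_challenge(username, now=1000.0)
    profile = {  # constructed stand-in for the fetched profile JSON
        "username": username,
        "reputation": 350,
        "bio": f"Bug bounty hunter. bugbounty.site verification: {challenge}",
    }
    return verify_profile(username, profile, now=1100.0)


if __name__ == "__main__":
    token, status = demo()
    print(status, "login ok:", check_login("example_hunter", token))
```

The login UUID is a bearer credential, so the example treats it the way a password hash would be treated: only its hash is kept, and comparison is constant-time. The challenge is single-use and time-limited so that a UUID left in a bio cannot be reused later by someone who later controls the same handle.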
If you look at the image above, you can see a small checkbox during verification. It says: "I want to signup for beta testing new features". Most of the projects outside bugbounty.site are open sourced, including the manual scanner (originally scan.bugbounty.site)*. The manual scanner is something I update weekly with new features, new tools or sometimes small text changes. When I have a major update coming, for example a complete change of the code base or an important new recon tool, beta users get early access to it. After a tool has been available to beta users for 15 days, it is publicly released or updated on GitHub.
Not all users will be selected for beta access, because the number of beta users needed depends heavily on how many updates I release. Given my time constraints, if I release one tool per month, I will not need many beta testers. If you apply for beta access, you can easily tell whether you are a beta user by checking the apps section. Non-beta users see the public apps open to all users. Beta users also see apps that are explicitly marked as being for beta users only:
*The manual scanner is still a work in progress and will be open sourced in about 20 days (at most).