BugBounty.site Public Launch

Background

About two months ago I started coding several tools and brainstorming ideas for making my bug bounty life easier. One of the tools I wrote was a small search engine for looking up AWS S3 buckets by company name. Once it was coded, I launched it publicly and announced it on Twitter:

Soon after that I was approached by the AWS team. They liked the idea but had some questions about it. Overall it was a fun experience talking with them and exchanging ideas on how the product could be improved. During the conversation they raised an extremely valuable concern. The scanner is supposed to run every 48 hours and update the search engine accordingly, but what if it were misused? When it first launched it was open to everyone, which meant anyone could use it without the service knowing who was using it. What if someone used the tool and then threatened a company with extortion? Even though every company in the search engine has a public bug bounty program, someone with no prior bug bounty experience could easily misuse it.

After the talk I followed up with the AWS team over email and we exchanged more ideas. The conclusion I came to was this: if my intended user base is ethical hackers, specifically bug bounty hunters, why not add a check that confirms the user actually is a bug bounty hunter? That is when the idea of bugbounty.site was officially born.

As of today, tools.bugbounty.site has been taken down and its tools are migrating to https://bugbounty.site.

Planning 

There were several ways I could have verified whether a user was a bug bounty hunter. I could have made a simple invite-only system open to hackers selected by hand, but that would without doubt have produced biased decisions, so I ruled it out completely. The second option was to use each platform as the basis for signup. This could be done manually with help from the platforms, or automatically, depending on how each platform works. I did not want to bother any platform to change its code or help me verify hackers, so I automated the verification process instead.

About a year ago I had made a small Facebook Messenger bot called HackerOne Bot. It had several features and pulled data from HackerOne's website, so I was already very familiar with the responses of its different pages. I then browsed other platforms to see whether I could use them for verification as well, but sadly most of them had no easier way of pulling hacker information than fetching the profile URL and parsing the HTML. Additionally, with an idea from @Rhynorater, I had recently released a web tool that produces an embeddable version of a HackerOne profile. So in the end I chose HackerOne for user verification.

Verification Process

The verification process for https://bugbounty.site is simple. To become a member of BugBounty.site and get access to the internal tools (as opposed to the ones that are public or open sourced) you need to meet one requirement: a HackerOne reputation of 200 or higher. Initially the check was for a reputation above 100, but a new HackerOne user will likely have 100 reputation by default, and I also wanted to make sure members are active users. If you have 200 reputation or more, there is a good chance you are active or have been active.

Once you meet the requirement, go to the signup page and enter your HackerOne username. You are then given a UUID, which you put in your HackerOne profile:


Once you add the given UUID to your bio, you can verify the profile. To do so the website fetches the JSON version of your HackerOne profile and checks that the bio contains the UUID it issued to you. Once that checks out, you are given your login UUID (required every time you log in).

Throughout the whole process the website never asks for private information such as an email address, and never asks you to set a password. I did not want to use passwords or emails as a means of identification because I did not want to store any critical PII in the database. The only PII saved in the DB is your login UUID. Since that UUID is all that is needed to log in, treat it like a password.
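One way to implement the challenge-and-check flow described above, as an added example in Python (not bugbounty.site's own code). It assumes the profile JSON has already been fetched and parsed into a dict with `username`, `reputation` and `bio` keys; the real HackerOne field names may differ. It also makes two things explicit that the description leaves implicit: the issued UUID is bound to the username it was issued for and expires, and the login UUID is stored only as a hash, since it is the credential itself.

```python
"""Bio-token profile verification (added example, not bugbounty.site's code).

Assumed profile JSON shape: {"username": str, "reputation": int, "bio": str}.
"""
import hashlib
import re
import time
import uuid

MIN_REPUTATION = 200          # threshold from the post
CHALLENGE_TTL = 24 * 60 * 60  # assumption: a challenge UUID is valid for one day

# In-memory stand-ins for the database.
PENDING = {}   # username -> {"token": challenge uuid, "issued": unix time}
ACCOUNTS = {}  # sha256(login uuid) -> account record

# Matches a version-4 UUID anywhere in free text, case-insensitively.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)


def issue_challenge(username, now=None):
    """Step 1: user submits a username and receives a UUID to place in their bio."""
    token = str(uuid.uuid4())
    PENDING[username.lower()] = {"token": token, "issued": now if now is not None else time.time()}
    return token


def verify_profile(username, profile, now=None):
    """Step 2: check the fetched profile. Returns (ok, reason)."""
    now = now if now is not None else time.time()
    pending = PENDING.get(username.lower())
    if pending is None:
        return False, "no pending challenge for this username"
    if now - pending["issued"] > CHALLENGE_TTL:
        return False, "challenge expired"
    # Bind the check to the username the token was issued for, so a profile
    # fetched for some other account cannot be substituted.
    if str(profile.get("username", "")).lower() != username.lower():
        return False, "profile username mismatch"
    if int(profile.get("reputation", 0)) < MIN_REPUTATION:
        return False, "reputation below %d" % MIN_REPUTATION
    # Pull every UUID-shaped string out of the bio and require an exact,
    # case-insensitive match against the token we issued.
    bio_tokens = {m.group(0).lower() for m in UUID_RE.finditer(profile.get("bio") or "")}
    if pending["token"].lower() not in bio_tokens:
        return False, "challenge token not found in bio"
    return True, "verified"


def complete_signup(username, profile, now=None):
    """Step 3: on success, mint the login UUID and store only its hash."""
    ok, reason = verify_profile(username, profile, now)
    if not ok:
        return None, reason
    login_uuid = str(uuid.uuid4())
    # The login UUID is a bearer credential: a leaked table must not yield
    # usable logins, so persist a hash rather than the value itself.
    ACCOUNTS[hashlib.sha256(login_uuid.encode()).hexdigest()] = {
        "username": username.lower(),
        "reputation": int(profile["reputation"]),
    }
    PENDING.pop(username.lower(), None)  # one-time use
    return login_uuid, "verified"


def login(login_uuid):
    """Look up an account by its login UUID; None if unknown."""
    return ACCOUNTS.get(hashlib.sha256(login_uuid.encode()).hexdigest())


def demo():
    """Run the full flow against a constructed sample profile."""
    token = issue_challenge("example_hunter", now=1_000)
    sample_profile = {  # constructed sample, not real HackerOne data
        "username": "example_hunter",
        "reputation": 250,
        "bio": "Hunting bugs since 2016. bugbounty.site: " + token.upper(),
    }
    return complete_signup("example_hunter", sample_profile, now=2_000)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the freshly minted login UUID together with `"verified"`; a profile with reputation 150, a bio without the token, a mismatched username, or an expired challenge is rejected with the matching reason, and only the hash of the login UUID ever reaches `ACCOUNTS`.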

Beta Users

If you look at the image above, you can see that during verification there is a small checkbox that reads: "I want to signup for beta testing new features". Most of the projects outside of bugbounty.site are open source, including the manual scanner (originally scan.bugbounty.site)*. The manual scanner is something I update weekly with new features, new tools, or sometimes small text changes. When a major update is coming, for example a complete change of the code base or an extremely important new recon tool, beta users get early access to it. Fifteen days after the release to beta users, it is publicly released/updated on GitHub.

Not all users will be selected for beta access, because the number of beta users needed depends heavily on how many updates I release. Given time constraints, if I release one tool per month I will not need many beta testers. If you apply for beta access, you can easily tell whether you are a beta user by checking the apps section. Non-beta users have access to the public apps open to all users; beta users also have access to apps that are specifically marked as beta-only:


Disclaimer: Some of the beta tools may allow auto-exploitation of a vulnerability. Usage of those tools is monitored, and they are marked with an eye icon next to them. This is to keep the integrity of the app intact and make sure no one misuses it.

*The manual scanner is still a work in progress and will be open sourced in about 20 days (at most).

Comments

  1. Hi. Good work, buddy.
    I was just curious: what if someone does bug bounty part time on a platform other than HackerOne? How can they access your platform, as they might not have 200 reputation?

    Reply:
    I am still working towards adding more verifications, but for now, because it is faster and more efficient, HackerOne is the only choice of verification for https://bugbounty.site. This does not mean you are not allowed to use the tools. I will be releasing an open source recon tool in about 2 weeks that anyone can set up and use on their own. https://bugbounty.site will basically be used for early access when the open source recon tool gets updated/upgraded.

  2. Hello,
    if we use your platform/tool for private website recon, then logs will definitely be generated.
    Are you sure you will not disclose/attempt our private sites and projects for your own bug bounty?

    Reply:
    The logs will never be released and most apps will not be monitored. Apps that are monitored have an eye icon next to them. That monitoring is only done to keep track of usage so that, in case someone misuses it, we can track who did it. Other than that, information about what a user is searching will never be disclosed.
