Ozon launched a bug bounty on HackerOne – Disposable mail news

The reward for each bug found will depend on the degree of its impact on the service, the potential damage that the vulnerability can cause, the quality of the report and other factors

Ozon, one of the largest online stores in Russia, has launched its own vulnerability search program on the well-known HackerOne platform. As it is the first Russian e-commerce company to do so, the hope is that it will set the path for other projects.

To launch the bug bounty program, Ozon initially plans to invest $41,800 in working with researchers who search for vulnerabilities in its systems.

Not only Russian cybersecurity experts but also experts from abroad can take part in the online store’s program.

According to the company, the program will provide round-the-clock security monitoring. It will not replace the work of the Ozon IT laboratory team in securing Ozon services but will complement it. Currently, more than 1,000 engineers work in the Ozon IT lab, and 3.5 million users visit the Ozon website and app every day.

“Now the company has the necessary resources not only to develop its own security services but also to work with the hacker community,” said Ozon.

Today, few Russian companies run an organised search for vulnerabilities; notable exceptions are giants such as Yandex, Mail.ru and Qiwi. Ozon is the next major project to join them, as the company has the resources not only to develop its own security services but also to work with the community of ethical hackers.

As in other companies’ programs, Ozon’s bug bounty pays a cash reward whose amount depends on the severity of the bug found. For example, the company can pay about $240 for an XSS.

Something more dangerous, such as a remote code execution (RCE) vulnerability, can bring the researcher up to $1,600.

In May, HackerOne representatives said that the platform had paid researchers a total of $100 million over the lifetime of the project, and in early July the list of the most generous companies participating in HackerOne became known.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Disposable mail Crowdsource – Not Your Average Bug Bounty Platform – 10 minute mail

How does Disposable mail Crowdsource get the most skilled ethical hackers in the world to come together and have as broad an impact as possible? The answer is a bug bounty program, but not a traditional one.

I am Carolin Solskär, Disposable mail Crowdsource Community Manager and I work closely with our ethical hackers to make sure we maintain an awesome experience for all our members with the shared goal to make the Internet more secure. Let’s talk about how Disposable mail Crowdsource is not your average bug bounty platform:

Ethical hackers founded Disposable mail. They built the company on the simple idea that the Internet is broken and that there should be a product to help fix it. This is not an easy mission, and our founders realized that their brainpower was not enough. They needed to involve more people, but could not hire all of them, so they turned to the power of the crowd.

If you find a security bug that impacts hundreds of companies, how would you go about reporting it to every single one?

In your bug bounty efforts, you may stumble upon a finding with a footprint more extensive than just the current asset. It’s something more systemic and may apply to other targets as well, including ones that you cannot legally test on. What would you do?

First, for every affected company, you would have to find out whether it has a Responsible Disclosure or Bug Bounty program before you run any tests. Then, for every vulnerable instance, you would need to write an individual report and submit each one separately. This is extremely time consuming and you will not reach all targets. It is also unlikely to generate much money, and a payout is not even guaranteed.

In other words: this process is not scalable. If the desired outcome is to make the Internet safer, there needs to be a better way of distributing security knowledge.

“As a hacker, I’m a big fan of automation, and automation that periodically rewards you for your past research without lifting the same finger twice is amazing.” – eur0pa, member of Disposable mail Crowdsource

Disposable mail automates the knowledge of 200+ handpicked ethical hackers

As a hacker, you are already familiar with scripts and tools that help with your recon work. Disposable mail automates the reporting of vulnerable instances to vendors on behalf of hackers: when you discover a vulnerability and submit a proof of concept to us, our security researchers turn it into a module for our in-house scanning engines, which then find and validate that vulnerability across our broad range of customers.

We make hacking scalable 

Disposable mail is not like other bug bounty platforms. Bug bounty programs have made collaborating with hackers more acceptable, but these only benefit one company at a time. Our approach is to source widely applicable research that can be automated to check our entire user base since there are similarities in the tech stacks. In turn, our hackers have a broader impact on Internet security.

Get a recurring reward

And perhaps the most differentiating factor: Disposable mail Crowdsource hackers get paid per hit for as long as the module is live. Each time a vulnerability you submitted is found in a unique customer asset by Disposable mail services, you collect a bounty. You get a continuous flow of rewards for your work rather than a one-time lump sum. The more widespread the vulnerability, the more companies you help, and the more money you make.

“The best part of Disposable mail Crowdsource is that it’s like a passive income. You report one common vulnerability you’ve found and you could get hits on it for months to come” – Streaak, member of Disposable mail Crowdsource

The combo of automation and crowdsourced security will make the Internet safer

In the fingerprinting phase of scanning, we detect which technologies our customers run on their websites. Instead of holding onto this information, we share it with our Crowdsource hackers so they can see which technologies have more instances to check.
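As an added illustration of what a fingerprinting step does (example code written for this page, not the scanning engine described above): the signatures below recognise WordPress, Joomla, PHP and nginx from a response’s headers and body, and a second function compares a detected version against a version threshold, answering “unknown” rather than “vulnerable” when the product is recognised but its version is not. The signature rules, the sample response and the threshold `HYPOTHETICAL_FIXED_IN` are all constructed for the example and do not refer to any real advisory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    technology: str
    version: Optional[str]  # None when the signature reveals the product but not its version
    evidence: str           # matched text, kept so a finding can be reviewed by hand


# Signature table: (technology, where to look, regex whose first group is the version).
# Constructed for this example; not a production signature set.
SIGNATURES = [
    ("WordPress", "body", re.compile(r'<meta name="generator" content="WordPress(?: ([\d.]+))?"', re.I)),
    ("WordPress", "body", re.compile(r"/wp-(?:content|includes)/", re.I)),
    ("Joomla", "body", re.compile(r'<meta name="generator" content="Joomla!(?: ([\d.]+))?[^"]*"', re.I)),
    ("Joomla", "body", re.compile(r"/media/jui/", re.I)),
    ("PHP", "header", re.compile(r"^x-powered-by: PHP/([\d.]+)", re.I | re.M)),
    ("nginx", "header", re.compile(r"^server: nginx(?:/([\d.]+))?", re.I | re.M)),
]


def fingerprint(headers: Dict[str, str], body: str) -> List[Fingerprint]:
    """Return one Fingerprint per detected technology, preferring rules that yield a version."""
    header_blob = "\n".join(f"{name}: {value}" for name, value in headers.items())
    found: Dict[str, Fingerprint] = {}
    for tech, where, rx in SIGNATURES:
        match = rx.search(header_blob if where == "header" else body)
        if not match:
            continue
        version = match.group(1) if rx.groups else None
        current = found.get(tech)
        # A later rule only replaces an earlier hit if it adds a version we did not have.
        if current is None or (current.version is None and version is not None):
            found[tech] = Fingerprint(tech, version, match.group(0)[:80])
    return sorted(found.values(), key=lambda fp: fp.technology)


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '5.2.3' into (5, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def affected_by(fp: Fingerprint, technology: str, fixed_in: str) -> Optional[bool]:
    """True/False when the fingerprint decides the question, None when the version is unknown.

    The unknown case is deliberately not reported as vulnerable: a generator tag without a
    version is not evidence of an old release, and flagging it would be a false positive."""
    if fp.technology != technology:
        return False
    if fp.version is None:
        return None
    return version_key(fp.version) < version_key(fixed_in)


# Constructed HTTP response for the example, not captured from a real site.
SAMPLE_HEADERS = {"Server": "nginx", "X-Powered-By": "PHP/7.2.24", "Content-Type": "text/html"}
SAMPLE_BODY = """<!doctype html><html><head>
<meta name="generator" content="WordPress 5.2.3" />
<link rel="stylesheet" href="/wp-content/themes/twentynineteen/style.css">
</head><body>hello</body></html>"""

# Made-up threshold for the example ("WordPress before 5.2.4"); not a real advisory reference.
HYPOTHETICAL_FIXED_IN = "5.2.4"


def scan_sample() -> Dict[str, Optional[str]]:
    """Technology -> version as detected on the constructed sample response."""
    return {fp.technology: fp.version for fp in fingerprint(SAMPLE_HEADERS, SAMPLE_BODY)}


if __name__ == "__main__":
    for fp in fingerprint(SAMPLE_HEADERS, SAMPLE_BODY):
        print(fp)
        if fp.technology == "WordPress":
            print("  below hypothetical fix version:", affected_by(fp, "WordPress", HYPOTHETICAL_FIXED_IN))
```

Rules are ordered so that the most specific evidence (a generator tag carrying a version) wins over a path hint such as `/wp-content/`, and the version comparison is done on integer tuples so that `5.10` is not sorted below `5.9`.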

We also guide researchers towards specific vulnerabilities that we think will affect our users. It could be a vulnerability that we know exists but do not have a proof of concept for, which is the case for some Common Vulnerabilities and Exposures (CVE) entries. You do not have to be the original researcher to submit something to the Crowdsource bug bounty program: if you come across a vulnerability online and we have not yet implemented it, we will gladly accept a detailed and well-defined proof of concept.

Bug bounties aren’t just for bug bounty hunters

We are not only looking for full-time bug bounty hunters to join the community. Pentesters, security-interested developers, and security hobbyists are welcome as well. We need diverse skill sets in our network to have a significant impact.

So what are you waiting for? Take our challenge and find out if you have what it takes to join our mission of fixing the Internet!

Apply to be a part of Disposable mail Crowdsource at https://cs.detectify.com/apply.

“To be honest, what I like the most is to see what modules other researchers are submitting. It pushes me to be a better researcher. For example, sometimes I see modules on frameworks that I’ve tested before. So seeing something new on it makes me think ‘how did I miss that? How could I have found that?’ And then I attempt to reproduce it.” – JR0ch17, member of Disposable mail Crowdsource 


Disposable mail collaborates with ethical hackers to crowdsource security research from the forefront of the industry, so you can check for 2000+ common vulnerabilities. Our testbed includes the OWASP Top 10, security misconfigurations and subdomain takeovers submitted by the Disposable mail Crowdsource community. Try or buy Disposable mail. Sign up today for a 14-day free trial.

Google rewards 100,000$ in bug bounty prize! – Disposable mail news


Google has awarded a $100,000 prize to Dutch researcher Wouter ter Maat for vulnerabilities found in Google Cloud Shell, part of the Google Cloud Platform (GCP).

Ter Maat received the $100,000, Google’s very first annual Cloud Platform bug bounty prize, for a clever container escape he found while searching for bugs in Cloud Shell.

Google also announced that it will increase the payouts for the annual Google Cloud Platform prizes in its Vulnerability Reward Program (VRP). It will offer prizes to the top six vulnerability reports in GCP products submitted in 2020, with first place winning $313,337 and sixth place $1,000. To be eligible, bug hunters must submit a public write-up of at most 31,337 words.

The bug

Google Cloud Shell is an interactive shell environment for Google Cloud Platform: a Linux environment with a browser-based front end that lets administrators manage resources in the Google Cloud Platform.

Ter Maat noticed several issues in Cloud Shell, in the way it interacts with resources and in its authentication.

“When the Cloud Shell instance is done starting a terminal window is presented to the user,” ter Maat wrote in his write-up published in December. “Noteworthy is the fact that the gcloud client is already authenticated. If an attacker is able to compromise your Cloud Shell, it can access all your GCP resources.”

After launching Cloud Shell the researcher could connect to resources, and since very few processes were running he examined the file system, worked out that he was inside a container, escaped it and gained access to the full host.
“I noticed that there were two Docker UNIX sockets available,” explained ter Maat. “One in ‘/run/docker.sock’, which is the default path for our Docker client running inside the Cloud Shell (Docker inside Docker); the second one in ‘/google/host/var/run/docker.sock.’”

“This second socket was revealed to be a host-based Docker socket, as indicated by its pathname. Anyone who can communicate with a host-based Docker socket can easily escape the container and gain root access on the host at the same time,” the researcher noted, adding that he could do that just by writing a quick script.

“After running it you will find that all containers inside the pod will automatically reboot. Now all containers run in privileged mode,” said ter Maat.

Researchers say that if malicious actors gain control of privileged containers, the possibilities for abuse are seemingly endless: they can inspect software and exploit its vulnerabilities, rewrite code, run coin miners that are effectively hidden, and much more.
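To make the risk concrete, here is an added example, written for this page and not ter Maat’s script or anything from Google, of the two checks a practitioner would want: from inside a container, look for Docker sockets at the paths the write-up mentions, and on a host, audit `docker inspect` output for containers that bind-mount the daemon socket or run privileged. The container names and the inspect JSON are constructed sample data; the candidate socket list is illustrative.

```python
import json
import os
import stat
from typing import Callable, Dict, List

# Paths to probe from inside a container: the Docker default plus the two paths
# ter Maat found in Cloud Shell. Illustrative, not an exhaustive list.
CANDIDATE_SOCKETS = [
    "/var/run/docker.sock",
    "/run/docker.sock",
    "/google/host/var/run/docker.sock",
]


def is_unix_socket(path: str) -> bool:
    """True only for an existing UNIX-domain socket (a plain file named docker.sock is not one)."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def find_docker_sockets(candidates: List[str],
                        is_socket: Callable[[str], bool] = is_unix_socket) -> List[str]:
    """Candidate paths that are live sockets; `is_socket` is injectable so this runs offline."""
    return [path for path in candidates if is_socket(path)]


def audit_containers(inspect_json: str) -> List[Dict[str, str]]:
    """Flag containers that run privileged or bind-mount a Docker socket from the host.

    Input is the JSON array printed by `docker inspect <container>...`. A read-only bind
    mount of the socket is still flagged: connecting to a socket is not a filesystem write,
    so the full daemon API is usable through an `:ro` mount."""
    findings: List[Dict[str, str]] = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        host_config = container.get("HostConfig", {})
        if host_config.get("Privileged"):
            findings.append({"container": name, "issue": "privileged",
                             "detail": "HostConfig.Privileged is true; host devices are reachable"})
        for mount in container.get("Mounts", []):
            source = mount.get("Source", "")
            if mount.get("Type") == "bind" and os.path.basename(source) == "docker.sock":
                mode = "rw" if mount.get("RW", True) else "ro"
                findings.append({"container": name, "issue": "docker-socket-mount",
                                 "detail": f"{source} at {mount.get('Destination')} ({mode}); "
                                           "the daemon can start a privileged container on the host"})
    return findings


# Constructed `docker inspect` output for three hypothetical containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web-data/_data",
                 "Destination": "/data", "RW": True}]},
    {"Name": "/ci-builder", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": False}]},
    {"Name": "/agent", "HostConfig": {"Privileged": True}, "Mounts": []},
])


if __name__ == "__main__":
    print("sockets visible here:", find_docker_sockets(CANDIDATE_SOCKETS))
    for finding in audit_containers(SAMPLE_INSPECT):
        print(f"{finding['container']}: {finding['issue']}: {finding['detail']}")
```

Run the first function inside a shell you suspect is containerised and the second on a host with `docker inspect $(docker ps -q) | python3 -c 'import sys, audit; print(audit.audit_containers(sys.stdin.read()))'` (module name assumed). Either hit is a host-compromise path, which is why the ro flag on a socket mount is not treated as a mitigation.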


How I hacked Facebook and received a $3,500 USD Bug Bounty – 10 minute mail

Find out how our Security Researcher Frans Rosén hacked Facebook and found a stored XSS for which he received a bug bounty reward. 

I recently found a Stored XSS on Facebook, which resulted in a Bug Bounty Reward. If you want to know how an XSS could be exploited, you can read my colleague Mathias’ blog post about it. Anyway, here’s how it went down.

I was actually working on finding flaws in Dropbox to begin with. I noticed that when using their web interface there were some restrictions on which filenames were allowed. If you tried to rename a file to, for example:

'">.txt

it was not possible. You got this error:

[Screenshot: Dropbox error message]

But if you instead connected a local directory, created a file there and synced it, it ended up in Dropbox without any problems. Using this method I found two issues with their notification messages showing unescaped filenames. I reported these to Dropbox, they patched them really fast, and I was placed on their Special Thanks page for the responsible disclosure.

It didn’t end there. While testing this on Dropbox, I also tried to figure out how the issue could be chained with other services. I noticed their Facebook connection and got curious about how it worked. It turned out they had a pretty nice function going on there:

“Dropbox has teamed up with Facebook so that you can do cool things like add files from Dropbox to your Facebook groups or send shared folder invitations to your Facebook friends.”

Nice! I created a group and found the connection using the “Add File” icon on the group wall:

[Screenshot: Facebook “Add File”]

I selected the file I had synced to Dropbox, called '">.txt, and shared it. Nothing awesome happened except the file being shared.

But then I clicked the Share link on the entry.
[Screenshot: stored XSS in the Share popup]

BAM! The title of the entry was not escaped correctly and the stored XSS fired. Using files in my Dropbox I could inject script code that was executed on Facebook.com.

I reported this to Facebook directly through their Whitehat vulnerability reporting system, told them it was urgent and explained how I got it to execute. At that time the issue only affected the Share popup inside the Group page and could only be triggered with user interaction; serious or not, it clearly did not affect all users on Facebook.

At the same time I started looking at the URL of this Share popup:
https://www.facebook.com/ajax/sharer/?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first
This URL did not work if you tried it stand-alone. That was good: the XSS looked like it could only be triggered with user interaction. But then I started googling and found that you could create a Share URL using this format: https://www.facebook.com/sharer/sharer.php?

So I changed my URL to that format:
https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first

BAM again! If you were logged in to Facebook, the code executed as soon as you visited the link. Bad. Really bad. I emailed Facebook again, explaining that the XSS could be triggered just by visiting a link.

I also tried to find out whether I could get other services to behave the same way. Dropbox and Facebook had this special connection, so I was curious whether the issue was isolated or could be reproduced with another service.

I went to Pinterest and created a Pin named:

'">

and shared it on Facebook using my test account. I pressed the Share button on it:

[Screenshot: stored XSS via the Share button]

I was amazed – it had the same issue.

Facebook replied, asking how I had managed to place files on Dropbox with that filename. I explained how it was done and also told them that the service you shared from did not matter: it was a general escaping issue that created a vulnerable vector on the Share page.

They responded that it was indeed the same issue and that they would look into it ASAP.

In the meantime, I tried the link on different devices. On my iPhone the XSS did not execute: as soon as I visited the page I was redirected to https://m.facebook.com, and that page did not have the same issue. But I also realized that you could force Facebook to skip the redirect with a parameter called m2w, so by appending it to the URL:
https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first&m2w
I could trigger the XSS on both mobile devices and desktop. Another email to Facebook.

One day later I noticed that the POC link no longer worked; it was finally patched. I told them I could not reproduce it any more and that it looked fixed.

One day later I got this email:
[Screenshot: email from Facebook]

Nice one!

Date range:

  • Initial report and the POC-link executing the XSS just by visiting: Dec 22
  • Explained the Dropbox-syncing and extended the scope regarding services and devices: Dec 27
  • Vulnerability fixed: Dec 28
  • Received message about the Bug Bounty: Dec 29
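The pattern in this post, an input filter at one entry point (the web rename form) and raw interpolation at the point of output (the Share popup), is shown below as an added example in Python; it is not Facebook’s or Dropbox’s code. The blocklist, the two template strings, the second ingestion path and the payload, which extends the post’s '"> with a script tag, are all constructed for the example.

```python
import html
import re
from html.parser import HTMLParser
from typing import List

# Characters the hypothetical web rename form refuses (constructed rule; not Dropbox's list).
WEB_RENAME_BLOCKLIST = re.compile(r"""[<>"'\\/:]""")

# The post's '">.txt with a script tag appended, so the effect of the missing escaping is visible.
PAYLOAD = "'\"><script>alert(1)</script>.txt"


def web_rename_allowed(filename: str) -> bool:
    """The client-facing rename check. It never sees files that arrive via desktop sync."""
    return WEB_RENAME_BLOCKLIST.search(filename) is None


def store_filename(filename: str, via: str) -> str:
    """Two ingestion paths into one store: 'web' validates, 'sync' does not (the bypass in the post).
    Returns the name exactly as it will later be rendered."""
    if via == "web" and not web_rename_allowed(filename):
        raise ValueError("rejected by web rename form")
    return filename


def share_dialog_unsafe(title: str) -> str:
    """VULNERABLE: interpolates the title raw, trusting that some upstream path validated it."""
    return f'<a href="/share" title="{title}">Share {title}</a>'


def share_dialog_safe(title: str) -> str:
    """Hardened: encode at the point of output, for both the attribute value and the text node."""
    encoded = html.escape(title, quote=True)  # & < > " and ' become entities
    return f'<a href="/share" title="{encoded}">Share {encoded}</a>'


class _TagCollector(HTMLParser):
    """Records every start tag a browser would see in the rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered: str) -> List[str]:
    """Start tags other than the single <a> the template intends to emit."""
    collector = _TagCollector()
    collector.feed(rendered)
    return [tag for tag in collector.tags if tag != "a"]


if __name__ == "__main__":
    stored = store_filename(PAYLOAD, via="sync")  # the web path would have refused it
    print("unsafe:", share_dialog_unsafe(stored))
    print("  extra tags:", injected_tags(share_dialog_unsafe(stored)))
    print("safe:  ", share_dialog_safe(stored))
    print("  extra tags:", injected_tags(share_dialog_safe(stored)))
```

The point of the two render functions side by side is that the fix belongs at the output, not at the input: the rename form’s blocklist is irrelevant to a name that arrived through sync (or, as in the post, from Pinterest), whereas `html.escape` at render time neutralises the title regardless of where it came from.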

Frans Rosén, Security Advisor

 


Disposable mail is a fully automated web security scanner created by some of the world’s best ethical hackers. Give our free trial a whirl and check your website for vulnerabilities like Cross-site scripting »


Disposable mail’s Frans Rosén #2 on HackRead’s 10 Famous Bug Bounty Hunters of All Time – 10 minute mail

Disposable mail’s knowledge advisor Frans Rosén has worked in security research for many years and is a top-ranked participant in bug bounty programs, having received the highest bounty payout ever on HackerOne.

Frans is also a frequent blogger at Disposable mail Labs, where he writes about his security research. He speaks at security events, raising awareness about information security and sharing his experience as a white hat.

Last week, we were happy to see that HackRead featured Frans on their list of 10 Famous Bug Bounty Hunters of All Time, along with security researchers like Roy Castillo, Emily Stark and Shubham Shah.

See the full list of Hackread’s 10 famous bounty hunters here. 

 

IT Security FAQ 5: What is White Hat vs Black Hat hacking? And what is a bug bounty hunter/program? – 10 minute mail

Comparing White Hat to Black Hat hacking is a bit like comparing the good guys to the bad guys. White Hat hackers look for vulnerabilities and report them, whereas Black Hat hackers have a more mischievous agenda; they are the guys you usually see in the movies hacking a bank and stealing money. White Hat hackers are the people working to make the world a safer place, like your favorite team of hackers at Disposable mail!

Comment from our expert:
“White Hat hackers are security consultants and good-hearted people that find vulnerabilities on sites and services and report them to the company to prevent them from being hacked in the future. Many companies offer “Bug Bounty Programs” where they ask White Hat hackers to try and hack their sites in order to find loopholes, and in return they get a cash award for it.”

“The bigger the security breach they find, the more money the company is willing to pay. Hackers looking for those kinds of bugs and vulnerabilities on sites to get those kinds of awards are referred to as Bug Bounty Hunters,” explains Johan Edholm at Disposable mail.

Want more IT security information? Don’t miss out on the other parts of our IT Sec FAQ series!

Meet the Hacker: Yasin Soliman “The bug bounty community motivates me hugely” – 10 minute mail

One of our latest Disposable mail Crowdsource hackers is Yasin Soliman, a bug bounty hunter from the UK who has been passionate about IT security since a young age. He was our most active researcher in September, so we decided to learn more about the guy behind the 23 submissions (!). We asked Yasin about his interest in security, the first bug he ever reported, and his role models in the security community.

Tell us a little about yourself; who are you, what do you work with and when did you start hacking?

My name is Yasin “ysx” Soliman, and I’m from the UK. Since a young age I’ve had a passion for information security, but I first became familiar with security research and bug bounty programs back in late 2015.

Driven by the pervasiveness of online technologies, I soon gravitated towards web application security, and six months later filed my first bug report.

Tell us about the first bug you reported.

The first bug I reported was in a HackerOne public program. After thoroughly reviewing the target’s client-side code, I happened across a set of interesting directories intended for the organisation’s customer support team. Further inference led to the discovery of several ‘homemade’ endpoints for support tickets, which led to the disclosure of user submission data. The issue was promptly triaged and remediated in under six hours.

What are your experiences with Bug bounty programs?

I signed up for a profile on HackerOne and Bugcrowd back in December 2015, but struggled to land my first submission for several months.

Over time, I developed awareness of different vulnerability classes and how to compose effective reports, in addition to researching on the Google VRP and other non-platform targets. On that note, I’d strongly recommend having a read of the HackerOne guide on this topic if you’re getting started.

During the course of May this year, I entered the Synack Red Team screening process for web application researchers and proceeded to pass the assessment phases. It wasn’t possible to proceed at that time due to a personal situation, but I look forward to commencing work with Synack in the months ahead.

What motivates you in your bug bounty hunting?

The bug bounty community motivates me hugely. To be part of such a supportive and inclusive network of researchers has a profound effect on my research outcomes. The challenge and thrill of bug bounty hunting, ability to develop income, and opportunities for skill development are definitely motivating factors too.

Do you have any role models in the bug bounty community?

Every day I come across incredible case studies, findings, and writeups. It’s hard to name a few! I frequently follow the research of Frans Rosén, Masato Kinugawa, Ruby Nealon, Jack Cable, Inti De Ceukelaire, Sean (zseano), Ben Sadeghipour, and James Kettle.

Your favorite source for the latest security research?

Nowadays I come across a large portion of research over Twitter, reading researchers’ blog posts (like those above) and the latest news from bug bounty platforms. In addition, the Full Disclosure mailing list often contains informative content.

You have been a very valuable researcher on Disposable mail Crowdsource and have submitted many high-quality modules. How come?

After being accepted into the Crowdsource program, I came to strongly value the innovative platform model and emphasis on creativity. Having the opportunity to build proof-of-concept modules for well-known systems – such as WordPress and Joomla – means that customers can benefit from continuously automated discovery. I enjoy working with the Crowdsource team to investigate new apps, plugins, and tools – especially focusing around bypasses, XSSes of various classes and other logic issues.

What makes Crowdsource different from other bug bounty programs from your perspective?

In my view, Crowdsource helps you conduct research with a wider-reaching approach. After finding a vulnerability in a commonly used system, the Crowdsource team help develop your proof-of-concept into a scanner module. For every detection picked up by the continuous Disposable mail scanner, you receive a reward based on the severity and impact of the bug, and can compete with the Crowdsource community on the Leaderboard.

Find out more about Yasin
Twitter: https://twitter.com/SecurityYasin
Personal site: https://ysx.me.uk

Are you interested in joining Yasin and other security researchers on Disposable mail Crowdsource? Drop us an email at hello [at] detectify.com and we’ll tell you more, or check out this blog post where we explain what we look for in a Disposable mail Crowdsource hacker.


Guide to Responsible Disclosure and Bug Bounty – 10 minute mail

Responsible disclosure is the foundation of ethical hacking. When Disposable mail employees give talks about what we have learned from hacking well-known companies like Google and Slack, people get confused. Is hacking even legal? What do the companies say when you hack them? Are you going to get sued for going public with a vulnerability you found on Facebook? It all boils down to a policy called Responsible Disclosure, and a monetary reward system called Bug Bounty. We have gathered 10 frequently asked questions about responsible disclosure and bug bounties and explain how it all works.

What does Responsible Disclosure mean?

The concept is exactly what the name suggests; it is a responsible way of disclosing vulnerabilities. When a company implements a Responsible Disclosure Policy, it means that they allow freelance ethical hackers to find and report vulnerabilities to them. It’s a way of saying “It’s okay for you to hack us and report the vulnerabilities that you find on our website. We will not press charges or call the police when we receive your report, but we appreciate your efforts and will act on your findings as long as you do your research in a responsible and ethical way.”

What is the difference between Responsible Disclosure and Bug Bounty?

Responsible Disclosure opens the door for ethical hackers to find and report vulnerabilities to you. Bug Bounty, on the other hand, means offering monetary compensation to the ethical hackers who find vulnerabilities. The monetary reward is often based on the severity of the vulnerability, i.e. a typical “Game Over”-vulnerability like Remote Code Execution often pays more than a “simpler” vulnerability.

“How much do you have to pay if you have a Bug Bounty program?” might be your next question. Again, there are no standards to follow here, but a good idea is to go through existing programs for inspiration and benchmarks. One recommendation is to rate the different types of vulnerabilities and pay the most for the most critical ones. A more experienced and skilled researcher will strategically go for the Bug Bounty programs that pay more, and budget expectations increase with the size of the company: a security researcher will not have the same payout expectations of a local online store as of large brands like Airbnb or Uber.

How do you set up a Responsible Disclosure policy?

1) Before launching a Responsible Disclosure policy, discuss the initiative internally so that everyone involved knows what it means and how it will affect them. Then decide which sites are in scope, i.e. what you would like security researchers to investigate. For example, you might host content with a third-party provider, which means you cannot access their source code and fix the vulnerabilities yourself; you can only ask the researcher to get in touch with them. Or you might have support pages or blogs that should be out of scope, since the consequences would be limited even if they were compromised. Determine what is in scope, how vulnerabilities should be reported, who handles the reports, and what the response process should look like.

2) Set up a page called Responsible Disclosure, Report Vulnerabilities or similar. Describe which pages are in scope, what types of vulnerabilities can be reported and how researchers should report them.

Here are a couple of examples of what a Responsible Disclosure page could look like:

Tesla’s responsible disclosure page (screenshot)

Disposable mail’s responsible disclosure page (screenshot)


3) Set up an easy way for security researchers to contact the right person at your company. You can use [email protected], but decide who will receive the emails so that they do not fall between the cracks or get forwarded to employees who should not get their hands on potentially very sensitive information (more about this under “Common mistakes”).

4) Decide whether you are going to hand out a so-called “bounty” as a token of appreciation. You can, for example, reward the ethical hacker with money or a t-shirt with a handwritten thank-you note. Hackers also appreciate updates on the status of their vulnerability report.

Frans Rosén at Säkerhetsdagen

Photo: Martin Fältström
Disposable mail’s Frans Rosén says he has never received as many t-shirts as when he started with ethical hacking. It is a common misconception that most ethical hackers are driven only by money; recognition and appreciation are two other important drivers.

What companies use Responsible Disclosure?

Google, PayPal and other US-based tech companies were early adopters of Responsible Disclosure and Bug Bounty programs. Today the trend has spread, and more and more companies of different kinds are opening up to help from the ethical hacker community.

In Sweden, where Disposable mail is based, several Scandinavian banks such as Danske Bank, Swedbank and Avanza have recently set up Responsible Disclosure policies.

Swedbank’s responsible disclosure page (screenshot)

Many mistake Responsible Disclosure and Bug Bounty for something that only benefits the private sector, but even government agencies like the US Army, the US Air Force and the Pentagon (!) have opened up limited-time bug bounty programs together with platforms like HackerOne. Several Disposable mail security researchers were invited to exclusive hacking events organised by government agencies, which shows that the shift in security mindset is not limited to the private sector. The main reason is that bug bounty programs pay off: when 1,410 ethical hackers were invited to hack the Pentagon, the first bug was reported after only 13 minutes.

Mathias Karlsson, one of Disposable mail’s founders, along with Frans Rosén, Disposable mail Security Advisor, at Hack the Air Force in New York (photo by HackerOne)

Who do Responsible Disclosure and Bug Bounty programs attract?

Ethical hackers, white-hat hackers, security researchers or good hackers. That is, people with an interest in security who want to help companies and/or earn money legally.

The opposite of white-hat hackers are black-hat hackers who look for vulnerabilities in order to blackmail companies, access corporate secrets, or steal sensitive customer data such as credit card information.

What are the risks associated with Responsible Disclosure?

Unsurprisingly, this is a question we hear very often when we talk about ethical hacking. The thought of opening the door and allowing hackers to find security issues can sound intimidating.

Our recommendation is to use legal advisers to map out any legal risks specific to your case, but here are some important points that might help:

1) Responsible disclosure is all about proving that there is a vulnerability on your site – not exploiting it. The standard guideline is to stop digging immediately after obtaining a “proof of concept”. The ethical hacker should never, ever use the vulnerability to harm the company for their own gain. Remember to formulate your guidelines as explicitly as you can on your Responsible Disclosure page. If a hacker were to ignore the guidelines, this could lead to legal consequences.

Of course, there have been incidents that could be placed in a grey zone, but such situations are usually the result of unclear policies. One well-known example is the One Million Bug incident a few years ago where a security researcher, according to Facebook, went too far in his frustration when Instagram acted too slowly on the bug he had reported.

2) A Responsible disclosure policy should also state that the security researcher should not publicly disclose a vulnerability before it is fixed. If a security flaw is disclosed before it is patched, other hackers could learn about it and use it for malicious purposes.

3) Keep in mind that every skilled security researcher is pretty confident that a black-hat hacker, if they have put their mind to it, will be able to access your systems. By aligning yourself with the security community that is able to keep up with the latest hacker knowledge and attack methods, you can get help and expertise that you cannot find anywhere else.

4) A problem you might run into is people reporting vulnerabilities that are not really an issue, or that are found on websites that are out of scope, and claiming a bounty for them (this is sometimes referred to as a “beg bounty”). Make sure to set up a proper Responsible Disclosure page, and refer them to that information.

5) As a developer, it is almost impossible to keep up with all the latest security bugs manually. If Google, Facebook and PayPal are unable to do it, why would your department succeed? Using external help in the form of crowdsourced and automated security or Responsible Disclosure is a must in a world where technology and black-hat hacker methods are ever-changing.
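As an added example (not part of the original post), the machine-readable companion that most teams publish alongside a Responsible Disclosure page is a security.txt file as specified in RFC 9116, served at /.well-known/security.txt. The domain, e-mail address and URLs below are placeholders; the Policy link is where the scope, the stop-at-proof-of-concept rule and the no-disclosure-before-fix rule from the points above belong, and Acknowledgments is where a Security Hall of Fame would be linked.

```text
# Served at https://example.com/.well-known/security.txt  (example.com is a placeholder)
# Field names follow RFC 9116; Contact and Expires are the two mandatory fields.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://example.com/security/pgp-key.txt
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en, sv
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/responsible-disclosure
```

Keep the Expires date no more than a year out and refresh it, since an expired file signals an unmonitored inbox, which is exactly the “no one responds” mistake described later on this page. RFC 9116 also recommends serving the file over HTTPS and, optionally, wrapping it in an OpenPGP cleartext signature so a reporter can verify it has not been tampered with.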

What is a Security Hall of Fame?

Ethical hackers are often driven by recognition. A Security Hall of Fame is a great way to reward ethical hackers who report vulnerabilities to you, and it also works as a nice motivator for other ethical hackers to surpass the currently listed ones. It is a good option for companies that do not wish to reward security researchers with money.

Setting up a Security Hall of Fame is simple. You simply list the hackers who reported the most serious vulnerabilities to you with their name, social media handle and image.

Check out Spotify’s Hall of Fame, where Disposable mail’s Frans Rosén is listed!

Will the ethical hacker automatically be allowed to go public with the vulnerability as soon as it is patched by the affected company?

No, not necessarily. We usually encourage information sharing as the community’s development depends on researchers sharing knowledge and detailed write-ups. If your patched vulnerability is the subject of a security write-up, this does not mean your brand is not trustworthy. It shows that your company encourages transparency, values security, and can participate in the discussion in a forward-thinking way.

When it comes to disclosure, it is up to you to decide how to set it up. Many companies do not allow the researcher to write about the finding at all, but you can also choose so-called full disclosure or partial disclosure, where not all the technical details are published.

Slack’s quick response to a vulnerability report was praised in the media. This article from The Register is just one example.

As mentioned above, security flaws do not have to lead to negative PR. An awesome example is when Disposable mail’s Frans Rosén hacked internal messaging tool Slack in 2017, and discovered a method that could give him access to all internal communication. Slack’s CISO responded to his report immediately and within 5 hours on a Friday night (!) the bug was patched. When we, with Slack’s permission, wrote about the event and the media picked up the news, the articles were extremely positive, and Slack were praised for their transparency and quick response time.

Why would an ethical hacker report a vulnerability even if they don’t get paid?

Disposable mail was founded by a group of top-ranked white-hat hackers who have reported hundreds, if not thousands, of vulnerabilities, spent hours finding a way to contact the person in charge, and made countless follow-ups to ensure the vulnerability is fixed. We asked them the following question: “What drives you to keep doing this, even if you are not paid for it?”

“I’m striving for perfection,” says Fredrik, 27, Disposable mail founder and an ethical hacker who is listed on countless Security Halls of Fame and has been named Security Expert of the Future by Symantec. “I want systems to be perfect. When I use a system or visit an application, I want it to work flawlessly. When it does not, I want to help; I want to get the technology on the internet to work without bugs.”

“Just like a painter will notice a badly painted hall, or a designer will notice things they would have done differently in an ad, an IT security-minded person will notice errors or vulnerabilities in your system – whether or not they want to. It’s just there in front of us, and it makes no sense to shut the door when you can allow us to help you,” says our security researcher Linus, 18, who started his career by hacking Google legally through Responsible Disclosure at the age of 14. He claims that Google’s positive response and bug bounty program have contributed enormously to developing his security interests.

Hear more from the 100+ ethical hackers Disposable mail works with through our Crowdsource platform, and learn what drives and motivates them.

What are common mistakes companies make when implementing Responsible Disclosure?

Keep in mind that the security community is busy, both internationally and locally, and rumors about companies that make mistakes spread rapidly. A very common mistake is that no one responds to the reports even though the company has a responsible disclosure page. Another mistake companies make is to neglect fixing the vulnerabilities reported by researchers. From the perspective of an ethical hacker, this makes a company less attractive and the hacker is unlikely to look for vulnerabilities on their site again. If you implement a responsible disclosure policy, it is important to do it properly and prove that you take security seriously.

How does Disposable mail work with this?

1) Our own Responsible disclosure and Security Hall of Fame
Even though we are founded by ethical hackers who have found critical vulnerabilities in most known tech brands, we are well aware that internal competence is not enough. We have our own responsible disclosure program and Security Hall of Fame and encourage you to report any vulnerabilities, flaws and bugs you come across on our website.

2) We are from the white-hat hacker community
Our story started in the white-hat hacker community and we still work closely with ethical hackers to keep our scanner up to date.

3) Our tool is powered by 100+ ethical hackers
The handpicked security researchers in our platform constantly report their latest findings to us, making sure Disposable mail covers more programming languages and technologies than ever before. Here’s a 1.5-minute video explaining how we work with the world’s best white-hat hackers.

Disposable mail is a web security scanner that performs fully automated tests to identify security issues on websites. Our global network Disposable mail Crowdsource allows us to work side by side with the white-hat hacker community. When researchers submit newly discovered exploits, we incorporate them into Disposable mail’s automated security service. Every time a reported issue is found on any of our customers’ websites, the researcher is rewarded. Are you interested in joining? Drop us an email: crowdsource [at] detectify.com and we’ll tell you more.


Temp Mails (https://tempemail.co/) is a new free temporary email address service. This service provides you with random 10-minute email addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Bug Bounty and Automation make a formidable pair together

It takes more than one security tool to keep an organization or web applications secure against vulnerabilities. Bug bounty programs and automated security scanning are two growing areas in cybersecurity used by many companies today. In this article, we look at how bug bounty programs and automation complement one another to deliver better web application security.

Get the best of both options
Many have already heard of a bug bounty program or automated web security, and may even be running one as part of their security strategy. A bug bounty program invites ethical hackers to report security vulnerabilities on the company’s websites in exchange for a reward, which is often monetary. Automated scanners like Disposable mail are effective at doing a scheduled wide sweep across your web applications to check for common vulnerabilities.

At Disposable mail, the security tests built into our scanner are sourced from our internal team and Disposable mail Crowdsource network of 150+ white hat hackers. These two layers of security complement one another and leverage crowdsourced knowledge to provide improved coverage. We’ve highlighted a few advantages of combining bug bounty programs and automated security testing.

How Bug Bounty Programs and Automation Complement each other.

Maximize the value of your bug bounty program
Automated scanners are effective at auditing your web application security at a wide scope and for detecting low hanging fruit. This allows you to adjust the scope of your bug bounty programs as needed to key focal points. The automated solution can gather the common vulnerabilities like OWASP Top 10, while bug bounty hunters can go deeper into your code and deliver sophisticated hacks like ACME XSS or Upload Policies exploits. At Disposable mail, we have top-ranked ethical hackers on our teams, which means we are able to automate advanced research findings like the aforementioned into our tool.

Continuous coverage
Bug bounty programs have become a great asset to security teams in that they can get help from ethical hackers that’s tailored to their needs. Submissions may come during organized events, like with Bugcrowd or HackerOne, or throughout the year if there’s a public bug bounty program running. Some security teams implement automated security scanners to audit web application security on a weekly basis in between bug bounty events. This provides constant coverage and catches common flaws that are easily fixed by a developer in a dynamic scanning environment.

Encourage security awareness within the organization
When working with ethical hackers in bug bounty programs or a platform like Disposable mail Crowdsource, you get the vulnerabilities found, the proof of concept, as well as remediation tips. This provides security and developer teams with educational information on how to spot such issues, and can also set a preventative mindset.

Stay at the forefront of security
When a vulnerability submitted by a Disposable mail Crowdsource ethical hacker has been validated by our engineering team, we build it into our tool right away, making it available to all our customers at once. This ensures that knowledge is shared with our entire customer base. We update our tool bi-weekly, keeping all our customers at the forefront of security.

Scanning with an adjustable scope
With Disposable mail, you can set the scanner to check for 1000+ known vulnerabilities on your entire domain or on a specific path or subdomain. This can reduce duplicate reports of already-known bugs, and you can set your bug bounty scope to go after things not in the scope of the Disposable mail tool, often more complex bugs found deeper in a system. You can also include scanning behind login and check for subdomain takeovers with our domain monitoring service.

Vulnerabilities detected can be shared with developers
When Disposable mail lists the vulnerabilities found, this information is shown in the tool with guidance on where to find the code error, an explanation of each bug and remediation tips. This information is available to all users, which means security teams and developers can access the same information and vulnerabilities can be actioned once a scan is completed.

False Negatives found can be built in
If your bug bounty program finds a False Negative (a vulnerability the scanner missed), we can build a security test into the scanner using the Proof of Concept provided by the bug bounty hunters. Your scanner will then be set to monitor for the vulnerability going forward.

Disposable mail is an automated web application security scanner and we work with our Disposable mail Crowdsource community of 150+ ethical hackers to research security tests and improve our tool continuously. Are you ready to trial Disposable mail with your bug bounty program? Sign up for an account and scan with a free trial here.
