Page 40 - Hands-On Bug Hunting for Penetration Testers

Chapter 2: Choosing Your Hunting Ground

One possible third party in this arrangement is companies such as ZeroDisclo, which, as we mentioned earlier, is also associated with the European company YesWeH4ck (and BountyFactory). Here's an excerpt from ZeroDisclo's website describing their services:

    In constant contact with its community of security researchers, YesWeHack can testify that it is complex for a security researcher and therefore, for a whistle-blower to report security flaws in a coordinated way to impacted organizations. Especially if those organizations do not have a bug bounty program registered on BountyFactory.io.

    Discoverers of vulnerabilities often experience difficulties on how to report them to the organizations concerned without disclosing them to a third party and unfortunately direct contact with companies constitutes a legal risk.

    A long-time partner of the security research community through its founders, YesWeHack is proud to present https://zerodisclo.com/. This non-profit platform provides the technical means and the required environment for all to adopt the coordinated reporting of vulnerabilities commonly known as Coordinated Vulnerability Disclosure.

In this case, if a researcher found a serious vulnerability in a core internet service (that is, JavaScript) but didn't know who to report it to or (more likely) feared legal retribution from an affected company, they could visit ZeroDisclo, either over HTTPS or through Tor, and fill out a form describing the nature of their vulnerability and its technical details. ZeroDisclo would then vet the submission and report it to the affected parties while keeping the original discoverer of the vulnerability anonymous.

If you choose to do this, be careful, because you could be breaking program policy. The Internet Bug Bounty program, discussed in the preceding section, has a specific question in its FAQ dedicated to using third-party brokers:

    Can I report the bug to you via a third-party broker?
    No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the security team.

Make sure you consider all your options before submitting through a third-party broker. If you decide to use one, take preventive measures to stay anonymous, such as submitting through Tor, to protect yourself.
