Free Bugs Campaign

Transcript

1. View Slide

2. :
   -> @8ayac (Twitter/HackerOne/Flickr)
   2
   PSIRT (’18/04~)
   MBSD Cybersecurity Challenges (’17/’18)
   GitLab Bug Bounty Program - Hall of Fame 7 (2018)
   45
   BugHunt / (←New!)
   CWE
   CWE-79 / CWE-400
   Follow @8ayac 1
   

   View Slide

3. Follow @8ayac 2
   

   View Slide

4. Free Bugs Campaign
   Follow @8ayac 3
   

   View Slide

5. Free Hugs Campaign
   ※
   Follow @8ayac 4
   

   View Slide

6. View Slide

7. View Slide

8. Burp Pro
   Cy-PSIRT
   HackerOne
   Follow @8ayac 7
   

   View Slide

9. CVE-XXXX-XXXX …
   ( Burp Pro )
   Follow @8ayac 8
   

   View Slide

10. View Slide

11. Follow @8ayac 10
    

    View Slide

12. Follow @8ayac 11
    

    View Slide

13. View Slide

14. View Slide

15. Follow @8ayac 14
    

    View Slide

16. Follow @8ayac 15
    

    View Slide

17. + DEMO + α
    Stored XSS(1) - $0
    - $0
    Stored XSS(2) - $0
    Free Bugs Campaign
    Follow @8ayac 16
    

    View Slide

18. View Slide

19. OSS
    GitLab Issue Tracker
    /
    ✨
    Follow @8ayac 18
    

    View Slide

20. View Slide

21. Title: Issue Stored XSS
    Issue Type: XSS(CWE-79)
    Severity: High(7~8.9)
    Affected Versions:
    11.3.x < 11.3.1
    11.2.x < 11.2.4
    11.1.x < 11.1.7
    Report: https://hackerone.com/reports/384255
    Follow @8ayac 20
    

    View Slide

22. View Slide

23. https://github.com/gitlabhq/gitlabhq/commit/6d360c210d3d822fc266eecc04753481ae4bda70#diff-ebb2ac556337fa87bae1c9e999fca8cfR2
    Follow @8ayac 22
    

    View Slide

24. View Slide

25. Follow @8ayac 24
    

    View Slide

26. Follow @8ayac 25
    

    View Slide

27. Follow @8ayac 26
    

    View Slide

28. Follow @8ayac 27
    

    View Slide

29. GitLab Public Program
    10
    Follow @8ayac 28
    

    View Slide

30. Title:
    Issue Type: Information Exposure Through Browser Caching(CWE-525)
    Severity: Medium
    Affected Versions:
    11.4.x < 11.4.3
    11.3.x < 11.3.8
    11.2.x < 11.2.7
    Report: https://hackerone.com/reports/407763
    Follow @8ayac 29
    

    View Slide

31. View Slide

32. https://github.com/gitlabhq/gitlabhq/commit/782badd0a2cd00d2a9cbe591e78b30aca32e252b#diff-55c5b7aecfb519d0e4880eaf2788eb6e
    Follow @8ayac 31
    

    View Slide

33. View Slide

34. Follow @8ayac 33
    

    View Slide

35. Follow @8ayac 34
    

    View Slide

36. Follow @8ayac 35
    

    View Slide

37. Follow @8ayac 36
    

    View Slide

38. Follow @8ayac 37
    

    View Slide

39. Follow @8ayac 38
    

    View Slide

40. Follow @8ayac 39
    

    View Slide

41. Follow @8ayac 40
    

    View Slide

42. Follow @8ayac 41
    

    View Slide

43. Follow @8ayac 42
    

    View Slide

44. Public Program
    Private
    Follow @8ayac 43
    

    View Slide

45. Title: Stored XSS
    Issue Type: XSS(CWE-79)
    Severity: High
    Affected Versions:
    11.4.x < 11.4.3
    11.3.x < 11.3.8
    11.2.x < 11.2.7
    Report: https://hackerone.com/reports/409380
    Follow @8ayac 44
    

    View Slide

46. View Slide

47. Follow @8ayac 46
    

    View Slide

48. View Slide

49. View Slide

50. GitLab Public Program !
    !(Low $1000)
    : https://hackerone.com/gitlab/policy_versions?change=3597572#
    Follow @8ayac 49
    

    View Slide

51. Follow @8ayac 50
    

    View Slide

52. Follow @8ayac 51
    

    View Slide

53. Follow @8ayac 52
    

    View Slide

54. Follow @8ayac 53
    

    View Slide

55. Follow @8ayac 54
    

    View Slide

56. Follow @8ayac 55
    

    View Slide

57. Follow @8ayac 56
    

    View Slide

58. View Slide

59. View Slide

60. @zseano
    : Are you submitting bugs for free when others are being paid?...
    Follow @8ayac 59
    

    View Slide

61. Follow @8ayac 60
    

    View Slide

62. Private
    Private
    Researcher
    Follow @8ayac 61
    

    View Slide

63. Private
    Private
    Researcher
    Follow @8ayac 62
    

    View Slide

64. Free Bugs Campaign
    : Public Private
    Follow @8ayac 63
    

    View Slide

65. Follow @8ayac 64
    

    View Slide

66. Follow @8ayac 65
    

    View Slide

67. View Slide

68. $500
    ( )
    “Private Program”
    GitLab
    ( HackEDU)
    100
    Burp ( )
    Follow @8ayac 67
    

    View Slide

69. ☺
    

    View Slide