Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Free Bugs Campaign
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
8ayac
March 11, 2019
Technology
970
0
Share
Free Bugs Campaign
Burp Suite Japan LT Carnivalの登壇資料
8ayac
March 11, 2019
More Decks by 8ayac
See All by 8ayac
MBSD Cybersecurity Challenges 2018 最終審査会 発表スライド
8ayac
0
1.9k
MBSD Cybersecurity Challenges 2017 最終審査会 発表スライド
8ayac
0
650
Other Decks in Technology
See All in Technology
MySQL 9.7がやってきた ~これまでのあらすじと基本情報~ @ 日本MySQLユーザ会会2026年04月 / mysql97-yattekita
sakaik
0
150
Google Cloud Next '26 の裏でこっそりリリースされたCloud Number Registry & Cloud Hub コスト分析 を試してみた
hikaru1001
0
130
自動テストだけで リリース判断できるチームへ - 鍵はテストの量ではなくリリース判断基準の再設計にあった / Redesigning Release Criteria for Lightweight Releases
ewa
0
120
アクセシビリティはすべての人のもの
tomokusaba
0
170
20260428_Product Management Summit_tadokoroyoshiro
tadokoro_yoshiro
15
17k
要件定義の精度を高めるための型と生成AIの活用 / Using Types and Generative AI to Improve the Accuracy of Requirements Definition
haru860
0
230
これからの「データマネジメント」の話をしよう
sansantech
PRO
0
180
バイブコーディングで3倍早く⚪⚪を作ってみた
samakada
0
200
AgentCore Managed Harness を使ってみよう
yakumo
2
280
Shipping AI Agents — Lessons from Production
vvatanabe
0
300
20260423_執筆の工夫と裏側 技術書の企画から刊行まで / From the planning to the publication of technical book
nash_efp
3
690
社内エンジニア勉強会の醍醐味と苦しみ/tamadev
nishiuma
0
270
Featured
See All Featured
What does AI have to do with Human Rights?
axbom
PRO
1
2.1k
Optimizing for Happiness
mojombo
378
71k
So, you think you're a good person
axbom
PRO
2
2k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.9k
We Are The Robots
honzajavorek
0
220
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
ryanjones
0
130
Build your cross-platform service in a week with App Engine
jlugia
234
18k
Mobile First: as difficult as doing things right
swwweet
225
10k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
tammyeverts
2
280
Done Done
chrislema
186
16k
Being A Developer After 40
akosma
91
590k
エンジニアに許された特別な時間の終わり
watany
106
240k
Transcript
None
: -> @8ayac (Twitter/HackerOne/Flickr) 2 PSIRT (’18/04~) MBSD Cybersecurity Challenges
(’17/’18) GitLab Bug Bounty Program - Hall of Fame 7 (2018) 45 BugHunt / (←New!) CWE CWE-79 / CWE-400 Follow @8ayac 1
Follow @8ayac 2
Free Bugs Campaign Follow @8ayac 3
Free Hugs Campaign ※ Follow @8ayac 4
None
None
Burp Pro Cy-PSIRT HackerOne Follow @8ayac 7
CVE-XXXX-XXXX … ( Burp Pro ) Follow @8ayac 8
None
Follow @8ayac 10
Follow @8ayac 11
None
None
Follow @8ayac 14
Follow @8ayac 15
+ DEMO + α Stored XSS(1) - $0 - $0
Stored XSS(2) - $0 Free Bugs Campaign Follow @8ayac 16
None
OSS GitLab Issue Tracker / ✨ Follow @8ayac 18
None
Title: Issue Stored XSS Issue Type: XSS(CWE-79) Severity: High(7~8.9) Affected
Versions: 11.3.x < 11.3.1 11.2.x < 11.2.4 11.1.x < 11.1.7 Report: https://hackerone.com/reports/384255 Follow @8ayac 20
None
https://github.com/gitlabhq/gitlabhq/commit/6d360c210d3d822fc266eecc04753481ae4bda70#diff-ebb2ac556337fa87bae1c9e999fca8cfR2 Follow @8ayac 22
None
Follow @8ayac 24
Follow @8ayac 25
Follow @8ayac 26
Follow @8ayac 27
GitLab Public Program 10 Follow @8ayac 28
Title: Issue Type: Information Exposure Through Browser Caching(CWE-525) Severity: Medium
Affected Versions: 11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/407763 Follow @8ayac 29
None
https://github.com/gitlabhq/gitlabhq/commit/782badd0a2cd00d2a9cbe591e78b30aca32e252b#diff-55c5b7aecfb519d0e4880eaf2788eb6e Follow @8ayac 31
None
Follow @8ayac 33
Follow @8ayac 34
Follow @8ayac 35
Follow @8ayac 36
Follow @8ayac 37
Follow @8ayac 38
Follow @8ayac 39
Follow @8ayac 40
Follow @8ayac 41
Follow @8ayac 42
Public Program Private Follow @8ayac 43
Title: Stored XSS Issue Type: XSS(CWE-79) Severity: High Affected Versions:
11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/409380 Follow @8ayac 44
None
Follow @8ayac 46
None
None
GitLab Public Program ! !(Low $1000) : https://hackerone.com/gitlab/policy_versions?change=3597572# Follow @8ayac
49
Follow @8ayac 50
Follow @8ayac 51
Follow @8ayac 52
Follow @8ayac 53
Follow @8ayac 54
Follow @8ayac 55
Follow @8ayac 56
None
None
@zseano : Are you submitting bugs for free when others
are being paid?... Follow @8ayac 59
Follow @8ayac 60
Private Private Researcher Follow @8ayac 61
Private Private Researcher Follow @8ayac 62
Free Bugs Campaign : Public Private Follow @8ayac 63
Follow @8ayac 64
Follow @8ayac 65
None
$500 ( ) “Private Program” GitLab ( HackEDU) 100 Burp
( ) Follow @8ayac 67
☺
SiteGround - Reliable hosting with speed, security, and support you can count on.
8ayac
sakaik
hikaru1001
ewa
tomokusaba
tadokoro_yoshiro
haru860
sansantech
samakada
yakumo
vvatanabe
nash_efp
nishiuma
axbom
mojombo
reverentgeek
honzajavorek
ryanjones
jlugia
swwweet
tammyeverts
chrislema
akosma
watany
