Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Free Bugs Campaign
Search
8ayac
March 11, 2019
Technology
0
940
Free Bugs Campaign
Burp Suite Japan LT Carnivalの登壇資料
8ayac
March 11, 2019
Tweet
Share
More Decks by 8ayac
See All by 8ayac
MBSD Cybersecurity Challenges 2018 最終審査会 発表スライド
8ayac
0
1.8k
MBSD Cybersecurity Challenges 2017 最終審査会 発表スライド
8ayac
0
550
Other Decks in Technology
See All in Technology
サンドボックス技術でAI利活用を促進する
koh_naga
0
200
現場で効くClaude Code ─ 最新動向と企業導入
takaakikakei
1
240
2025年夏 コーディングエージェントを統べる者
nwiizo
0
140
これでもう迷わない!Jetpack Composeの書き方実践ガイド
zozotech
PRO
0
320
Android Audio: Beyond Winning On It
atsushieno
0
110
AWSを利用する上で知っておきたい名前解決のはなし(10分版)
nagisa53
10
3.1k
Obsidian応用活用術
onikun94
2
480
Practical Agentic AI in Software Engineering
uzyn
0
100
品質視点から考える組織デザイン/Organizational Design from Quality
mii3king
0
200
20250903_1つのAWSアカウントに複数システムがある環境におけるアクセス制御をABACで実現.pdf
yhana
3
550
未経験者・初心者に贈る!40分でわかるAndroidアプリ開発の今と大事なポイント
operando
5
370
大「個人開発サービス」時代に僕たちはどう生きるか
sotarok
20
9.9k
Featured
See All Featured
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.7k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
285
13k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
8
520
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
6k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.9k
How to train your dragon (web standard)
notwaldorf
96
6.2k
The World Runs on Bad Software
bkeepers
PRO
70
11k
The Cult of Friendly URLs
andyhume
79
6.6k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
188
55k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
840
Fireside Chat
paigeccino
39
3.6k
GitHub's CSS Performance
jonrohan
1032
460k
Transcript
None
: -> @8ayac (Twitter/HackerOne/Flickr) 2 PSIRT (’18/04~) MBSD Cybersecurity Challenges
(’17/’18) GitLab Bug Bounty Program - Hall of Fame 7 (2018) 45 BugHunt / (←New!) CWE CWE-79 / CWE-400 Follow @8ayac 1
Follow @8ayac 2
Free Bugs Campaign Follow @8ayac 3
Free Hugs Campaign ※ Follow @8ayac 4
None
None
Burp Pro Cy-PSIRT HackerOne Follow @8ayac 7
CVE-XXXX-XXXX … ( Burp Pro ) Follow @8ayac 8
None
Follow @8ayac 10
Follow @8ayac 11
None
None
Follow @8ayac 14
Follow @8ayac 15
+ DEMO + α Stored XSS(1) - $0 - $0
Stored XSS(2) - $0 Free Bugs Campaign Follow @8ayac 16
None
OSS GitLab Issue Tracker / ✨ Follow @8ayac 18
None
Title: Issue Stored XSS Issue Type: XSS(CWE-79) Severity: High(7~8.9) Affected
Versions: 11.3.x < 11.3.1 11.2.x < 11.2.4 11.1.x < 11.1.7 Report: https://hackerone.com/reports/384255 Follow @8ayac 20
None
https://github.com/gitlabhq/gitlabhq/commit/6d360c210d3d822fc266eecc04753481ae4bda70#diff-ebb2ac556337fa87bae1c9e999fca8cfR2 Follow @8ayac 22
None
Follow @8ayac 24
Follow @8ayac 25
Follow @8ayac 26
Follow @8ayac 27
GitLab Public Program 10 Follow @8ayac 28
Title: Issue Type: Information Exposure Through Browser Caching(CWE-525) Severity: Medium
Affected Versions: 11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/407763 Follow @8ayac 29
None
https://github.com/gitlabhq/gitlabhq/commit/782badd0a2cd00d2a9cbe591e78b30aca32e252b#diff-55c5b7aecfb519d0e4880eaf2788eb6e Follow @8ayac 31
None
Follow @8ayac 33
Follow @8ayac 34
Follow @8ayac 35
Follow @8ayac 36
Follow @8ayac 37
Follow @8ayac 38
Follow @8ayac 39
Follow @8ayac 40
Follow @8ayac 41
Follow @8ayac 42
Public Program Private Follow @8ayac 43
Title: Stored XSS Issue Type: XSS(CWE-79) Severity: High Affected Versions:
11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/409380 Follow @8ayac 44
None
Follow @8ayac 46
None
None
GitLab Public Program ! !(Low $1000) : https://hackerone.com/gitlab/policy_versions?change=3597572# Follow @8ayac
49
Follow @8ayac 50
Follow @8ayac 51
Follow @8ayac 52
Follow @8ayac 53
Follow @8ayac 54
Follow @8ayac 55
Follow @8ayac 56
None
None
@zseano : Are you submitting bugs for free when others
are being paid?... Follow @8ayac 59
Follow @8ayac 60
Private Private Researcher Follow @8ayac 61
Private Private Researcher Follow @8ayac 62
Free Bugs Campaign : Public Private Follow @8ayac 63
Follow @8ayac 64
Follow @8ayac 65
None
$500 ( ) “Private Program” GitLab ( HackEDU) 100 Burp
( ) Follow @8ayac 67
☺