diff --git a/CHANGELOG.md b/CHANGELOG.md index 35645a7..9115b26 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased + +### Added + +- Added `recommendation`, `reference`, `description`, and `impact` fields to + `hackerone_report` + +### Added + +- The following entities are added: + + | Resources | Entity `_type` | Entity `_class` | + | ------------- | ------------------------- | --------------- | + | Account | `hackerone_account` | `Account` | + | Assessment | `hackerone_assessment` | `Assessment` | + | Organization | `hackerone_organization` | `Organization` | + | Program Asset | `hackerone_program_asset` | `Entity` | + +- The following relationships are added: + + | Source Entity `_type` | Relationship `_class` | Target Entity `_type` | + | ------------------------- | --------------------- | ------------------------- | + | `hackerone_account` | **HAS** | `hackerone_organization` | + | `hackerone_account` | **HAS** | `hackerone_program` | + | `hackerone_account` | **HAS** | `hackerone_program_asset` | + | `hackerone_organization` | **HAS** | `hackerone_program` | + | `hackerone_program_asset` | **HAS** | `hackerone_report` | + | `hackerone_program` | **PERFORMED** | `hackerone_assessment` | + | `hackerone_program` | **IDENTIFIED** | `hackerone_report` | + | `hackerone_program` | **SCANS** | `hackerone_program_asset` | + ## 1.0.0 - 2022-12-21 ### Changed diff --git a/docs/jupiterone.md b/docs/jupiterone.md index d3522df..cc7f6c5 100644 --- a/docs/jupiterone.md +++ b/docs/jupiterone.md 
@@ -80,18 +80,29 @@ https://github.com/JupiterOne/sdk/blob/main/docs/integrations/development.md The following entities are created: -| Resources | Entity `_type` | Entity `_class` | -| --------- | ------------------- | ----------------------- | -| Finding | `hackerone_report` | `Finding` | -| Service | `hackerone_program` | `Service`, `Assessment` | +| Resources | Entity `_type` | Entity `_class` | +| ------------- | ------------------------- | ----------------------- | +| Account | `hackerone_account` | `Account` | +| Assessment | `hackerone_assessment` | `Assessment` | +| Finding | `hackerone_report` | `Finding` | +| Organization | `hackerone_organization` | `Organization` | +| Program Asset | `hackerone_program_asset` | `Entity` | +| Service | `hackerone_program` | `Service`, `Assessment` | ### Relationships The following relationships are created: -| Source Entity `_type` | Relationship `_class` | Target Entity `_type` | -| --------------------- | --------------------- | --------------------- | -| `hackerone_program` | **HAS** | `hackerone_report` | +| Source Entity `_type` | Relationship `_class` | Target Entity `_type` | +| ------------------------- | --------------------- | ------------------------- | +| `hackerone_account` | **HAS** | `hackerone_organization` | +| `hackerone_account` | **HAS** | `hackerone_program` | +| `hackerone_account` | **HAS** | `hackerone_program_asset` | +| `hackerone_organization` | **HAS** | `hackerone_program` | +| `hackerone_program_asset` | **HAS** | `hackerone_report` | +| `hackerone_program` | **PERFORMED** | `hackerone_assessment` | +| `hackerone_program` | **IDENTIFIED** | `hackerone_report` | +| `hackerone_program` | **SCANS** | `hackerone_program_asset` | ### Mapped Relationships diff --git a/package.json b/package.json index 90dcad7..f191430 100644 --- a/package.json +++ b/package.json 
@@ -34,7 +34,8 @@ }, "dependencies": { "@lifeomic/attempt": "^3.0.3", - "hackerone-client": "^1.0.7" + "hackerone-client": "^1.0.7", + "node-fetch": "2" }, "peerDependencies": { "@jupiterone/integration-sdk-core": "^8.22.0" diff --git a/src/__recordings__/hackeroneApiKey-auth-error_3684503732/recording.har b/src/__recordings__/hackeroneApiKey-auth-error_3684503732/recording.har index 9a7c57f..c002abc 100644 --- a/src/__recordings__/hackeroneApiKey-auth-error_3684503732/recording.har +++ b/src/__recordings__/hackeroneApiKey-auth-error_3684503732/recording.har @@ -41,7 +41,7 @@ "headers": [ { "name": "date", - "value": "Tue, 20 Dec 2022 17:46:08 GMT" + "value": "Mon, 23 Jan 2023 10:20:14 GMT" }, { "name": "content-type", @@ -53,7 +53,7 @@ }, { "name": "connection", - "value": "close" + "value": "keep-alive" }, { "name": "www-authenticate", @@ -65,7 +65,7 @@ }, { "name": "x-request-id", - "value": "22b9c8dd-ac19-4075-8796-b09c18877610" + "value": "1c8651f7-88a1-4107-9a2f-497c1c7e53df" }, { "name": "cache-control", 
@@ -105,7 +105,7 @@ }, { "name": "content-security-policy", - "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" }, { "name": "cf-cache-status", 
@@ -117,17 +117,17 @@ }, { "name": "cf-ray", - "value": "77ca32187d69a038-SLC" + "value": "78dfcbac3a538b75-HKG" } ], - "headersSize": 1490, + "headersSize": 1539, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 401, "statusText": "Unauthorized" }, - "startedDateTime": "2022-12-20T17:46:07.936Z", - "time": 210, + "startedDateTime": "2023-01-23T10:20:13.809Z", + "time": 371, "timings": { "blocked": -1, "connect": -1, @@ -135,7 +135,7 @@ "receive": 0, "send": 0, "ssl": -1, - "wait": 210 + "wait": 371 } } ], diff --git a/src/__recordings__/handle-auth-error_3507045143/recording.har b/src/__recordings__/handle-auth-error_3507045143/recording.har index bd45add..1ea778d 100644 --- a/src/__recordings__/handle-auth-error_3507045143/recording.har +++ b/src/__recordings__/handle-auth-error_3507045143/recording.har @@ -41,7 +41,7 @@ "headers": [ { "name": "date", - "value": "Tue, 20 Dec 2022 17:46:08 GMT" + "value": "Mon, 23 Jan 2023 10:20:13 GMT" }, { "name": "content-type", @@ -53,7 +53,7 @@ }, { "name": "connection", - "value": "close" + "value": "keep-alive" }, { "name": "www-authenticate", @@ -65,7 +65,7 @@ }, { "name": "x-request-id", - "value": "1f732d4b-f636-4b7f-b93a-37f4927d1925" + "value": "7adf02b4-d3b3-423d-85be-79962386605d" }, { "name": "cache-control", 
@@ -105,7 +105,7 @@ }, { "name": "content-security-policy", - "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" }, { "name": "cf-cache-status", 
@@ -117,17 +117,17 @@ }, { "name": "cf-ray", - "value": "77ca32145d02a03e-SLC" + "value": "78dfcba9cfe48b75-HKG" } ], - "headersSize": 1490, + "headersSize": 1539, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 401, "statusText": "Unauthorized" }, - "startedDateTime": "2022-12-20T17:46:07.276Z", - "time": 635, + "startedDateTime": "2023-01-23T10:20:13.417Z", + "time": 377, "timings": { "blocked": -1, "connect": -1, @@ -135,7 +135,7 @@ "receive": 0, "send": 0, "ssl": -1, - "wait": 635 + "wait": 377 } } ], diff --git a/src/__recordings__/validate-invocation_3585932400/recording.har b/src/__recordings__/validate-invocation_3585932400/recording.har index db8afbf..c57d208 100644 --- a/src/__recordings__/validate-invocation_3585932400/recording.har +++ b/src/__recordings__/validate-invocation_3585932400/recording.har 
@@ -35,13 +35,13 @@ "content": { "mimeType": "application/json; charset=utf-8", "size": 8566, - "text": "{\"data\":[{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"policy\":\"# What we are looking for\\r\\nWe want to proactively discover and remediate security vulnerabilities on our digital assets\\r\\n\\r\\nThe vulnerabilities identified in the HackerOne reports will be classified by the degree of risk as well as the impact they present to the host system, this includes the amount and type of data exposed, privilege level obtained, the proportion of systems or users affected.\\r\\n\\r\\n# What is a Bug Bounty Program?\\r\\nJupiterOne demo’s Bug Bounty Program (BBP) is an initiative driven and managed by the JupiterOne demo Information Security team. \\r\\n\\r\\n* Security researchers are encouraged to report any behavior impacting the information security posture of JupiterOne demo’ products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\\r\\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\\r\\n *Reference HackerOne guidance on writing quality reports:\\r\\n * https://docs.hackerone.com/hackers/quality-reports.html \\r\\n * https://www.hacker101.com/sessions/good_reports\\r\\n\\r\\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\\r\\n* We will work with the affected teams to validate the report.\\r\\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. 
You must be 18 or older to be eligible for an award.\\r\\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\\r\\n\\r\\n\\r\\n# Response Targets\\r\\nWe will make a best effort to meet the following response targets for hackers participating in our program:\\r\\n\\r\\n* Time to first response (from report submit) - 1 business days\\r\\n* Time to triage (from report submit) - 2 business days \\r\\n* Time to bounty (from triage) - 10 business days\\r\\n\\r\\nWe’ll try to keep you informed about our progress throughout the process.\\r\\n\\r\\n# Program Rules\\r\\n* Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), and FileUpload vulnerabilities are listed below.\\r\\n* Do not try to exploit service providers we use, prohibited actions include, but are not limited to bruteforcing login credentials of Domain Registrars, DNS Hosting Companies, Email Providers and/or others. The Firm does not authorize you to perform any actions to any property/system/service/data not listed below.\\r\\n* If you encounter Personally Identifiable Information (PII) contact us immediately. Do not proceed with access and immediately purge any local information, if applicable.\\r\\n* Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.\\r\\n\\r\\n* Submit one vulnerability per- report, unless you need to chain vulnerabilities to provide impact.\\r\\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\\r\\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\\r\\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\\r\\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\\r\\n\\r\\n# Disclosure Policy\\r\\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\\r\\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\\r\\n\\r\\n\\r\\n# How To Create Accounts\\r\\n* Go to our Website\\r\\n* Register \\r\\n* use @hackerone.com email address\\r\\n* Only use accounts you're authorised to access\\r\\n\\r\\n# Rewards\\r\\nOur rewards are based on severity per the Common Vulnerability Scoring Standard (CVSS). Please note these are general guidelines, and that reward decisions are up to the discretion of JupiterOne demo.\\r\\n\\r\\n#Out of scope vulnerabilities\\r\\n\\r\\n\\r\\n***Note: 0-day vulnerabilities may be reported 30 days after initial publication. We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.***\\r\\n\\r\\nThe following issues are considered out of scope:\\r\\n \\r\\n When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\\r\\n\\r\\n* Disruption of our service (DoS, DDoS).\\r\\n* PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers\\r\\n* Reports from automated tools or scans\\r\\n* Social engineering of employees or contractors\\r\\n* For the time being we are making all vulnerabilities in Flash files out of scope\\r\\n* Reports affecting outdated browsers\\r\\n* Known vulnerabilities on deprecated assets not currently covered by CloudFlare.\\r\\n* Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)\\r\\n* Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these\\r\\n* Use of a known-vulnerable libraries or frameworks - for example an outdated JQuery or AngularJS (without clear and working exploit)\\r\\n* Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)\\r\\n* Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user\\r\\n* Lack of HTTPS\\r\\n* Reports about insecure SSL / TLS configuration\\r\\n* Password complexityrequirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address is easy to guess\\r\\n* Presence/Lack of autocomplete attribute on web forms/password managers\\r\\n* Server Banner Disclosure/Technology used Disclosure\\r\\n* Full Path Disclosure\\r\\n* IP Address Disclosure\\r\\n* CSRF on logout or insignificant functionalities\\r\\n* Publicly accessible login panels\\r\\n* Clickjacking\\r\\n* CSS Injection attacks (Unless it gives you ability to read anti-CSRF tokens or other sensitive information)\\r\\n* Tabnabbing\\r\\n* Host 
Header Injection (Unless it givesyou access to interim proxies)\\r\\n* Cache Poisoning\\r\\n* Reflective File Download\\r\\n* Cookie scoped to parent domain or anything related to the path misconfiguration and improperly scoped\\r\\n* Private IP/Hostname disclosures or real IP disclosures for services using CDN\\r\\n* Open ports which do not lead directly to a vulnerability\\r\\n* Weak Certificate Hash Algorithm\\r\\n* Any physical/wireless attempt against our property or data centers\\r\\n\\r\\n# Safe Harbor \\r\\nThis policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any of its legal obligations, including but not limited to:\\r\\n\\r\\n* The General Data Protection Regulation 2016/679 (GDPR) andthe Data Protection Act 2018\\r\\n\\r\\nWe affirm that we will not seek prosecution of any security researcher who reports any security vulnerability on a service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.\\r\\n\\r\\nJupiterOne demo cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\\r\\n\\r\\nThank you for helping keep us and our users safe!\\r\\n\\n\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}],\"links\":{}}" + "text": "{\"data\":[{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"policy\":\"# What we are looking for\\r\\nWe want to proactively discover and remediate security vulnerabilities on our digital assets\\r\\n\\r\\nThe vulnerabilities identified in the HackerOne reports will be classified by the degree of risk as well as the impact they present to the host system, this includes the amount and type of data exposed, privilege level obtained, the proportion of systems or users affected.\\r\\n\\r\\n# What is a Bug Bounty Program?\\r\\nJupiterOne demo’s Bug Bounty Program (BBP) is an initiative driven and managed by the JupiterOne demo Information Security team. \\r\\n\\r\\n* Security researchers are encouraged to report any behavior impacting the information security posture of JupiterOne demo’ products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\\r\\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\\r\\n *Reference HackerOne guidance on writing quality reports:\\r\\n * https://docs.hackerone.com/hackers/quality-reports.html \\r\\n * https://www.hacker101.com/sessions/good_reports\\r\\n\\r\\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\\r\\n* We will work with the affected teams to validate the report.\\r\\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\\r\\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\\r\\n\\r\\n\\r\\n# Response Targets\\r\\nWe will make a best effort to meet the following response targets for hackers participating in our program:\\r\\n\\r\\n* Time to first response (from report submit) - 1 business days\\r\\n* Time to triage (from report submit) - 2 business days \\r\\n* Time to bounty (from triage) - 10 business days\\r\\n\\r\\nWe’ll try to keep you informed about our progress throughout the process.\\r\\n\\r\\n# Program Rules\\r\\n* Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), and FileUpload vulnerabilities are listed below.\\r\\n* Do not try to exploit service providers we use, prohibited actions include, but are not limited to bruteforcing login credentials of Domain Registrars, DNS Hosting Companies, Email Providers and/or others. The Firm does not authorize you to perform any actions to any property/system/service/data not listed below.\\r\\n* If you encounter Personally Identifiable Information (PII) contact us immediately. 
Do not proceed with access and immediately purge any local information, if applicable.\\r\\n* Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.\\r\\n\\r\\n* Submit one vulnerability per- report, unless you need to chain vulnerabilities to provide impact.\\r\\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\\r\\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\\r\\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\\r\\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\\r\\n\\r\\n# Disclosure Policy\\r\\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\\r\\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\\r\\n\\r\\n\\r\\n# How To Create Accounts\\r\\n* Go to our Website\\r\\n* Register \\r\\n* use @hackerone.com email address\\r\\n* Only use accounts you're authorised to access\\r\\n\\r\\n# Rewards\\r\\nOur rewards are based on severity per the Common Vulnerability Scoring Standard (CVSS). Please note these are general guidelines, and that reward decisions are up to the discretion of JupiterOne demo.\\r\\n\\r\\n#Out of scope vulnerabilities\\r\\n\\r\\n\\r\\n***Note: 0-day vulnerabilities may be reported 30 days after initial publication. 
We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.***\\r\\n\\r\\nThe following issues are considered out of scope:\\r\\n \\r\\n When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\\r\\n\\r\\n* Disruption of our service (DoS, DDoS).\\r\\n* PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers\\r\\n* Reports from automated tools or scans\\r\\n* Social engineering of employees or contractors\\r\\n* For the time being we are making all vulnerabilities in Flash files out of scope\\r\\n* Reports affecting outdated browsers\\r\\n* Known vulnerabilities on deprecated assets not currently covered by CloudFlare.\\r\\n* Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)\\r\\n* Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these\\r\\n* Use of a known-vulnerable libraries or frameworks - for example an outdated JQuery or AngularJS (without clear and working exploit)\\r\\n* Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)\\r\\n* Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user\\r\\n* Lack of HTTPS\\r\\n* Reports about insecure SSL / TLS configuration\\r\\n* Password complexityrequirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address is easy to guess\\r\\n* Presence/Lack of autocomplete attribute on web forms/password managers\\r\\n* Server Banner 
Disclosure/Technology used Disclosure\\r\\n* Full Path Disclosure\\r\\n* IP Address Disclosure\\r\\n* CSRF on logout or insignificant functionalities\\r\\n* Publicly accessible login panels\\r\\n* Clickjacking\\r\\n* CSS Injection attacks (Unless it gives you ability to read anti-CSRF tokens or other sensitive information)\\r\\n* Tabnabbing\\r\\n* Host Header Injection (Unless it givesyou access to interim proxies)\\r\\n* Cache Poisoning\\r\\n* Reflective File Download\\r\\n* Cookie scoped to parent domain or anything related to the path misconfiguration and improperly scoped\\r\\n* Private IP/Hostname disclosures or real IP disclosures for services using CDN\\r\\n* Open ports which do not lead directly to a vulnerability\\r\\n* Weak Certificate Hash Algorithm\\r\\n* Any physical/wireless attempt against our property or data centers\\r\\n\\r\\n# Safe Harbor \\r\\nThis policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any of its legal obligations, including but not limited to:\\r\\n\\r\\n* The General Data Protection Regulation 2016/679 (GDPR) andthe Data Protection Act 2018\\r\\n\\r\\nWe affirm that we will not seek prosecution of any security researcher who reports any security vulnerability on a service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.\\r\\n\\r\\nJupiterOne demo cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\\r\\n\\r\\nThank you for helping keep us and our users safe!\\r\\n\\n\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}],\"links\":{}}" }, "cookies": [], "headers": [ { "name": "date", - "value": "Tue, 20 Dec 2022 17:47:13 GMT" + "value": "Mon, 23 Jan 2023 10:20:27 GMT" }, { "name": "content-type", @@ -53,7 +53,7 @@ }, { "name": "connection", - "value": "close" + "value": "keep-alive" }, { "name": "vary", @@ -61,11 +61,11 @@ }, { "name": "x-request-id", - "value": "2bb320e9-8246-4b71-93aa-2b5b502060fe" + "value": "0f058a93-aaa7-4550-965d-7055dabd626d" }, { "name": "etag", - "value": "W/\"4799eda051121ea6c4ae2454eebd97a2\"" + "value": "W/\"e1a9449c7a1cda0302693d05b6c317e6\"" }, { "name": "cache-control", 
@@ -105,7 +105,7 @@ }, { "name": "content-security-policy", - "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" }, { "name": "cf-cache-status", 
@@ -117,17 +117,17 @@ }, { "name": "cf-ray", - "value": "77ca33ad6e6ca074-SLC" + "value": "78dfcbfd1fff20e1-HKG" } ], - "headersSize": 1514, + "headersSize": 1563, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2022-12-20T17:47:12.680Z", - "time": 434, + "startedDateTime": "2023-01-23T10:20:26.356Z", + "time": 1286, "timings": { "blocked": -1, "connect": -1, @@ -135,7 +135,7 @@ "receive": 0, "send": 0, "ssl": -1, - "wait": 434 + "wait": 1286 } } ], diff --git a/src/client.ts b/src/client.ts index d03d490..294b8b9 100644 --- a/src/client.ts +++ b/src/client.ts @@ -6,13 +6,22 @@ import { import { IntegrationConfig } from './config'; import { retry } from '@lifeomic/attempt'; -import { Report } from './types'; +import { + HackerOneOrganization, + HackerOneProgram, + HackerOneStructuredScope, + Report, +} from './types'; +import fetch, { Response } from 'node-fetch'; export type ResourceIteratee = (each: T) => Promise | void; export const HACKERONE_CLIENT_404_ERROR = 'StatusCodeError: 404'; // TODO/HACK: Underlying library not re-throwing status codes correctly so this instead does a substring match to detect if a 404 (e.g., no direct access to err.errors[]) export class APIClient { + private baseUrl = 'https://api.hackerone.com/v1/'; private hackeroneClient; + private limit = 50; + constructor(readonly config: IntegrationConfig) { this.hackeroneClient = new HackeroneClient( config.hackeroneApiKey, 
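Review bot: The new `baseUrl` and `limit` fields on APIClient are never reassigned anywhere in this diff, so they should be declared `private readonly baseUrl = 'https://api.hackerone.com/v1/';` and `private readonly limit = 50;` — a later method then cannot silently redirect every request to another host or change the page size. `Response` from node-fetch is used only in a type position later in this diff, so `import type { Response } from 'node-fetch';` alongside the default `fetch` import keeps it out of the emitted JavaScript. The APIClient constructor started in this hunk continues outside it.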
@@ -20,6 +29,79 @@ export class APIClient { ); } + private withBaseUrl = (path: string) => `${this.baseUrl}${path}`; + + // To query endpoints not supported in hackerone-client + private async request(uri: string): Promise { + try { + const result = await retry( + async () => { + const response = await fetch(uri, { + headers: { + Authorization: `Basic ${Buffer.from( + `${this.config.hackeroneApiKeyName}:${this.config.hackeroneApiKey}`, + ).toString('base64')}`, + }, + }); + if (!response.ok) { + throw new IntegrationProviderAPIError({ + endpoint: uri, + status: response.status, + statusText: response.statusText, + }); + } + return response; + }, + { + delay: 1000, + factor: 2, + maxAttempts: 10, + handleError: (err, context) => { + if ( + err.statusCode !== 429 || + ([500, 400, 401].includes(err.statusCode) && + context.attemptNum > 1) + ) { + context.abort(); + } + }, + }, + ); + return result; + } catch (error) { + throw new IntegrationProviderAPIError({ + endpoint: uri, + status: error.status, + statusText: error.statusText, + }); + } + } + + private async paginatedRequest( + uri: string, + iteratee: ResourceIteratee, + ): Promise { + try { + let current = `${uri}?page[number]=1&page[size]=${this.limit}`; + let response: Response; + do { + response = await this.request(current); + + const { data, links } = await response.json(); + current = links?.last !== links?.self ? links?.next : ''; + + for (const resource of data) await iteratee(resource); + } while (current); + } catch (err) { + throw new IntegrationProviderAPIError({ + cause: new Error(err.message), + endpoint: uri, + status: err.statusCode, + statusText: err.message, + }); + } + } + public async verifyAuthentication(): Promise { try { await this.hackeroneClient.getPrograms(); 
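Review bot: The retry in `request` never retries: the error thrown inside the attempt is an `IntegrationProviderAPIError` built with `status: response.status`, but `handleError` inspects `err.statusCode`, which that error does not carry as far as this diff shows, so `err.statusCode !== 429` is always true and `context.abort()` fires on the first failure; the `[500, 400, 401].includes(...)` clause is unreachable as well, since it is only evaluated when the status is 429. Replacing the condition with `if (err.status !== 429) context.abort();` expresses the apparent intent (retry only on rate limiting, give up on everything else), and a connection-level error from `fetch`, which has no `status`, is still aborted. The same `statusCode`/`status` mismatch is in the `catch` of `paginatedRequest`, where `status: err.statusCode` should be `status: err.status`, and `cause: new Error(err.message)` discards the original error's stack where `cause: err` would keep it. With `delay: 1000, factor: 2, maxAttempts: 10` the final back-off is on the order of 2^9 seconds; a `maxDelay` would bound the wait, though whether that matters depends on the step timeout, which is not visible here.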
@@ -71,6 +153,34 @@ export class APIClient { factor: 2, //exponential backoff factor. with 30 sec start and 3 attempts, longest wait is 2 min }); } + + // API key is for a single organization only. Pagination is + // unnecessary but is implemented due to endpoint design. + public async fetchOrganization( + iteratee: ResourceIteratee, + ): Promise { + const url = this.withBaseUrl('me/organizations'); + await this.paginatedRequest(url, iteratee); + } + + public async iteratePrograms( + iteratee: ResourceIteratee, + ): Promise { + const programs = await this.hackeroneClient.getPrograms(); + const { data } = JSON.parse(programs); + + for (const program of data) { + await iteratee(program); + } + } + + public async iterateProgramAsset( + programId: string, + iteratee: ResourceIteratee, + ): Promise { + const url = this.withBaseUrl(`programs/${programId}/structured_scopes`); + await this.paginatedRequest(url, iteratee); + } } let apiClient: APIClient; diff --git a/src/steps/account/converter.ts b/src/steps/account/converter.ts new file mode 100644 index 0000000..ff23b36 --- /dev/null +++ b/src/steps/account/converter.ts @@ -0,0 +1,26 @@ +import { + createIntegrationEntity, + Entity, + IntegrationInstance, +} from '@jupiterone/integration-sdk-core'; +import { IntegrationConfig } from '../../config'; +import { Entities } from '../constants'; + +export function createAccountEntity( + data: IntegrationInstance, +): Entity { + const { config, ...rest } = data; + return createIntegrationEntity({ + entityData: { + source: rest, + assign: { + _key: `hackerone_account`, + _type: Entities.ACCOUNT._type, + _class: Entities.ACCOUNT._class, + name: data.name, + id: data.id, + program: data.config.hackeroneProgramHandle, + }, + }, + }); +} diff --git a/src/steps/account/index.test.ts b/src/steps/account/index.test.ts new file mode 100644 index 0000000..fb85a01 --- /dev/null +++ b/src/steps/account/index.test.ts 
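Review bot: `iterateProgramAsset` interpolates `programId` directly into the request path (`programs/${programId}/structured_scopes`); the id comes from the HackerOne response rather than from user input, but a value containing `/`, `?` or `#` would silently change which endpoint the Basic credential is sent to, so I would write ``const url = this.withBaseUrl(`programs/${encodeURIComponent(programId)}/structured_scopes`);``. In `iteratePrograms`, the result of `JSON.parse(programs)` is destructured and iterated without confirming `data` is an array, so a non-JSON:API error body surfaces as a raw `TypeError` rather than the `IntegrationProviderAPIError` the `paginatedRequest` path produces; `if (!Array.isArray(data)) throw new IntegrationProviderAPIError({ endpoint: 'me/programs', status: 0, statusText: 'unexpected response shape' });` keeps the two paths consistent. The comment on `fetchOrganization` would be clearer as `// The API key is scoped to a single organization, so this yields one page; pagination is kept only because the endpoint is paginated.` The `APIClient` class continues outside the hunk.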
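Review bot: The destructuring `const { config, ...rest } = data;` in `createAccountEntity` is the line that keeps `hackeroneApiKey` and `hackeroneApiKeyName` out of the persisted raw entity data (`source: rest`), but nothing says so, and the unused `config` binding will trip `no-unused-vars` under the recommended ESLint config. I would add `// Drop `config` so the API key in the instance config is never stored as raw entity data` above it and bind it as `const { config: _config, ...rest } = data;`. The `program` property is still read from `data.config.hackeroneProgramHandle`, which is fine because a program handle is not a secret, but the comment should make that distinction explicit so a later field added to `IntegrationConfig` is not copied in by analogy. `createAccountEntity` is complete within the hunk.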
@@ -0,0 +1,21 @@ +import { executeStepWithDependencies } from '@jupiterone/integration-sdk-testing'; +import { buildStepTestConfigForStep } from '../../../test/config'; +import { Recording, setupProjectRecording } from '../../../test/recording'; +import { Steps } from '../constants'; + +// See test/README.md for details +let recording: Recording; +afterEach(async () => { + await recording.stop(); +}); + +test('fetch-account', async () => { + recording = setupProjectRecording({ + directory: __dirname, + name: 'fetch-account', + }); + + const stepConfig = buildStepTestConfigForStep(Steps.ACCOUNT); + const stepResult = await executeStepWithDependencies(stepConfig); + expect(stepResult).toMatchStepMetadata(stepConfig); +}); diff --git a/src/steps/account/index.ts b/src/steps/account/index.ts new file mode 100644 index 0000000..41016c7 --- /dev/null +++ b/src/steps/account/index.ts @@ -0,0 +1,28 @@ +import { + IntegrationStep, + IntegrationStepExecutionContext, +} from '@jupiterone/integration-sdk-core'; + +import { IntegrationConfig } from '../../config'; +import { ACCOUNT_ENTITY_KEY, Entities, Steps } from '../constants'; +import { createAccountEntity } from './converter'; + +export async function fetchAccount({ + instance, + jobState, +}: IntegrationStepExecutionContext) { + const accountEntity = await jobState.addEntity(createAccountEntity(instance)); + + await jobState.setData(ACCOUNT_ENTITY_KEY, accountEntity); +} + +export const accountSteps: IntegrationStep[] = [ + { + id: Steps.ACCOUNT, + name: 'Fetch Account', + entities: [Entities.ACCOUNT], + relationships: [], + dependsOn: [], + executionHandler: fetchAccount, + }, +]; diff --git a/src/steps/assessment/__recordings__/fetch-assessment_4035391952/recording.har b/src/steps/assessment/__recordings__/fetch-assessment_4035391952/recording.har new file mode 100644 index 0000000..1482028 --- /dev/null +++ b/src/steps/assessment/__recordings__/fetch-assessment_4035391952/recording.har 
@@ -0,0 +1,301 @@ +{ + "log": { + "_recordingName": "fetch-assessment", + "creator": { + "comment": "persister:JupiterOneIntegationFSPersister", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "2fd9190ee6ee5d6441d452419593ba03", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "authorization", + "value": "[REDACTED]" + }, + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "user-agent", + "value": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" + }, + { + "_fromType": "array", + "name": "accept-encoding", + "value": "gzip,deflate" + }, + { + "_fromType": "array", + "name": "connection", + "value": "close" + }, + { + "name": "host", + "value": "api.hackerone.com" + } + ], + "headersSize": 362, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "page", + "value": { + "number": "1", + "size": "50" + } + } + ], + "url": "https://api.hackerone.com/v1/me/organizations?page%5Bnumber%5D=1&page%5Bsize%5D=50" + }, + "response": { + "bodySize": 219, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 219, + "text": "{\"data\":[{\"id\":\"53696\",\"type\":\"organization\",\"attributes\":{\"handle\":\"jupiterone_demo_demo\",\"created_at\":\"2022-12-06T06:48:20.843Z\",\"updated_at\":\"2022-12-06T06:48:20.843Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:00 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "connection", + "value": "close" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "b870579a-1d21-4a6f-8256-43adfd47f523" + }, + { + "name": "etag", + "value": "W/\"903da775d605439f0ae0f263be789661\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + 
{ + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0f4bf750f28-HKG" + } + ], + "headersSize": 1582, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:01:58.999Z", + "time": 977, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 977 + } + }, + { + "_id": 
"a22ea652b31729e5daea0e965ed6d97c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "name": "host", + "value": "api.hackerone.com" + }, + { + "name": "authorization", + "value": "[REDACTED]" + } + ], + "headersSize": 189, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [], + "url": "https://api.hackerone.com/v1/me/programs" + }, + "response": { + "bodySize": 8566, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 8566, + "text": "{\"data\":[{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"policy\":\"# What we are looking for\\r\\nWe want to proactively discover and remediate security vulnerabilities on our digital assets\\r\\n\\r\\nThe vulnerabilities identified in the HackerOne reports will be classified by the degree of risk as well as the impact they present to the host system, this includes the amount and type of data exposed, privilege level obtained, the proportion of systems or users affected.\\r\\n\\r\\n# What is a Bug Bounty Program?\\r\\nJupiterOne demo’s Bug Bounty Program (BBP) is an initiative driven and managed by the JupiterOne demo Information Security team. \\r\\n\\r\\n* Security researchers are encouraged to report any behavior impacting the information security posture of JupiterOne demo’ products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\\r\\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\\r\\n *Reference HackerOne guidance on writing quality reports:\\r\\n * https://docs.hackerone.com/hackers/quality-reports.html \\r\\n * https://www.hacker101.com/sessions/good_reports\\r\\n\\r\\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\\r\\n* We will work with the affected teams to validate the report.\\r\\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\\r\\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\\r\\n\\r\\n\\r\\n# Response Targets\\r\\nWe will make a best effort to meet the following response targets for hackers participating in our program:\\r\\n\\r\\n* Time to first response (from report submit) - 1 business days\\r\\n* Time to triage (from report submit) - 2 business days \\r\\n* Time to bounty (from triage) - 10 business days\\r\\n\\r\\nWe’ll try to keep you informed about our progress throughout the process.\\r\\n\\r\\n# Program Rules\\r\\n* Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), and FileUpload vulnerabilities are listed below.\\r\\n* Do not try to exploit service providers we use, prohibited actions include, but are not limited to bruteforcing login credentials of Domain Registrars, DNS Hosting Companies, Email Providers and/or others. The Firm does not authorize you to perform any actions to any property/system/service/data not listed below.\\r\\n* If you encounter Personally Identifiable Information (PII) contact us immediately. 
Do not proceed with access and immediately purge any local information, if applicable.\\r\\n* Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.\\r\\n\\r\\n* Submit one vulnerability per- report, unless you need to chain vulnerabilities to provide impact.\\r\\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\\r\\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\\r\\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\\r\\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\\r\\n\\r\\n# Disclosure Policy\\r\\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\\r\\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\\r\\n\\r\\n\\r\\n# How To Create Accounts\\r\\n* Go to our Website\\r\\n* Register \\r\\n* use @hackerone.com email address\\r\\n* Only use accounts you're authorised to access\\r\\n\\r\\n# Rewards\\r\\nOur rewards are based on severity per the Common Vulnerability Scoring Standard (CVSS). Please note these are general guidelines, and that reward decisions are up to the discretion of JupiterOne demo.\\r\\n\\r\\n#Out of scope vulnerabilities\\r\\n\\r\\n\\r\\n***Note: 0-day vulnerabilities may be reported 30 days after initial publication. 
We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.***\\r\\n\\r\\nThe following issues are considered out of scope:\\r\\n \\r\\n When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\\r\\n\\r\\n* Disruption of our service (DoS, DDoS).\\r\\n* PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers\\r\\n* Reports from automated tools or scans\\r\\n* Social engineering of employees or contractors\\r\\n* For the time being we are making all vulnerabilities in Flash files out of scope\\r\\n* Reports affecting outdated browsers\\r\\n* Known vulnerabilities on deprecated assets not currently covered by CloudFlare.\\r\\n* Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)\\r\\n* Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these\\r\\n* Use of a known-vulnerable libraries or frameworks - for example an outdated JQuery or AngularJS (without clear and working exploit)\\r\\n* Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)\\r\\n* Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user\\r\\n* Lack of HTTPS\\r\\n* Reports about insecure SSL / TLS configuration\\r\\n* Password complexityrequirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address is easy to guess\\r\\n* Presence/Lack of autocomplete attribute on web forms/password managers\\r\\n* Server Banner 
Disclosure/Technology used Disclosure\\r\\n* Full Path Disclosure\\r\\n* IP Address Disclosure\\r\\n* CSRF on logout or insignificant functionalities\\r\\n* Publicly accessible login panels\\r\\n* Clickjacking\\r\\n* CSS Injection attacks (Unless it gives you ability to read anti-CSRF tokens or other sensitive information)\\r\\n* Tabnabbing\\r\\n* Host Header Injection (Unless it givesyou access to interim proxies)\\r\\n* Cache Poisoning\\r\\n* Reflective File Download\\r\\n* Cookie scoped to parent domain or anything related to the path misconfiguration and improperly scoped\\r\\n* Private IP/Hostname disclosures or real IP disclosures for services using CDN\\r\\n* Open ports which do not lead directly to a vulnerability\\r\\n* Weak Certificate Hash Algorithm\\r\\n* Any physical/wireless attempt against our property or data centers\\r\\n\\r\\n# Safe Harbor \\r\\nThis policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any of its legal obligations, including but not limited to:\\r\\n\\r\\n* The General Data Protection Regulation 2016/679 (GDPR) andthe Data Protection Act 2018\\r\\n\\r\\nWe affirm that we will not seek prosecution of any security researcher who reports any security vulnerability on a service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.\\r\\n\\r\\nJupiterOne demo cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\\r\\n\\r\\nThank you for helping keep us and our users safe!\\r\\n\\n\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:01 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "transfer-encoding", + "value": "chunked" + }, + { + "name": "connection", + "value": "keep-alive" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "226e4d76-ab4d-4a90-b75e-7ef3d44390c4" + }, + { + "name": "etag", + "value": "W/\"e1a9449c7a1cda0302693d05b6c317e6\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com 
hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0fa2ac38b69-HKG" + } + ], + "headersSize": 1563, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:01:59.988Z", + "time": 871, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 871 + } + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/src/steps/assessment/converter.ts b/src/steps/assessment/converter.ts new file mode 100644 index 0000000..f309ca0 --- /dev/null +++ b/src/steps/assessment/converter.ts @@ -0,0 +1,22 @@ +import { + createIntegrationEntity, + Entity, +} from '@jupiterone/integration-sdk-core'; +import { Entities } from '../constants'; + +export function createAssessmentEntity(programHandle: string): Entity { + return createIntegrationEntity({ + entityData: { + source: {}, + assign: { + _key: `hackerone_assessment:${programHandle}`, + _type: Entities.ASSESSMENT._type, + _class: Entities.ASSESSMENT._class, + name: programHandle, + category: 'bug-bounty', + summary: `HackerOne Bounty Program for ${programHandle}`, + internal: false, + }, + }, + }); +} diff --git a/src/steps/assessment/index.test.ts b/src/steps/assessment/index.test.ts new file mode 100644 index 0000000..86d6c75 --- /dev/null +++ b/src/steps/assessment/index.test.ts 
@@ -0,0 +1,21 @@ +import { executeStepWithDependencies } from '@jupiterone/integration-sdk-testing'; +import { buildStepTestConfigForStep } from '../../../test/config'; +import { Recording, setupProjectRecording } from '../../../test/recording'; +import { Steps } from '../constants'; + +// See test/README.md for details +let recording: Recording; +afterEach(async () => { + await recording.stop(); +}); + +test('fetch-assessment', async () => { + recording = setupProjectRecording({ + directory: __dirname, + name: 'fetch-assessment', + }); + + const stepConfig = buildStepTestConfigForStep(Steps.ASSESSMENT); + const stepResult = await executeStepWithDependencies(stepConfig); + expect(stepResult).toMatchStepMetadata(stepConfig); +}); diff --git a/src/steps/assessment/index.ts b/src/steps/assessment/index.ts new file mode 100644 index 0000000..9bf7155 --- /dev/null +++ b/src/steps/assessment/index.ts 
@@ -0,0 +1,51 @@ +import { + createDirectRelationship, + getRawData, + IntegrationStep, + IntegrationStepExecutionContext, + RelationshipClass, +} from '@jupiterone/integration-sdk-core'; + +import { IntegrationConfig } from '../../config'; +import { HackerOneProgram } from '../../types'; +import { Entities, Relationships, Steps } from '../constants'; +import { createAssessmentEntity } from './converter'; + +export async function fetchAssessments({ + jobState, + logger, +}: IntegrationStepExecutionContext) { + await jobState.iterateEntities( + { _type: Entities.PROGRAM._type }, + async (programEntity) => { + const program = getRawData(programEntity); + + if (!program) { + logger.warn(`Can not get raw data for entity ${programEntity._key}`); + return; + } + + const assessmentEntity = await jobState.addEntity( + createAssessmentEntity(program.attributes.handle), + ); + await jobState.addRelationship( + createDirectRelationship({ + _class: RelationshipClass.PERFORMED, + from: programEntity, + to: assessmentEntity, + }), + ); + }, + ); +} + +export const assessmentSteps: IntegrationStep[] = [ + { + id: Steps.ASSESSMENT, + name: 'Fetch Assessments', + entities: [Entities.ASSESSMENT], + relationships: [Relationships.PROGRAM_PERFORMED_ASSESSMENT], + dependsOn: [Steps.PROGRAMS], + executionHandler: fetchAssessments, + }, +]; diff --git a/src/steps/constants.ts b/src/steps/constants.ts index 919cf23..fc3a541 100644 --- a/src/steps/constants.ts +++ b/src/steps/constants.ts 
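Review bot: `fetchAssessments` builds the assessment `_key` from `program.attributes.handle` with no check that the handle is present; if a program's raw data lacks `attributes` the access throws, and if the handle is merely empty every such program yields `hackerone_assessment:undefined`, so the second one would fail on a duplicate key. I would guard it next to the existing raw-data check: `const handle = program.attributes?.handle; if (!handle) { logger.warn({ key: programEntity._key }, 'Program has no handle; skipping assessment'); return; }`. A one-line docblock on `fetchAssessments` — that it creates one `hackerone_assessment` per `hackerone_program` entity already in the job state, which is why the step declares `dependsOn: [Steps.PROGRAMS]` — would make the dependency self-explanatory. The function is complete within the hunk.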
@@ -6,16 +6,41 @@ import { StepRelationshipMetadata, } from '@jupiterone/integration-sdk-core'; +export const ACCOUNT_ENTITY_KEY = 'entity:account'; + export const Steps = { - PROGRAM: 'build-program', + ACCOUNT: 'fetch-account', + ORGANIZATION: 'fetch-organization', + PROGRAMS: 'build-programs', + SERVICE: 'fetch-service', + ASSESSMENT: 'fetch-assessments', + PROGRAM_ASSETS: 'fetch-program-assets', REPORTS: 'fetch-reports', - PROGRAM_REPORTS_RELATIONSHIPS: 'build-program-reports-relationships', + PROGRAM_ASSETS_REPORTS_RELATIONSHIPS: + 'build-program-assets-reports-relationships', }; export const Entities: Record< - 'PROGRAM' | 'REPORT' | 'CVE' | 'CWE', + | 'ACCOUNT' + | 'PROGRAM' + | 'PROGRAM_ASSET' + | 'ORGANIZATION' + | 'ASSESSMENT' + | 'REPORT' + | 'CVE' + | 'CWE', StepEntityMetadata > = { + ACCOUNT: { + resourceName: 'Account', + _type: 'hackerone_account', + _class: ['Account'], + }, + ORGANIZATION: { + resourceName: 'Organization', + _type: 'hackerone_organization', + _class: ['Organization'], + }, PROGRAM: { resourceName: 'Service', _type: 'hackerone_program', @@ -29,6 +54,16 @@ export const Entities: Record< required: ['category', 'handle'], }, }, + PROGRAM_ASSET: { + resourceName: 'Program Asset', + _type: 'hackerone_program_asset', + _class: ['Entity'], // TBD: A better fitting class + }, + ASSESSMENT: { + resourceName: 'Assessment', + _type: 'hackerone_assessment', + _class: ['Assessment'], + }, REPORT: { resourceName: 'Finding', _type: 'hackerone_report', 
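Review bot: `Steps.SERVICE: 'fetch-service'` is added but no step in this diff references it, and `Steps.PROGRAM` is renamed from `build-program` to `build-programs`, which changes a persisted step id for anyone already running 1.0.0; both deserve a line in the changelog, or the unused constant should be dropped. `PROGRAM_ASSET` ships with `_class: ['Entity'], // TBD: A better fitting class` — if the intent is to revisit this, make the comment actionable, e.g. `// TODO: structured scopes describe targets (domains, apps); consider a more specific class than 'Entity' before this is relied on in queries`, since changing `_class` later is a breaking change for saved queries. `Steps.ASSESSMENT` is `'fetch-assessments'` while every other id is singular; pick one form. Both hunks are complete within this line; the `Entities` record continues past them.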
@@ -57,12 +92,61 @@ export const Entities: Record< }; export const Relationships: Record< - 'PROGRAM_REPORTED_FINDING', + | 'PROGRAM_REPORTED_FINDING' + | 'PROGRAM_PERFORMED_ASSESSMENT' + | 'PROGRAM_SCANS_PROGRAM_ASSET' + | 'ACCOUNT_HAS_ORGANIZATION' + | 'ACCOUNT_HAS_PROGRAM_ASSET' + | 'ACCOUNT_HAS_PROGRAM' + | 'PROGRAM_ASSET_HAS_FINDING' + | 'ORGANIZATION_HAS_PROGRAM', StepRelationshipMetadata > = { PROGRAM_REPORTED_FINDING: { _type: 'hackerone_program_reported_finding', sourceType: Entities.PROGRAM._type, + _class: RelationshipClass.IDENTIFIED, + targetType: Entities.REPORT._type, + }, + ACCOUNT_HAS_ORGANIZATION: { + _type: 'hackerone_account_has_organization', + sourceType: Entities.ACCOUNT._type, + _class: RelationshipClass.HAS, + targetType: Entities.ORGANIZATION._type, + }, + ACCOUNT_HAS_PROGRAM_ASSET: { + _type: 'hackerone_account_has_program_asset', + sourceType: Entities.ACCOUNT._type, + _class: RelationshipClass.HAS, + targetType: Entities.PROGRAM_ASSET._type, + }, + ACCOUNT_HAS_PROGRAM: { + _type: 'hackerone_account_has_program', + sourceType: Entities.ACCOUNT._type, + _class: RelationshipClass.HAS, + targetType: Entities.PROGRAM._type, + }, + ORGANIZATION_HAS_PROGRAM: { + _type: 'hackerone_organization_has_program', + sourceType: Entities.ORGANIZATION._type, + _class: RelationshipClass.HAS, + targetType: Entities.PROGRAM._type, + }, + PROGRAM_PERFORMED_ASSESSMENT: { + _type: 'hackerone_program_performed_assessment', + sourceType: Entities.PROGRAM._type, + _class: RelationshipClass.PERFORMED, + targetType: Entities.ASSESSMENT._type, + }, + PROGRAM_SCANS_PROGRAM_ASSET: { + _type: 'hackerone_program_scans_asset', + sourceType: Entities.PROGRAM._type, + _class: RelationshipClass.SCANS, + targetType: Entities.PROGRAM_ASSET._type, + }, + PROGRAM_ASSET_HAS_FINDING: { + _type: 'hackerone_program_asset_has_report', + sourceType: Entities.PROGRAM_ASSET._type, _class: RelationshipClass.HAS, targetType: Entities.REPORT._type, }, 
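Review bot: `PROGRAM_REPORTED_FINDING` changes `_class` to `IDENTIFIED` but keeps `_type: 'hackerone_program_reported_finding'`, and `PROGRAM_SCANS_PROGRAM_ASSET` uses `hackerone_program_scans_asset` while its target `_type` is `hackerone_program_asset`; the `source_class_target` convention the other new entries follow would give `hackerone_program_identified_report` and `hackerone_program_scans_program_asset`, and the `_type` is what J1QL users and the metadata tests key on. If the old `_type` is kept on purpose so previously ingested edges are replaced rather than orphaned, a comment saying so — `// _type kept for compatibility with 1.0.0 graphs; _class changed from HAS to IDENTIFIED` — would stop the next reader from "fixing" it. `PROGRAM_ASSET_HAS_FINDING` names its target FINDING in the key but `_report` in the `_type`; pick one. The `Relationships` record continues past the hunk.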
@@ -73,14 +157,14 @@ export const MappedRelationships: Record< StepMappedRelationshipMetadata > = { FINDING_EXPLOITS_WEAKNESS: { - _type: 'hackerone_finding_exploits_weakness', + _type: 'hackerone_report_exploits_weakness', sourceType: Entities.REPORT._type, _class: RelationshipClass.HAS, targetType: Entities.CWE._type, direction: RelationshipDirection.FORWARD, }, FINDING_IS_VULNERABILITY: { - _type: 'hackerone_finding_is_vulnerability', + _type: 'hackerone_report_is_vulnerability', sourceType: Entities.REPORT._type, _class: RelationshipClass.HAS, targetType: Entities.CVE._type, diff --git a/src/steps/index.ts b/src/steps/index.ts index 3adcac5..a786b72 100644 --- a/src/steps/index.ts +++ b/src/steps/index.ts @@ -1,6 +1,17 @@ -import { reportSteps } from './report'; +import { accountSteps } from './account'; +import { assessmentSteps } from './assessment'; +import { organizationSteps } from './organization'; import { programSteps } from './program'; +import { programAssetSteps } from './program-asset'; +import { reportSteps } from './report'; -const integrationSteps = [...reportSteps, ...programSteps]; +const integrationSteps = [ + ...accountSteps, + ...organizationSteps, + ...programSteps, + ...programAssetSteps, + ...reportSteps, + ...assessmentSteps, +]; export { integrationSteps }; diff --git a/src/steps/organization/__recordings__/fetch-organization_291669677/recording.har b/src/steps/organization/__recordings__/fetch-organization_291669677/recording.har new file mode 100644 index 0000000..3cd0b45 --- /dev/null +++ b/src/steps/organization/__recordings__/fetch-organization_291669677/recording.har 
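Review bot: Renaming the mapped relationship `_type`s from `hackerone_finding_*` to `hackerone_report_*` means edges created by 1.0.0 under the old `_type` are no longer declared by any step, so existing graphs may retain stale `hackerone_finding_exploits_weakness` / `hackerone_finding_is_vulnerability` edges alongside the new ones after upgrade; I cannot confirm the SDK's cleanup behaviour from here, but the changelog should state what happens to them. The keys still disagree with their class: `FINDING_EXPLOITS_WEAKNESS` and `FINDING_IS_VULNERABILITY` both carry `_class: RelationshipClass.HAS`, so either the `_class` should become `EXPLOITS` / `IS` or the keys should say `HAS` — this rename was the moment to align them. In the `steps/index.ts` hunk, `assessmentSteps` is listed after `reportSteps` although it declares `dependsOn: [Steps.PROGRAMS]`; as I understand the SDK, execution order comes from `dependsOn` rather than array position, so a comment `// order is cosmetic; execution order is derived from each step's dependsOn` would prevent someone "fixing" the order. The `MappedRelationships` record continues past the hunk.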
@@ -0,0 +1,170 @@ +{ + "log": { + "_recordingName": "fetch-organization", + "creator": { + "comment": "persister:JupiterOneIntegationFSPersister", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "2fd9190ee6ee5d6441d452419593ba03", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "authorization", + "value": "[REDACTED]" + }, + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "user-agent", + "value": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" + }, + { + "_fromType": "array", + "name": "accept-encoding", + "value": "gzip,deflate" + }, + { + "_fromType": "array", + "name": "connection", + "value": "close" + }, + { + "name": "host", + "value": "api.hackerone.com" + } + ], + "headersSize": 362, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "page", + "value": { + "number": "1", + "size": "50" + } + } + ], + "url": "https://api.hackerone.com/v1/me/organizations?page%5Bnumber%5D=1&page%5Bsize%5D=50" + }, + "response": { + "bodySize": 212, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 212, + "text": "{\"data\":[{\"id\":\"53696\",\"type\":\"organization\",\"attributes\":{\"handle\":\"jupiterone_demo_demo\",\"created_at\":\"2022-12-06T06:48:20.843Z\",\"updated_at\":\"2022-12-06T06:48:20.843Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:00 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "connection", + "value": "close" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "4afef843-8b1e-4cc6-9dfb-d95b7ffe6919" + }, + { + "name": "etag", + "value": "W/\"903da775d605439f0ae0f263be789661\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, 
+ { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0f4b97ae6a2-HKG" + } + ], + "headersSize": 1582, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:01:58.999Z", + "time": 1533, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 1533 + } + } + ], + "pages": [], + 
"version": "1.2"
+ }
+}
diff --git a/src/steps/organization/converter.ts b/src/steps/organization/converter.ts
new file mode 100644
index 0000000..879c7fa
--- /dev/null
+++ b/src/steps/organization/converter.ts
@@ -0,0 +1,26 @@
+import {
+ createIntegrationEntity,
+ Entity,
+ parseTimePropertyValue,
+} from '@jupiterone/integration-sdk-core';
+import { HackerOneOrganization } from '../../types';
+import { Entities } from '../constants';
+
+export function createOrganizationEntity(data: HackerOneOrganization): Entity {
+ return createIntegrationEntity({
+ entityData: {
+ source: {},
+ assign: {
+ _key: `hackerone_organization:${data.id}`,
+ _type: Entities.ORGANIZATION._type,
+ _class: Entities.ORGANIZATION._class,
+ id: data.id,
+ type: data.type,
+ name: data.attributes.handle,
+ handle: data.attributes.handle,
+ createdOn: parseTimePropertyValue(data.attributes.created_at),
+ updatedOn: parseTimePropertyValue(data.attributes.updated_at),
+ },
+ },
+ });
+}
diff --git a/src/steps/organization/index.test.ts b/src/steps/organization/index.test.ts
new file mode 100644
index 0000000..d72090d
--- /dev/null
+++ b/src/steps/organization/index.test.ts
@@ -0,0 +1,21 @@
+import { executeStepWithDependencies } from '@jupiterone/integration-sdk-testing';
+import { buildStepTestConfigForStep } from '../../../test/config';
+import { Recording, setupProjectRecording } from '../../../test/recording';
+import { Steps } from '../constants';
+
+// See test/README.md for details
+let recording: Recording;
+afterEach(async () => {
+ await recording.stop();
+});
+
+test('fetch-organization', async () => {
+ recording = setupProjectRecording({
+ directory: __dirname,
+ name: 'fetch-organization',
+ });
+
+ const stepConfig = buildStepTestConfigForStep(Steps.ORGANIZATION);
+ const stepResult = await executeStepWithDependencies(stepConfig);
+ expect(stepResult).toMatchStepMetadata(stepConfig);
+});
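Review bot: `source: {}` in `createOrganizationEntity` discards the raw API payload, whereas `createProgramAsset` in this same change passes `source: data`; any later step that calls `getRawData` on an organization entity will presumably get nothing useful, and the stored raw data for the entity will be an empty object. Unless that is deliberate, I would use `source: data` for consistency, or put `// raw payload intentionally not stored` above the line so the next reader does not treat it as an oversight. The `_key` template `` `hackerone_organization:${data.id}` `` is also inlined here while the program-asset converter exports `getProgramAssetKey(id)`; a matching exported `getOrganizationKey(id)` would let other steps look the entity up without duplicating the prefix.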
diff --git a/src/steps/organization/index.ts b/src/steps/organization/index.ts
new file mode 100644
index 0000000..308e21f
--- /dev/null
+++ b/src/steps/organization/index.ts
@@ -0,0 +1,50 @@
+import {
+ createDirectRelationship,
+ Entity,
+ IntegrationStep,
+ IntegrationStepExecutionContext,
+ RelationshipClass,
+} from '@jupiterone/integration-sdk-core';
+
+import { createAPIClient } from '../../client';
+import { IntegrationConfig } from '../../config';
+import {
+ ACCOUNT_ENTITY_KEY,
+ Entities,
+ Relationships,
+ Steps,
+} from '../constants';
+import { createOrganizationEntity } from './converter';
+
+export async function fetchOrganization({
+ instance,
+ jobState,
+}: IntegrationStepExecutionContext) {
+ const apiClient = createAPIClient(instance.config);
+ const accountEntity = (await jobState.getData(ACCOUNT_ENTITY_KEY)) as Entity;
+
+ await apiClient.fetchOrganization(async (organization) => {
+ const organizationEntity = await jobState.addEntity(
+ createOrganizationEntity(organization),
+ );
+
+ await jobState.addRelationship(
+ createDirectRelationship({
+ _class: RelationshipClass.HAS,
+ from: accountEntity,
+ to: organizationEntity,
+ }),
+ );
+ });
+}
+
+export const organizationSteps: IntegrationStep[] = [
+ {
+ id: Steps.ORGANIZATION,
+ name: 'Fetch Organization',
+ entities: [Entities.ORGANIZATION],
+ relationships: [Relationships.ACCOUNT_HAS_ORGANIZATION],
+ dependsOn: [Steps.ACCOUNT],
+ executionHandler: fetchOrganization,
+ },
+];
diff --git a/src/steps/program-asset/__recordings__/fetch-program-assets_2726047112/recording.har b/src/steps/program-asset/__recordings__/fetch-program-assets_2726047112/recording.har
new file mode 100644
index 0000000..6198b0f
--- /dev/null
+++ b/src/steps/program-asset/__recordings__/fetch-program-assets_2726047112/recording.har
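Review bot: `(await jobState.getData(ACCOUNT_ENTITY_KEY)) as Entity` in `fetchOrganization` asserts that the account entity is present; if the account step stored nothing, or the key drifts, `accountEntity` is `undefined` and the failure will most likely surface later inside `createDirectRelationship` with a message that does not name the cause. A guard right after the lookup makes the dependency explicit: `if (!accountEntity) { throw new Error(\`missing ${ACCOUNT_ENTITY_KEY} in job state\`); }`. `IntegrationConfig` is imported but never used in the hunk, which reads as though `IntegrationStepExecutionContext<IntegrationConfig>` was intended; without the type argument `instance.config` is not checked against the integration's own config shape before it reaches `createAPIClient`. The same two remarks apply to `fetchProgramAssets` in src/steps/program-asset/index.ts further down.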
@@ -0,0 +1,457 @@ +{ + "log": { + "_recordingName": "fetch-program-assets", + "creator": { + "comment": "persister:JupiterOneIntegationFSPersister", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "2fd9190ee6ee5d6441d452419593ba03", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "authorization", + "value": "[REDACTED]" + }, + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "user-agent", + "value": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" + }, + { + "_fromType": "array", + "name": "accept-encoding", + "value": "gzip,deflate" + }, + { + "_fromType": "array", + "name": "connection", + "value": "close" + }, + { + "name": "host", + "value": "api.hackerone.com" + } + ], + "headersSize": 362, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "page", + "value": { + "number": "1", + "size": "50" + } + } + ], + "url": "https://api.hackerone.com/v1/me/organizations?page%5Bnumber%5D=1&page%5Bsize%5D=50" + }, + "response": { + "bodySize": 212, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 212, + "text": "{\"data\":[{\"id\":\"53696\",\"type\":\"organization\",\"attributes\":{\"handle\":\"jupiterone_demo_demo\",\"created_at\":\"2022-12-06T06:48:20.843Z\",\"updated_at\":\"2022-12-06T06:48:20.843Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:00 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "connection", + "value": "close" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "68c654e7-0ce6-45dc-9181-6141fdeb07e8" + }, + { + "name": "etag", + "value": "W/\"903da775d605439f0ae0f263be789661\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + 
}, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0f46e150972-HKG" + } + ], + "headersSize": 1582, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:01:58.986Z", + "time": 874, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 874 + } + }, + { + "_id": 
"a22ea652b31729e5daea0e965ed6d97c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "name": "host", + "value": "api.hackerone.com" + }, + { + "name": "authorization", + "value": "[REDACTED]" + } + ], + "headersSize": 189, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [], + "url": "https://api.hackerone.com/v1/me/programs" + }, + "response": { + "bodySize": 8566, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 8566, + "text": "{\"data\":[{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"policy\":\"# What we are looking for\\r\\nWe want to proactively discover and remediate security vulnerabilities on our digital assets\\r\\n\\r\\nThe vulnerabilities identified in the HackerOne reports will be classified by the degree of risk as well as the impact they present to the host system, this includes the amount and type of data exposed, privilege level obtained, the proportion of systems or users affected.\\r\\n\\r\\n# What is a Bug Bounty Program?\\r\\nJupiterOne demo’s Bug Bounty Program (BBP) is an initiative driven and managed by the JupiterOne demo Information Security team. \\r\\n\\r\\n* Security researchers are encouraged to report any behavior impacting the information security posture of JupiterOne demo’ products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\\r\\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\\r\\n *Reference HackerOne guidance on writing quality reports:\\r\\n * https://docs.hackerone.com/hackers/quality-reports.html \\r\\n * https://www.hacker101.com/sessions/good_reports\\r\\n\\r\\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\\r\\n* We will work with the affected teams to validate the report.\\r\\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\\r\\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\\r\\n\\r\\n\\r\\n# Response Targets\\r\\nWe will make a best effort to meet the following response targets for hackers participating in our program:\\r\\n\\r\\n* Time to first response (from report submit) - 1 business days\\r\\n* Time to triage (from report submit) - 2 business days \\r\\n* Time to bounty (from triage) - 10 business days\\r\\n\\r\\nWe’ll try to keep you informed about our progress throughout the process.\\r\\n\\r\\n# Program Rules\\r\\n* Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), and FileUpload vulnerabilities are listed below.\\r\\n* Do not try to exploit service providers we use, prohibited actions include, but are not limited to bruteforcing login credentials of Domain Registrars, DNS Hosting Companies, Email Providers and/or others. The Firm does not authorize you to perform any actions to any property/system/service/data not listed below.\\r\\n* If you encounter Personally Identifiable Information (PII) contact us immediately. 
Do not proceed with access and immediately purge any local information, if applicable.\\r\\n* Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.\\r\\n\\r\\n* Submit one vulnerability per- report, unless you need to chain vulnerabilities to provide impact.\\r\\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\\r\\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\\r\\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\\r\\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\\r\\n\\r\\n# Disclosure Policy\\r\\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\\r\\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\\r\\n\\r\\n\\r\\n# How To Create Accounts\\r\\n* Go to our Website\\r\\n* Register \\r\\n* use @hackerone.com email address\\r\\n* Only use accounts you're authorised to access\\r\\n\\r\\n# Rewards\\r\\nOur rewards are based on severity per the Common Vulnerability Scoring Standard (CVSS). Please note these are general guidelines, and that reward decisions are up to the discretion of JupiterOne demo.\\r\\n\\r\\n#Out of scope vulnerabilities\\r\\n\\r\\n\\r\\n***Note: 0-day vulnerabilities may be reported 30 days after initial publication. 
We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.***\\r\\n\\r\\nThe following issues are considered out of scope:\\r\\n \\r\\n When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\\r\\n\\r\\n* Disruption of our service (DoS, DDoS).\\r\\n* PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers\\r\\n* Reports from automated tools or scans\\r\\n* Social engineering of employees or contractors\\r\\n* For the time being we are making all vulnerabilities in Flash files out of scope\\r\\n* Reports affecting outdated browsers\\r\\n* Known vulnerabilities on deprecated assets not currently covered by CloudFlare.\\r\\n* Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)\\r\\n* Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these\\r\\n* Use of a known-vulnerable libraries or frameworks - for example an outdated JQuery or AngularJS (without clear and working exploit)\\r\\n* Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)\\r\\n* Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user\\r\\n* Lack of HTTPS\\r\\n* Reports about insecure SSL / TLS configuration\\r\\n* Password complexityrequirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address is easy to guess\\r\\n* Presence/Lack of autocomplete attribute on web forms/password managers\\r\\n* Server Banner 
Disclosure/Technology used Disclosure\\r\\n* Full Path Disclosure\\r\\n* IP Address Disclosure\\r\\n* CSRF on logout or insignificant functionalities\\r\\n* Publicly accessible login panels\\r\\n* Clickjacking\\r\\n* CSS Injection attacks (Unless it gives you ability to read anti-CSRF tokens or other sensitive information)\\r\\n* Tabnabbing\\r\\n* Host Header Injection (Unless it givesyou access to interim proxies)\\r\\n* Cache Poisoning\\r\\n* Reflective File Download\\r\\n* Cookie scoped to parent domain or anything related to the path misconfiguration and improperly scoped\\r\\n* Private IP/Hostname disclosures or real IP disclosures for services using CDN\\r\\n* Open ports which do not lead directly to a vulnerability\\r\\n* Weak Certificate Hash Algorithm\\r\\n* Any physical/wireless attempt against our property or data centers\\r\\n\\r\\n# Safe Harbor \\r\\nThis policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any of its legal obligations, including but not limited to:\\r\\n\\r\\n* The General Data Protection Regulation 2016/679 (GDPR) andthe Data Protection Act 2018\\r\\n\\r\\nWe affirm that we will not seek prosecution of any security researcher who reports any security vulnerability on a service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.\\r\\n\\r\\nJupiterOne demo cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\\r\\n\\r\\nThank you for helping keep us and our users safe!\\r\\n\\n\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:00 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "transfer-encoding", + "value": "chunked" + }, + { + "name": "connection", + "value": "keep-alive" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "633732bf-f4df-4d94-9b67-447d0547d8ac" + }, + { + "name": "etag", + "value": "W/\"e1a9449c7a1cda0302693d05b6c317e6\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com 
hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0f979490484-HKG" + } + ], + "headersSize": 1563, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:01:59.879Z", + "time": 858, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 858 + } + }, + { + "_id": "708ab38f737a8f1a3c1bac76c1a4100d", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "authorization", + "value": "[REDACTED]" + }, + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "user-agent", + "value": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" + }, + { + "_fromType": "array", + "name": "accept-encoding", + "value": "gzip,deflate" + }, + { + "_fromType": "array", + "name": "connection", + "value": "close" + }, + { + "name": "host", + "value": "api.hackerone.com" + } + ], + "headersSize": 378, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "page", + "value": { + "number": "1", + "size": "50" + } + } + ], + "url": "https://api.hackerone.com/v1/programs/60700/structured_scopes?page%5Bnumber%5D=1&page%5Bsize%5D=50" + }, + "response": { + "bodySize": 1072, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 1072, + "text": 
"{\"data\":[{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}},{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}},{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}},{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play 
Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}},{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}},{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}},{\"id\":\"274636\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"blog.jupiterone.com\",\"eligible_for_bounty\":false,\"eligible_for_submission\":false,\"instruction\":null,\"max_severity\":\"none\",\"created_at\":\"2022-12-06T06:48:25.623Z\",\"updated_at\":\"2022-12-06T06:48:25.623Z\",\"reference\":null}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:01 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "connection", + "value": "close" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "9a5b8f0f-cc69-4c30-b3fa-2f8574b2cb05" + }, + { + "name": "etag", + "value": "W/\"a8da2cf553bc7ce6cfd7111bcd24f6a8\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net 
*.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0fcfd820484-HKG" + } + ], + "headersSize": 1582, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:02:00.754Z", + "time": 585, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 585 + } + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/src/steps/program-asset/converter.ts b/src/steps/program-asset/converter.ts new file mode 100644 index 0000000..5e773f2 --- /dev/null +++ b/src/steps/program-asset/converter.ts 
@@ -0,0 +1,36 @@
+import {
+ createIntegrationEntity,
+ Entity,
+ parseTimePropertyValue,
+} from '@jupiterone/integration-sdk-core';
+import { HackerOneStructuredScope } from '../../types';
+import { Entities } from '../constants';
+
+export function getProgramAssetKey(id: string) {
+ return `hackerone_asset:${id}`;
+}
+
+export function createProgramAsset(data: HackerOneStructuredScope): Entity {
+ return createIntegrationEntity({
+ entityData: {
+ source: data,
+ assign: {
+ _key: getProgramAssetKey(data.id),
+ _type: Entities.PROGRAM_ASSET._type,
+ _class: Entities.PROGRAM_ASSET._class,
+ id: data.id,
+ type: data.type,
+ name: data.attributes.asset_identifier,
+ assetType: data.attributes.asset_type,
+ assetIdentifier: data.attributes.asset_identifier,
+ eligibleForBounty: data.attributes.eligible_for_bounty,
+ eligibleForSubmission: data.attributes.eligible_for_submission,
+ instruction: data.attributes.instruction,
+ maxSeverity: data.attributes.max_severity,
+ createdOn: parseTimePropertyValue(data.attributes.created_at),
+ updatedOn: parseTimePropertyValue(data.attributes.updated_at),
+ references: data.attributes.reference,
+ },
+ },
+ });
+}
diff --git a/src/steps/program-asset/index.test.ts b/src/steps/program-asset/index.test.ts
new file mode 100644
index 0000000..5b7e2e9
--- /dev/null
+++ b/src/steps/program-asset/index.test.ts
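Review bot: `references: data.attributes.reference` in `createProgramAsset` maps a single `reference` value onto a plural-named property; consumers reading `references` will presumably expect a list, so either wrap it, `references: data.attributes.reference ? [data.attributes.reference] : undefined`, or name the property `reference` to match the source field. The prefix returned by `getProgramAssetKey` is `hackerone_asset:` while the entity `_type` is `hackerone_program_asset` and the organization converter in this change keys on its `_type`; `hackerone_program_asset:` would keep keys self-describing and consistent. The recorded structured-scope payload also carries `confidentiality_requirement`, `integrity_requirement` and `availability_requirement` on some assets; they are not mapped here, and since they describe the asset's risk profile they are worth surfacing as properties rather than leaving them only in the raw data kept by `source: data`.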
@@ -0,0 +1,21 @@
+import { executeStepWithDependencies } from '@jupiterone/integration-sdk-testing';
+import { buildStepTestConfigForStep } from '../../../test/config';
+import { Recording, setupProjectRecording } from '../../../test/recording';
+import { Steps } from '../constants';
+
+// See test/README.md for details
+let recording: Recording;
+afterEach(async () => {
+ await recording.stop();
+});
+
+test('fetch-program-assets', async () => {
+ recording = setupProjectRecording({
+ directory: __dirname,
+ name: 'fetch-program-assets',
+ });
+
+ const stepConfig = buildStepTestConfigForStep(Steps.PROGRAM_ASSETS);
+ const stepResult = await executeStepWithDependencies(stepConfig);
+ expect(stepResult).toMatchStepMetadata(stepConfig);
+});
diff --git a/src/steps/program-asset/index.ts b/src/steps/program-asset/index.ts
new file mode 100644
index 0000000..b5c60c8
--- /dev/null
+++ b/src/steps/program-asset/index.ts
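Review bot: `afterEach` calls `recording.stop()` unconditionally, so if `setupProjectRecording` throws before `recording` is assigned the hook fails with a TypeError on an undefined variable and masks the original failure. Declaring `let recording: Recording | undefined;` and tearing down with `await recording?.stop();` keeps the cleanup safe; the sibling program test presumably follows the same pattern, so aligning both would be consistent.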
@@ -0,0 +1,78 @@
+import {
+ createDirectRelationship,
+ Entity,
+ getRawData,
+ IntegrationStep,
+ IntegrationStepExecutionContext,
+ RelationshipClass,
+} from '@jupiterone/integration-sdk-core';
+
+import { createAPIClient } from '../../client';
+import { IntegrationConfig } from '../../config';
+import { HackerOneProgram } from '../../types';
+import {
+ ACCOUNT_ENTITY_KEY,
+ Entities,
+ Relationships,
+ Steps,
+} from '../constants';
+import { createProgramAsset } from './converter';
+
+export async function fetchProgramAssets({
+ instance,
+ jobState,
+ logger,
+}: IntegrationStepExecutionContext) {
+ const apiClient = createAPIClient(instance.config);
+ const accountEntity = (await jobState.getData(ACCOUNT_ENTITY_KEY)) as Entity;
+
+ await jobState.iterateEntities(
+ { _type: Entities.PROGRAM._type },
+ async (programEntity) => {
+ const program = getRawData(programEntity);
+
+ if (!program) {
+ logger.warn(
+ `Can not get raw data for program entity ${programEntity._key}`,
+ );
+ return;
+ }
+
+ await apiClient.iterateProgramAsset(
+ program.id,
+ async (structuredScope) => {
+ const assetEntity = await jobState.addEntity(
+ createProgramAsset(structuredScope),
+ );
+
+ await jobState.addRelationships([
+ createDirectRelationship({
+ _class: RelationshipClass.SCANS,
+ from: programEntity,
+ to: assetEntity,
+ }),
+ createDirectRelationship({
+ _class: RelationshipClass.HAS,
+ from: accountEntity,
+ to: assetEntity,
+ }),
+ ]);
+ },
+ );
+ },
+ );
+}
+
+export const programAssetSteps: IntegrationStep[] = [
+ {
+ id: Steps.PROGRAM_ASSETS,
+ name: 'Fetch Program Assets',
+ entities: [Entities.PROGRAM_ASSET],
+ relationships: [
+ Relationships.PROGRAM_SCANS_PROGRAM_ASSET,
+ Relationships.ACCOUNT_HAS_PROGRAM_ASSET,
+ ],
+ dependsOn: [Steps.PROGRAMS],
+ executionHandler: fetchProgramAssets,
+ },
+];
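Review bot: `(await jobState.getData(ACCOUNT_ENTITY_KEY)) as Entity` asserts that the account entity exists; if the account step did not store it, `accountEntity` is undefined and the failure only surfaces later inside `createDirectRelationship` with a less useful message. Prefer a guard that fails fast: `const accountEntity = (await jobState.getData(ACCOUNT_ENTITY_KEY)) as Entity | undefined;` followed by `if (!accountEntity) throw new Error('Account entity not found in job state');`. The same assertion appears in `fetchPrograms` in src/steps/program/index.ts in this commit. A short TSDoc on `fetchProgramAssets` saying that it walks every program entity, calls the structured-scopes endpoint once per program, and emits the SCANS and HAS relationships declared on the step would also help the next maintainer.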
diff --git a/src/steps/program/__recordings__/fetch-program_4078576282/recording.har b/src/steps/program/__recordings__/fetch-program_4078576282/recording.har
new file mode 100644
index 0000000..fe0218c
--- /dev/null
+++ b/src/steps/program/__recordings__/fetch-program_4078576282/recording.har
@@ -0,0 +1,301 @@ +{ + "log": { + "_recordingName": "fetch-program", + "creator": { + "comment": "persister:JupiterOneIntegationFSPersister", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "2fd9190ee6ee5d6441d452419593ba03", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "authorization", + "value": "[REDACTED]" + }, + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "user-agent", + "value": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" + }, + { + "_fromType": "array", + "name": "accept-encoding", + "value": "gzip,deflate" + }, + { + "_fromType": "array", + "name": "connection", + "value": "close" + }, + { + "name": "host", + "value": "api.hackerone.com" + } + ], + "headersSize": 362, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "page", + "value": { + "number": "1", + "size": "50" + } + } + ], + "url": "https://api.hackerone.com/v1/me/organizations?page%5Bnumber%5D=1&page%5Bsize%5D=50" + }, + "response": { + "bodySize": 212, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 212, + "text": "{\"data\":[{\"id\":\"53696\",\"type\":\"organization\",\"attributes\":{\"handle\":\"jupiterone_demo_demo\",\"created_at\":\"2022-12-06T06:48:20.843Z\",\"updated_at\":\"2022-12-06T06:48:20.843Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:00 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "connection", + "value": "close" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "59513ef1-c8a8-4d05-bec6-1b9b9a88130d" + }, + { + "name": "etag", + "value": "W/\"903da775d605439f0ae0f263be789661\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + 
"name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0f4b8bf045a-HKG" + } + ], + "headersSize": 1582, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:01:59.046Z", + "time": 890, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 890 + } + }, + { + "_id": 
"a22ea652b31729e5daea0e965ed6d97c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "name": "host", + "value": "api.hackerone.com" + }, + { + "name": "authorization", + "value": "[REDACTED]" + } + ], + "headersSize": 189, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [], + "url": "https://api.hackerone.com/v1/me/programs" + }, + "response": { + "bodySize": 8566, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 8566, + "text": "{\"data\":[{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"policy\":\"# What we are looking for\\r\\nWe want to proactively discover and remediate security vulnerabilities on our digital assets\\r\\n\\r\\nThe vulnerabilities identified in the HackerOne reports will be classified by the degree of risk as well as the impact they present to the host system, this includes the amount and type of data exposed, privilege level obtained, the proportion of systems or users affected.\\r\\n\\r\\n# What is a Bug Bounty Program?\\r\\nJupiterOne demo’s Bug Bounty Program (BBP) is an initiative driven and managed by the JupiterOne demo Information Security team. \\r\\n\\r\\n* Security researchers are encouraged to report any behavior impacting the information security posture of JupiterOne demo’ products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\\r\\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\\r\\n *Reference HackerOne guidance on writing quality reports:\\r\\n * https://docs.hackerone.com/hackers/quality-reports.html \\r\\n * https://www.hacker101.com/sessions/good_reports\\r\\n\\r\\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\\r\\n* We will work with the affected teams to validate the report.\\r\\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\\r\\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\\r\\n\\r\\n\\r\\n# Response Targets\\r\\nWe will make a best effort to meet the following response targets for hackers participating in our program:\\r\\n\\r\\n* Time to first response (from report submit) - 1 business days\\r\\n* Time to triage (from report submit) - 2 business days \\r\\n* Time to bounty (from triage) - 10 business days\\r\\n\\r\\nWe’ll try to keep you informed about our progress throughout the process.\\r\\n\\r\\n# Program Rules\\r\\n* Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), and FileUpload vulnerabilities are listed below.\\r\\n* Do not try to exploit service providers we use, prohibited actions include, but are not limited to bruteforcing login credentials of Domain Registrars, DNS Hosting Companies, Email Providers and/or others. The Firm does not authorize you to perform any actions to any property/system/service/data not listed below.\\r\\n* If you encounter Personally Identifiable Information (PII) contact us immediately. 
Do not proceed with access and immediately purge any local information, if applicable.\\r\\n* Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.\\r\\n\\r\\n* Submit one vulnerability per- report, unless you need to chain vulnerabilities to provide impact.\\r\\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\\r\\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\\r\\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\\r\\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\\r\\n\\r\\n# Disclosure Policy\\r\\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\\r\\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\\r\\n\\r\\n\\r\\n# How To Create Accounts\\r\\n* Go to our Website\\r\\n* Register \\r\\n* use @hackerone.com email address\\r\\n* Only use accounts you're authorised to access\\r\\n\\r\\n# Rewards\\r\\nOur rewards are based on severity per the Common Vulnerability Scoring Standard (CVSS). Please note these are general guidelines, and that reward decisions are up to the discretion of JupiterOne demo.\\r\\n\\r\\n#Out of scope vulnerabilities\\r\\n\\r\\n\\r\\n***Note: 0-day vulnerabilities may be reported 30 days after initial publication. 
We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.***\\r\\n\\r\\nThe following issues are considered out of scope:\\r\\n \\r\\n When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\\r\\n\\r\\n* Disruption of our service (DoS, DDoS).\\r\\n* PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers\\r\\n* Reports from automated tools or scans\\r\\n* Social engineering of employees or contractors\\r\\n* For the time being we are making all vulnerabilities in Flash files out of scope\\r\\n* Reports affecting outdated browsers\\r\\n* Known vulnerabilities on deprecated assets not currently covered by CloudFlare.\\r\\n* Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)\\r\\n* Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these\\r\\n* Use of a known-vulnerable libraries or frameworks - for example an outdated JQuery or AngularJS (without clear and working exploit)\\r\\n* Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)\\r\\n* Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user\\r\\n* Lack of HTTPS\\r\\n* Reports about insecure SSL / TLS configuration\\r\\n* Password complexityrequirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address is easy to guess\\r\\n* Presence/Lack of autocomplete attribute on web forms/password managers\\r\\n* Server Banner 
Disclosure/Technology used Disclosure\\r\\n* Full Path Disclosure\\r\\n* IP Address Disclosure\\r\\n* CSRF on logout or insignificant functionalities\\r\\n* Publicly accessible login panels\\r\\n* Clickjacking\\r\\n* CSS Injection attacks (Unless it gives you ability to read anti-CSRF tokens or other sensitive information)\\r\\n* Tabnabbing\\r\\n* Host Header Injection (Unless it givesyou access to interim proxies)\\r\\n* Cache Poisoning\\r\\n* Reflective File Download\\r\\n* Cookie scoped to parent domain or anything related to the path misconfiguration and improperly scoped\\r\\n* Private IP/Hostname disclosures or real IP disclosures for services using CDN\\r\\n* Open ports which do not lead directly to a vulnerability\\r\\n* Weak Certificate Hash Algorithm\\r\\n* Any physical/wireless attempt against our property or data centers\\r\\n\\r\\n# Safe Harbor \\r\\nThis policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any of its legal obligations, including but not limited to:\\r\\n\\r\\n* The General Data Protection Regulation 2016/679 (GDPR) andthe Data Protection Act 2018\\r\\n\\r\\nWe affirm that we will not seek prosecution of any security researcher who reports any security vulnerability on a service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.\\r\\n\\r\\nJupiterOne demo cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\\r\\n\\r\\nThank you for helping keep us and our users safe!\\r\\n\\n\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:00 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "transfer-encoding", + "value": "chunked" + }, + { + "name": "connection", + "value": "keep-alive" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "127047c8-edc1-4f50-bedb-d573d95ee09d" + }, + { + "name": "etag", + "value": "W/\"e1a9449c7a1cda0302693d05b6c317e6\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com 
hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0f9fb6504f5-HKG" + } + ], + "headersSize": 1563, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:01:59.949Z", + "time": 783, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 783 + } + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/src/steps/program/converter.ts b/src/steps/program/converter.ts index 9754de7..360a890 100644 --- a/src/steps/program/converter.ts +++ b/src/steps/program/converter.ts @@ -1,17 +1,21 @@ import { createIntegrationEntity, Entity, + parseTimePropertyValue, } from '@jupiterone/integration-sdk-core'; +import { HackerOneProgram } from '../../types'; import { Entities } from '../constants'; -export function createProgramEntity(programHandle: string): Entity { +export function createProgramEntity(data: HackerOneProgram): Entity { + const programHandle = data.attributes.handle; return createIntegrationEntity({ entityData: { - source: {}, + source: data, assign: { _key: `hackerone:${programHandle}`, _type: Entities.PROGRAM._type, _class: Entities.PROGRAM._class, + id: data.id, name: `HackerOne Bounty Program for ${programHandle}`, displayName: `HackerOne Bounty Program for ${programHandle}`, summary: `HackerOne Bounty Program for ${programHandle}`, 
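Review bot: `createProgramEntity` now receives the full API record, yet `_key` is still derived from the handle (`hackerone:${programHandle}`) while `id: data.id` is only stored as a property, whereas the sibling `getProgramAssetKey` keys assets on the API id. If a program handle can change, the handle-based key yields a fresh entity and orphans its existing relationships, so document which identifier is treated as stable; if the key is deliberately kept for compatibility with graphs built by earlier releases, say so with a comment such as `// _key stays handle-based so existing graphs keep their program entities`. Note also that `source: data` now retains the entire program record, including the policy markdown, as raw data.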
@@ -19,6 +23,9 @@ export function createProgramEntity(programHandle: string): Entity {
 function: ['other'],
 handle: programHandle,
 internal: false,
+ policy: data.attributes.policy,
+ createdOn: parseTimePropertyValue(data.attributes.created_at),
+ updatedOn: parseTimePropertyValue(data.attributes.updated_at),
 },
 },
 });
diff --git a/src/steps/program/index.test.ts b/src/steps/program/index.test.ts
index e0e7197..68f35c2 100644
--- a/src/steps/program/index.test.ts
+++ b/src/steps/program/index.test.ts
@@ -15,7 +15,7 @@ test('fetch-program', async () => {
 name: 'fetch-program',
 });
 
- const stepConfig = buildStepTestConfigForStep(Steps.PROGRAM);
+ const stepConfig = buildStepTestConfigForStep(Steps.PROGRAMS);
 const stepResult = await executeStepWithDependencies(stepConfig);
 expect(stepResult).toMatchStepMetadata(stepConfig);
 });
diff --git a/src/steps/program/index.ts b/src/steps/program/index.ts
index 0c51507..58d07ce 100644
--- a/src/steps/program/index.ts
+++ b/src/steps/program/index.ts
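Review bot: `policy: data.attributes.policy` promotes the whole program policy markdown to an entity property; the recorded `/v1/me/programs` response in this commit is about 8.5 KB for a single program, nearly all of it policy text, and such free text adds little as a queryable property when the full record is already kept as raw data through `source: data`. Consider dropping the property, or keeping a bounded excerpt such as `policy: data.attributes.policy?.slice(0, 1000),` (adjusted to the field's declared type) if a preview is wanted; whether the graph enforces a per-property size limit is not visible here, so check that against the SDK before deciding. `createProgramEntity` starts outside this hunk.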
@@ -1,32 +1,63 @@
 import {
+ createDirectRelationship,
+ Entity,
 IntegrationStep,
 IntegrationStepExecutionContext,
+ RelationshipClass,
 } from '@jupiterone/integration-sdk-core';
 
+import { createAPIClient } from '../../client';
 import { IntegrationConfig } from '../../config';
-import { Entities, Steps } from '../constants';
+import {
+ ACCOUNT_ENTITY_KEY,
+ Entities,
+ Relationships,
+ Steps,
+} from '../constants';
 import { createProgramEntity } from './converter';
 
-export const PROGRAM_ENTITY_KEY = 'entity:program';
-
-export async function buildProgram({
+export async function fetchPrograms({
 instance,
 jobState,
 }: IntegrationStepExecutionContext) {
- const accountEntity = await jobState.addEntity(
- createProgramEntity(instance.config.hackeroneProgramHandle),
- );
+ const apiClient = createAPIClient(instance.config);
+ const accountEntity = (await jobState.getData(ACCOUNT_ENTITY_KEY)) as Entity;
 
- await jobState.setData(PROGRAM_ENTITY_KEY, accountEntity);
+ await jobState.iterateEntities(
+ { _type: Entities.ORGANIZATION._type },
+ async (organizationEntity) => {
+ await apiClient.iteratePrograms(async (program) => {
+ const programEntity = await jobState.addEntity(
+ createProgramEntity(program),
+ );
+
+ await jobState.addRelationships([
+ createDirectRelationship({
+ _class: RelationshipClass.HAS,
+ from: organizationEntity,
+ to: programEntity,
+ }),
+ createDirectRelationship({
+ _class: RelationshipClass.HAS,
+ from: accountEntity,
+ to: programEntity,
+ }),
+ ]);
+ });
+ },
+ );
 }
 
 export const programSteps: IntegrationStep[] = [
 {
- id: Steps.PROGRAM,
- name: 'Build Program',
+ id: Steps.PROGRAMS,
+ name: 'Build Programs',
 entities: [Entities.PROGRAM],
- relationships: [],
- dependsOn: [],
- executionHandler: buildProgram,
+ relationships: [
+ Relationships.ORGANIZATION_HAS_PROGRAM,
+ Relationships.ACCOUNT_HAS_PROGRAM,
+ ],
+ dependsOn: [Steps.ORGANIZATION],
+ executionHandler: fetchPrograms,
 },
 ];
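Review bot: `apiClient.iteratePrograms` is called once per organization entity but takes no organization argument, and the recording for this step requests `GET /v1/me/programs` with no organization filter, so with more than one organization every program is fetched again and `jobState.addEntity` is called a second time for the same `_key`, which the SDK rejects as a duplicate key as far as I recall; each program also ends up with a HAS relationship from every organization rather than its own. Either fetch the programs once outside `iterateEntities` and relate each to an organization only through a mapping the API actually provides, or at minimum look the program key up with `jobState.findEntity` before adding and skip the entity when it already exists. The `as Entity` assertion on `getData` is covered in the note on the program-asset step. The step is also named 'Build Programs' while the handler is `fetchPrograms`; 'Fetch Programs' would match the sibling 'Fetch Program Assets'.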
diff --git a/src/steps/report/__recordings__/fetch-report_149750992/recording.har b/src/steps/report/__recordings__/build-program-assets-reports-relationships_1633966692/recording.har
similarity index 73%
rename from src/steps/report/__recordings__/fetch-report_149750992/recording.har
rename to src/steps/report/__recordings__/build-program-assets-reports-relationships_1633966692/recording.har
index 8973e2d..23a6289 100644
--- a/src/steps/report/__recordings__/fetch-report_149750992/recording.har
+++ b/src/steps/report/__recordings__/build-program-assets-reports-relationships_1633966692/recording.har
@@ -1,12 +1,455 @@ { "log": { - "_recordingName": "fetch-report", + "_recordingName": "build-program-assets-reports-relationships", "creator": { "comment": "persister:JupiterOneIntegationFSPersister", "name": "Polly.JS", "version": "6.0.5" }, "entries": [ + { + "_id": "2fd9190ee6ee5d6441d452419593ba03", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "authorization", + "value": "[REDACTED]" + }, + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "user-agent", + "value": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" + }, + { + "_fromType": "array", + "name": "accept-encoding", + "value": "gzip,deflate" + }, + { + "_fromType": "array", + "name": "connection", + "value": "close" + }, + { + "name": "host", + "value": "api.hackerone.com" + } + ], + "headersSize": 362, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "page", + "value": { + "number": "1", + "size": "50" + } + } + ], + "url": "https://api.hackerone.com/v1/me/organizations?page%5Bnumber%5D=1&page%5Bsize%5D=50" + }, + "response": { + "bodySize": 212, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 212, + "text": "{\"data\":[{\"id\":\"53696\",\"type\":\"organization\",\"attributes\":{\"handle\":\"jupiterone_demo_demo\",\"created_at\":\"2022-12-06T06:48:20.843Z\",\"updated_at\":\"2022-12-06T06:48:20.843Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:12 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "connection", + "value": "close" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "660bec2e-4c2e-47ae-acaf-2cdafb32ce66" + }, + { + "name": "etag", + "value": "W/\"903da775d605439f0ae0f263be789661\"" + }, + { + "name": "cache-control", + 
"value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb1441b5e0448-HKG" + } + ], + "headersSize": 1582, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:02:12.138Z", + "time": 468, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, 
+ "wait": 468 + } + }, + { + "_id": "a22ea652b31729e5daea0e965ed6d97c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "name": "host", + "value": "api.hackerone.com" + }, + { + "name": "authorization", + "value": "[REDACTED]" + } + ], + "headersSize": 189, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [], + "url": "https://api.hackerone.com/v1/me/programs" + }, + "response": { + "bodySize": 8566, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 8566, + "text": "{\"data\":[{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"policy\":\"# What we are looking for\\r\\nWe want to proactively discover and remediate security vulnerabilities on our digital assets\\r\\n\\r\\nThe vulnerabilities identified in the HackerOne reports will be classified by the degree of risk as well as the impact they present to the host system, this includes the amount and type of data exposed, privilege level obtained, the proportion of systems or users affected.\\r\\n\\r\\n# What is a Bug Bounty Program?\\r\\nJupiterOne demo’s Bug Bounty Program (BBP) is an initiative driven and managed by the JupiterOne demo Information Security team. \\r\\n\\r\\n* Security researchers are encouraged to report any behavior impacting the information security posture of JupiterOne demo’ products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\\r\\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\\r\\n *Reference HackerOne guidance on writing quality reports:\\r\\n * https://docs.hackerone.com/hackers/quality-reports.html \\r\\n * https://www.hacker101.com/sessions/good_reports\\r\\n\\r\\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\\r\\n* We will work with the affected teams to validate the report.\\r\\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\\r\\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\\r\\n\\r\\n\\r\\n# Response Targets\\r\\nWe will make a best effort to meet the following response targets for hackers participating in our program:\\r\\n\\r\\n* Time to first response (from report submit) - 1 business days\\r\\n* Time to triage (from report submit) - 2 business days \\r\\n* Time to bounty (from triage) - 10 business days\\r\\n\\r\\nWe’ll try to keep you informed about our progress throughout the process.\\r\\n\\r\\n# Program Rules\\r\\n* Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), and FileUpload vulnerabilities are listed below.\\r\\n* Do not try to exploit service providers we use, prohibited actions include, but are not limited to bruteforcing login credentials of Domain Registrars, DNS Hosting Companies, Email Providers and/or others. The Firm does not authorize you to perform any actions to any property/system/service/data not listed below.\\r\\n* If you encounter Personally Identifiable Information (PII) contact us immediately. 
Do not proceed with access and immediately purge any local information, if applicable.\\r\\n* Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.\\r\\n\\r\\n* Submit one vulnerability per- report, unless you need to chain vulnerabilities to provide impact.\\r\\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\\r\\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\\r\\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\\r\\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\\r\\n\\r\\n# Disclosure Policy\\r\\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\\r\\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\\r\\n\\r\\n\\r\\n# How To Create Accounts\\r\\n* Go to our Website\\r\\n* Register \\r\\n* use @hackerone.com email address\\r\\n* Only use accounts you're authorised to access\\r\\n\\r\\n# Rewards\\r\\nOur rewards are based on severity per the Common Vulnerability Scoring Standard (CVSS). Please note these are general guidelines, and that reward decisions are up to the discretion of JupiterOne demo.\\r\\n\\r\\n#Out of scope vulnerabilities\\r\\n\\r\\n\\r\\n***Note: 0-day vulnerabilities may be reported 30 days after initial publication. 
We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.***\\r\\n\\r\\nThe following issues are considered out of scope:\\r\\n \\r\\n When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\\r\\n\\r\\n* Disruption of our service (DoS, DDoS).\\r\\n* PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers\\r\\n* Reports from automated tools or scans\\r\\n* Social engineering of employees or contractors\\r\\n* For the time being we are making all vulnerabilities in Flash files out of scope\\r\\n* Reports affecting outdated browsers\\r\\n* Known vulnerabilities on deprecated assets not currently covered by CloudFlare.\\r\\n* Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)\\r\\n* Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these\\r\\n* Use of a known-vulnerable libraries or frameworks - for example an outdated JQuery or AngularJS (without clear and working exploit)\\r\\n* Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)\\r\\n* Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user\\r\\n* Lack of HTTPS\\r\\n* Reports about insecure SSL / TLS configuration\\r\\n* Password complexityrequirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address is easy to guess\\r\\n* Presence/Lack of autocomplete attribute on web forms/password managers\\r\\n* Server Banner 
Disclosure/Technology used Disclosure\\r\\n* Full Path Disclosure\\r\\n* IP Address Disclosure\\r\\n* CSRF on logout or insignificant functionalities\\r\\n* Publicly accessible login panels\\r\\n* Clickjacking\\r\\n* CSS Injection attacks (Unless it gives you ability to read anti-CSRF tokens or other sensitive information)\\r\\n* Tabnabbing\\r\\n* Host Header Injection (Unless it givesyou access to interim proxies)\\r\\n* Cache Poisoning\\r\\n* Reflective File Download\\r\\n* Cookie scoped to parent domain or anything related to the path misconfiguration and improperly scoped\\r\\n* Private IP/Hostname disclosures or real IP disclosures for services using CDN\\r\\n* Open ports which do not lead directly to a vulnerability\\r\\n* Weak Certificate Hash Algorithm\\r\\n* Any physical/wireless attempt against our property or data centers\\r\\n\\r\\n# Safe Harbor \\r\\nThis policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any of its legal obligations, including but not limited to:\\r\\n\\r\\n* The General Data Protection Regulation 2016/679 (GDPR) andthe Data Protection Act 2018\\r\\n\\r\\nWe affirm that we will not seek prosecution of any security researcher who reports any security vulnerability on a service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.\\r\\n\\r\\nJupiterOne demo cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\\r\\n\\r\\nThank you for helping keep us and our users safe!\\r\\n\\n\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:13 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "transfer-encoding", + "value": "chunked" + }, + { + "name": "connection", + "value": "keep-alive" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "9dfbbd20-9f5f-41ab-8cf5-b91ab8a5d2c1" + }, + { + "name": "etag", + "value": "W/\"e1a9449c7a1cda0302693d05b6c317e6\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com 
hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb147887210a2-HKG" + } + ], + "headersSize": 1563, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:02:12.614Z", + "time": 461, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 461 + } + }, + { + "_id": "708ab38f737a8f1a3c1bac76c1a4100d", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "authorization", + "value": "[REDACTED]" + }, + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "user-agent", + "value": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" + }, + { + "_fromType": "array", + "name": "accept-encoding", + "value": "gzip,deflate" + }, + { + "_fromType": "array", + "name": "connection", + "value": "close" + }, + { + "name": "host", + "value": "api.hackerone.com" + } + ], + "headersSize": 378, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "page", + "value": { + "number": "1", + "size": "50" + } + } + ], + "url": "https://api.hackerone.com/v1/programs/60700/structured_scopes?page%5Bnumber%5D=1&page%5Bsize%5D=50" + }, + "response": { + "bodySize": 1112, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 1112, + "text": 
"{\"data\":[{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}},{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}},{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}},{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play 
Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}},{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}},{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}},{\"id\":\"274636\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"blog.jupiterone.com\",\"eligible_for_bounty\":false,\"eligible_for_submission\":false,\"instruction\":null,\"max_severity\":\"none\",\"created_at\":\"2022-12-06T06:48:25.623Z\",\"updated_at\":\"2022-12-06T06:48:25.623Z\",\"reference\":null}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:14 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "connection", + "value": "close" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "705dd779-39da-49c6-a548-3a30d6a04451" + }, + { + "name": "etag", + "value": "W/\"a8da2cf553bc7ce6cfd7111bcd24f6a8\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net 
*.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb14a0b6b10a2-HKG" + } + ], + "headersSize": 1582, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:02:13.084Z", + "time": 655, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 655 + } + }, { "_id": "cdb20c629ba520c8f92fdb847b1b594a", "_order": 0, 
@@ -44,13 +487,13 @@ "content": { "mimeType": "application/json; charset=utf-8", "size": 135165, - "text": "{\"data\":[{\"id\":\"1795020\",\"type\":\"report\",\"attributes\":{\"title\":\"Demo report: XSS in JupiterOne demo H1B home page\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T17:18:15.515Z\",\"vulnerability_information\":\"In some ***fantasy world***, the home page of JupiterOne demo H1B is vulnerable to an *imaginary* Cross-Site Scripting attack.\\n\\n1. Visit home page of JupiterOne demo H1B\\n2. Open the browser's javascript console\\n3. Type `alert(/xss!/)` and press enter\\n4. Profit!\\n\\n## Impact\\n\\nIn our fantasy world, exploiting this vulnerability allows us to run an external script on your website that for example steals the cookies of the users that's facing the XSS and thus gaining access to the account of the victim.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T17:18:16.437Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T17:18:16.437Z\",\"last_activity_at\":\"2022-12-09T17:18:16.437Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"assignee\":{\"data\":{\"id\":\"2522558\",\"type\":\"user\",\"attributes\":{\"username\":\"ninetreats00\",\"name\":\"Sam 
Andrus\",\"disabled\":false,\"created_at\":\"2022-12-06T17:18:09.499Z\",\"profile_picture\":{\"62x62\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"82x82\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"110x110\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"260x260\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\"},\"signal\":null,\"impact\":null,\"reputation\":null,\"bio\":null,\"website\":null,\"location\":null,\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"weakness\":{\"data\":{\"id\":\"1450\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Absolute Path Traversal\",\"description\":\"An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as \\\"..\\\" to extend their range of access to inappropriate areas of the file system. 
The goal of the adversary is to access directories and files that are intended to be restricted from their access.\",\"external_id\":\"capec-597\",\"created_at\":\"2022-07-06T18:59:45.367Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794559\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup SQL file lingering on https://ops.jupiterone.com/\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:51:29.205Z\",\"vulnerability_information\":\"The JupiterOne demo Ops website - `ops.jupiterone.com` has a lingering SQL backup file that is\\npublicly accessible and downloadable. The file contains a SQL database backup that contains\\nprivileged user information and secret keys.\\n# Steps to Reproduce\\n- Head over to https://ops.jupiterone.com/tmp/backup.sql\\n- Inspect the raw SQL. E.g. search for `encryption_key` or `password`.\\n# PoC\\nhttps://ops.jupiterone.com/tmp/backup.sql:\\n{F2063870}\\n\\n# Remediation\\nEnsure the file is removed from the server or protected with a proper authentication mechanism\\nthat prevents unprivileged users from accessing this sensitive information.\\n\\n## Impact\\n\\nAny customer of JupiterOne demo that has this system will be\\nimpacted by this vulnerability. 
An attacker could easily gain access to whatever they are\\ntrying to protect by exploiting this vulnerability.\",\"triaged_at\":\"2022-12-06T06:51:29.423Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:29.929Z\",\"first_program_activity_at\":\"2022-12-06T06:51:29.423Z\",\"last_program_activity_at\":\"2022-12-06T06:51:29.423Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:29.929Z\",\"last_activity_at\":\"2022-12-09T06:51:29.929Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\
"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"assignee\":{\"data\":{\"id\":\"4954\",\"type\":\"user\",\"attributes\":{\"username\":\"demo-member\",\"name\":\"Demo Member\",\"disabled\":false,\"created_at\":\"2014-04-14T11:45:00.949Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"signal\":null,\"impact\":null,\"reputation\":null,\"bio\":\"I'm here to help test drive, and am automatically removed at 
launch.\",\"website\":null,\"location\":\"testing\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770233\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:29.279Z\",\"score\":10.0,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"none\",\"user_interaction\":\"none\",\"scope\":\"changed\"}}},\"weakness\":{\"data\":{\"id\":\"18\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Information Disclosure\",\"description\":\"An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.\",\"external_id\":\"cwe-200\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794558\",\"type\":\"report\",\"attributes\":{\"title\":\"Private Data - Mass account takeovers using HTTP Request Smuggling on qa.jupiterone.com to steal session cookies\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T06:51:27.360Z\",\"vulnerability_information\":\"Hi JupiterOne demo Security 
Team!\\nMy name is cosmo and I'm a first time bug hunter to your platform. I decided to take a little of my time and gently perform recon on your platform. Specifically the area of interest I focus in is HTTP Request Smuggling. I developed tooling to actively target some advanced HTTP Smuggling exploits and ran it on your in-scope assets. In my research I stumbled across a finding that I consider extremely critical not only for JupiterOne demo but for all customers and organizations which share their privatedata/channels/conversations on JupiterOne demo.\\n\\n### Steps to Reproduce\\n\\nThe bug chain is as follows:\\n1) HTTP Request Smuggling CTLE to Arbitrary Request Hijacking (Poisoned Socket) on JupiterOne demob.com\\n2) Request Hijack forces victim HTTP requests to instead use GET https://\\u003cURL\\u003e HTTP/1.1 on JupiterOne demob.com\\n3) A request of GET https://\\u003cURL\\u003e HTTP/1.1 on the backend server socket results in a 301 redirect to https://\\u003cURL\\u003e with JupiterOne demo cookies (most importantly the d cookie)\\n4) Me with my Burp Collaborator steals victims cookies by using a collaborator server as the defined \\u003cURL\\u003e in the attack\\n5) Me (if I were evil) collects massive amounts of d session cookies and steals any/all possible JupiterOne demo user/organization data from victim sessions\\n\\n### Remediation\\n\\nTo fix this you need to use HTTP/2 for back-end connections, as this protocol prevents ambiguity about the boundaries between requests.\\nThe front-end server processes the Content-Length header and determines that the request body is 13 bytes long, up to the end of SMUGGLED. This request is forwarded on to the back-end server.\\n\\nThe back-end server processes the Transfer-Encoding header, and so treats the message body as using chunked encoding. It processes the first chunk, which is stated to be zero length, and so is treated as terminating the request. 
The following bytes, SMUGGLED, are left unprocessed, and the back-end server will treat these as being the start of the next request in the sequence.\\n\\n## Impact\\n\\nSo it is my opinion that this is a severe critical vulnerability that could lead to a massive data breach of a majority of customer data. With this attack it would be trivial for a bad actor to create bots that consistantly issue this attack, jump onto the victim session and steal all possible data within reach.\\nI am really happy I found this for you guys so that it can be dealt with ASAP. I really hope there haven't been any attacks on customers using this vulnerability.\\nBest Wishes,\\ncosmo\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:52.732Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:52.732Z\",\"last_activity_at\":\"2022-12-09T06:51:52.732Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/
ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770232\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:27.437Z\",\"score\":8.1,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"low\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"weakness\":{\"data\":{\"id\":\"86\",\"type\":\"weakness\",\"attributes\":{\"name\":\"HTTP Request Smuggling\",\"description\":\"When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to \\\"smuggle\\\" a request to one device without the other device being aware of 
it.\",\"external_id\":\"cwe-444\",\"created_at\":\"2017-01-26T23:29:14.332Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794557\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR - Edit Anyone's Blogs / Websites\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T06:51:25.465Z\",\"vulnerability_information\":\"Hello there,\\nI hope all is well!\\nSteps:\\nGo to https://jupiterone.com/signup and create 2 accounts.\\nLogin as victim and go to https://www.jupiterone.com/edit-user-profile\\nClick Add Blog / Website text and fill the form \\u003e click Save Settings button\\nGo to https://www.jupiterone.com/edit-user-profile, again and search radMainSite text in page source and copy value.\\nThen login as attacker.\\nGo to https://www.jupiterone.com/edit-user-profile \\u003e click Add Blog / Website text and fill the form \\u003e click Save Settings button\\nGo to https://www.jupiterone.com/edit-user-profile, again and click Save Settings button \\u003e open burp suite and change hidBlogID parameter with victim's hidBlogID.\\nForward the request and go to victim's account. Check your website informations. 
You will see it's changed.\\n\\n## Impact\\n\\nChange victim's website/blog information - leading to personal data exposure, defacing of customer content and loss of company revenue.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:52.734Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:52.734Z\",\"last_activity_at\":\"2022-12-09T06:51:52.734Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\"
:\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770231\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:25.592Z\",\"score\":8.1,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"low\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"weakness\":{\"data\":{\"id\":\"55\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insecure Direct Object Reference (IDOR)\",\"description\":\"The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.\",\"external_id\":\"cwe-639\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794521\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS on api.playtronics.com\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:49:53.816Z\",\"vulnerability_information\":\"The `/print.json` endpoint on the Playtronics API (`api.playtronics.com`) contains a\\nreflected 
XSS vulnerability via the `title` parameter.\\n\\n### Steps to reproduce\\n1. Generate an API key for any user/permission on the Playtronics API\\n2. Send victim to an URL with the reflected XSS payload embedded:\\n`https://api.playtronics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e`\\n\\n### Proof of Concept\\nIt is possible to hide the reflected XSS payload inside another web page to make the\\nattack more stealthy. Here's a way to do it with an iframe:\\n\\n```\\n\\u003ciframe src=\\\"https://api.playtromnics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e\\\" /\\u003e\\n```\\n\\n### Remediaton\\n* Ensure the HTTP responses from the API are always `Content-Type: application/json`\\n* Properly sanitize the user input for the `title` parameter in the `print.json` endpoint\\nand escape potentially dangerous characters, such as HTML tags and JavaScript\\n\\n## Impact\\n\\nAn attacker can execute arbitrary JavaScript on api.playtronics.com, potentially\\nescalating the impact by capturing the API token of the 
victim.\",\"triaged_at\":\"2022-12-06T06:49:54.297Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-06T06:49:54.729Z\",\"first_program_activity_at\":\"2022-12-06T06:49:54.004Z\",\"last_program_activity_at\":\"2022-12-06T06:49:54.611Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:54.611Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1444\",\"last_public_activity_at\":\"2022-12-06T06:49:54.729Z\",\"last_activity_at\":\"2022-12-06T06:49:54.729Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"h
ackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770195\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:53.879Z\",\"score\":8.3,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"none\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[{\"id\":\"442260\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-06T06:49:54.599Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794521\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS on api.playtronics.com\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:49:53.816Z\",\"vulnerability_information\":\"The `/print.json` endpoint on the Playtronics API (`api.playtronics.com`) contains a\\nreflected XSS vulnerability via the `title` parameter.\\n\\n### Steps to reproduce\\n1. Generate an API key for any user/permission on the Playtronics API\\n2. 
Send victim to an URL with the reflected XSS payload embedded:\\n`https://api.playtronics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e`\\n\\n### Proof of Concept\\nIt is possible to hide the reflected XSS payload inside another web page to make the\\nattack more stealthy. Here's a way to do it with an iframe:\\n\\n```\\n\\u003ciframe src=\\\"https://api.playtromnics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e\\\" /\\u003e\\n```\\n\\n### Remediaton\\n* Ensure the HTTP responses from the API are always `Content-Type: application/json`\\n* Properly sanitize the user input for the `title` parameter in the `print.json` endpoint\\nand escape potentially dangerous characters, such as HTML tags and JavaScript\\n\\n## Impact\\n\\nAn attacker can execute arbitrary JavaScript on api.playtronics.com, potentially\\nescalating the impact by capturing the API token of the 
victim.\",\"triaged_at\":\"2022-12-06T06:49:54.297Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-06T06:49:54.729Z\",\"first_program_activity_at\":\"2022-12-06T06:49:54.004Z\",\"last_program_activity_at\":\"2022-12-06T06:49:54.611Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:54.611Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1444\",\"last_public_activity_at\":\"2022-12-06T06:49:54.729Z\",\"last_activity_at\":\"2022-12-06T06:49:54.729Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794532\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin system credentials leaked in public GitHub commit history\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-05T06:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-12-05T09:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:23.560Z\",\"first_program_activity_at\":\"2022-12-06T06:50:22.070Z\",\"last_program_activity_at\":\"2022-12-05T09:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:50:23.560Z\",\"last_activity_at\":\"2022-12-09T06:50:23.560Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLC
JleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770206\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:21.909Z\"}}},\"weakness\":{\"data\":{\"id\":\"1027\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Reflection Injection\",\"description\":\"An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. 
This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.\",\"external_id\":\"capec-138\",\"created_at\":\"2022-07-06T18:33:49.925Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794529\",\"type\":\"report\",\"attributes\":{\"title\":\"Crypto - Ethereum account balance manipulation\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-05T06:49:54.883Z\",\"vulnerability_information\":\"If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed\\nSteps To Reproduce:\\nSetup a smart contract with a few valid wallets and 1 final faulty wallet (always throw exception when receiving funds smart contract for example)\\nTransfer appropriate funds to smart contract.\\nExecute smart contract adding the set amount of ether to the wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.\\nRepeat until you have more than enough ethereum in your wallet.\\nCash out, transfer to off site wallet\\n\\n## Impact\\n\\nBy using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your 
account.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.440Z\",\"first_program_activity_at\":\"2022-12-06T06:50:10.664Z\",\"last_program_activity_at\":\"2022-12-05T09:49:54.883Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.440Z\",\"last_activity_at\":\"2022-12-09T06:51:43.440Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"progra
m\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770203\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:10.554Z\"}}},\"weakness\":{\"data\":{\"id\":\"1385\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Open-Source Library Manipulation\",\"description\":\"Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.\",\"external_id\":\"capec-538\",\"created_at\":\"2022-07-06T18:53:39.017Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794501\",\"type\":\"report\",\"attributes\":{\"title\":\"Mobile - Read new emails from any inbox IOS APP in notification center\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-05T06:48:28.517Z\",\"vulnerability_information\":\"IDOR vulnerability in notification center API as used by jupiterone.com Mail application for iOS allowed to request notifications for arbitrary e-mail address\\n\\n## Impact\\n\\nPersonal Data Exposure, account take over and down time for your major IOS 
app.\",\"triaged_at\":\"2022-12-05T10:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:35.306Z\",\"first_program_activity_at\":\"2022-12-06T06:48:34.640Z\",\"last_program_activity_at\":\"2022-12-05T10:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1750\",\"last_public_activity_at\":\"2022-12-09T06:48:35.306Z\",\"last_activity_at\":\"2022-12-09T06:48:35.306Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2023-01-16T10:48:28.517Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-16T06:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-07T06:48:28.517Z\",\"timer_report_triage_elapsed_time\":14400},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJ
fcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770175\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:48:34.407Z\"}}},\"weakness\":{\"data\":{\"id\":\"1053\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Spear Phishing\",\"description\":\"An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. 
As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.\",\"external_id\":\"capec-163\",\"created_at\":\"2022-07-06T18:35:18.823Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794499\",\"type\":\"report\",\"attributes\":{\"title\":\"Collaboration - Memory corruption in imap-parser.c\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-01T18:48:28.517Z\",\"vulnerability_information\":\"Hello JupiterOne demo devs, this is a report from Bishop and Cosmo. We are researchers at the University of Pennsylvania. We’ve been fuzzing JupiterOne demo and have triggered some memory errors---this one is the most serious, and can be used for controlled indirect out-of-bounds writes into heap memory.\\nSummary:\\nThe imapparser_read_string() function inside imap-parser.c sets the parser -\\u003e str_first_escape field equal to the index of the first ‘\\\\\\\\’ escape character found when parsing the input data. However, it does not check for a null byte (end of string) when scanning that data. 
As a result, if a ‘\\\\\\\\’ is placed _after a null byte in an input data, then the str_first_escape index may be larger than the strlen() of the actual data, which leads to out of bounds heap memory accesses (both reads and writes).\\nOn line 266 of imap-parser.c, a new string is allocated from the memory pool of the parser, and a copy of the input data is copied there using p_strndup():\\nstr = p_strndup(parser-\\u003epool, data+1, size-1);\\npstrndup() computes the _length of the original string (distance to first null byte), allocates that many bytes, and then copies that many bytes into the allocated buffer. Several lines later the program calls str_unescape() on the shorter copied string using the original offset parser -\\u003e str_first_escape:\\n(void)str_unescape(str + parser-\\u003estr_first_escape-1);\\nAs noted, we can create inputs in which str_first_escape will have a larger value than the actual length of the string, thus driving str out of bounds in the input to str_unescape(). The p_strndup() allocates its memory from the parser memory pool; with an appropriate arrangement of the pool, this could be made to allocate from a block with a higher address than the data; because the distance between the ‘\\\\\\\\’ and the null byte can be controlled by an attacker and is only constrained by the length of a line, the pointer can thus be set to a controlled value outside of the memory pool. str_unescape() performs writes, which could be used to corrupt arbitrary heap memory that is allocated after the pool, thus providing realistic footing for exploitation. 
Attached to this report are two screenshots from Address Sanitizer that show the state of the call stack and the detected out-of-bounds writes to heap objects.\\nReleases Affected:\\nThe affected code has not been touched since 2003 and the vulnerability may be older than that.\\nSteps To Reproduce:\\nCompile JupiterOne demo with ASAN to detect memory errors, or add the assertion “i_assert(strlen(str) \\u003e= parser-\\u003estr_first_escape);” after line 270 in imap-parser.c to detect violations of that logical invariant.\\nInsert a ‘\\\\\\\\0’ before the first ‘\\\\\\\\’ in a string that will be parsed by imap-parser.c --- example IMAP session provided below\\nRun session\\nExample session:\\na0000 AUTHENTICATE PLAIN xxxxxxxxxxxxx\\na0001 CAPABILITY\\na0002 LIST \\\"0\\\\\\\\A\\\" “”\\na0006 CLOSE\\na0007 LOGOUT\\nNote the 0 before “\\\\\\\\A” would be an actual null byte not \\\\\\\\x30.\\nFixing the vulnerability\\nThe offset of the first escape should not be set higher than the offset of the null byte. This could be achieved either by setting str_first_escape if it has not been set when the first ‘\\\\\\\\0’ is encountered, or by terminating the processing (and maybe dropping the ill-behaved client) on that first ‘\\\\\\\\0’ and leaving str_first_escape unset. Given that we are not experts on this code and the nuances of the IMAP syntax, we can’t say which is more appropriate.\\nSupporting Material/References:\\nThis report includes two screenshots of Address Sanitizer reported out-of-bounds writes.\\nImpact\\nThis vulnerability allows for out-of-bounds writes to objects stored on the heap. One of the attached screenshots shows an ASAN report from a null byte write from line 76 of strescape.c; this alone can feasibly lead to arbitrary code execution, for example: https://bugs.chromium.org/p/project-zero/issues/detail?id=96\\nIn this particular case, the attacker capabilities are much greater than a single null byte overflow. 
Not only can the write be controlled to skip over memory and write to an offset of the attacker’s choosing, but if heap memory contains ‘\\\\\\\\’ bytes (which can be prepared by an attacker through previous IMAP session operations), then they will cause str_unescape() to perform a repeated series of writes as dictated by the logic of the function; attached is a screenshot showing out-of-bounds writes from line 73. Furthermore, this vulnerability can be triggered repeatedly within a single IMAP session, thus allowing quite sophisticated manipulation of heap memory. Once the state of memory can be corrupted this way in a complex program, arbitrary code execution should be assumed to be possible; all that remains is fitting the pieces together.\\n\\n## Impact\\n\\nThis vulnerability allows for out-of-bounds writes to objects stored on the heap. One of the attached screenshots shows an ASAN report from a null byte write from line 76 of strescape.c; this alone can feasibly lead to arbitrary code execution, for example: https://bugs.chromium.org/p/project-zero/issues/detail?id=96\\nIn this particular case, the attacker capabilities are much greater than a single null byte overflow. Not only can the write be controlled to skip over memory and write to an offset of the attacker’s choosing, but if heap memory contains ‘\\\\\\\\’ bytes (which can be prepared by an attacker through previous IMAP session operations), then they will cause str_unescape() to perform a repeated series of writes as dictated by the logic of the function; attached is a screenshot showing out-of-bounds writes from line 73. Furthermore, this vulnerability can be triggered repeatedly within a single IMAP session, thus allowing quite sophisticated manipulation of heap memory. 
Once the state of memory can be corrupted this way in a complex program, arbitrary code execution should be assumed to be possible; all that remains is fitting the pieces together.\",\"triaged_at\":\"2022-12-02T04:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:34.451Z\",\"first_program_activity_at\":\"2022-12-06T06:48:32.375Z\",\"last_program_activity_at\":\"2022-12-02T04:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1723\",\"last_public_activity_at\":\"2022-12-09T06:48:34.451Z\",\"last_activity_at\":\"2022-12-09T06:48:34.451Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2023-01-13T04:48:28.517Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-12T18:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-05T18:48:28.517Z\",\"timer_report_triage_elapsed_time\":36000},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-
photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770173\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:48:32.143Z\"}}},\"weakness\":{\"data\":{\"id\":\"548\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Authentication Bypass by Alternate Name\",\"description\":\"The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.\",\"external_id\":\"cwe-289\",\"created_at\":\"2022-07-06T18:04:55.580Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794520\",\"type\":\"report\",\"attributes\":{\"title\":\"SSH server compatible with several vulnerable cryptographic algorithms\",\"main_state\":\"closed\",\"state\":\"duplicate\",\"created_at\":\"2022-11-29T06:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles 
and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-15T06:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-29T06:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:45.563Z\",\"last_program_activity_at\":\"2022-12-15T06:48:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-15T06:48:35.164Z\",\"last_activity_at\":\"2022-12-15T06:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"original_report_id\":\"1794502\",\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-01T06:48:35.164Z\",\"timer_report_triage_elapsed_time\":1036789},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f25
3f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770194\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:49:45.389Z\"}}},\"weakness\":{\"data\":{\"id\":\"314\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incorrect Register Defaults or Module Parameters\",\"description\":\"Hardware description language code incorrectly defines register defaults or hardware IP parameters to insecure values.\",\"external_id\":\"cwe-1221\",\"created_at\":\"2022-07-06T17:52:26.223Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794498\",\"type\":\"report\",\"attributes\":{\"title\":\"Weak Recovery Mechanism - Reset Any 
Password\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-11-28T06:48:28.517Z\",\"vulnerability_information\":\"Summary:\\n When I try to reset the password, the verification code of the mailbox is 6 digits, and there is no limit on the number of submissions, so I can reset the password of any user.\\nSteps To Reproduce:\\n1. Input email and send code\\n2. Input email and send code for email account you want to take over\\n3. Input known vertification code to get to the next page\\n4. Modify request on next page with email account you want to take over and brute force the unkown verification code - there is no limit to this brute force and the code is only 6 characters\\n\\n## Impact\\n\\nI can change the password on any account, leading to account takeovers, loss of private data and loss of revenue/fine for company.\",\"triaged_at\":\"2022-11-28T14:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:31.964Z\",\"first_program_activity_at\":\"2022-12-06T06:48:30.317Z\",\"last_program_activity_at\":\"2022-11-28T14:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1722\",\"last_public_activity_at\":\"2022-12-09T06:48:31.964Z\",\"last_activity_at\":\"2022-12-09T06:48:31.964Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T06:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-11-30T06:48:28.517Z\",\"timer_report_triage_elapsed_time\":28800},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":
{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770172\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:48:30.092Z\"}}},\"weakness\":{\"data\":{\"id\":\"625\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Declaration of Catch for Generic Exception\",\"description\":\"Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.\",\"external_id\":\"cwe-396\",\"created_at\":\"2022-07-06T18:08:54.595Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can 
still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794519\",\"type\":\"report\",\"attributes\":{\"title\":\"Multiple Subdomain takeovers via unclaimed instances\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-28T00:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-27T00:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-28T00:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:43.055Z\",\"last_program_activity_at\":\"2022-12-27T00:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:43.435Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-27T00:08:35.164Z\",\"last_activity_at\":\"2022-12-27T00:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591455,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1814380,\"timer_report_triage_miss_at\":\"2022-11-30T00:08:35.164Z\",\"timer_report_triage_elapsed_time\":1814380},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\"
,\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770193\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:42.890Z\"}}},\"weakness\":{\"data\":{\"id\":\"472\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Permissive List of Allowed Inputs\",\"description\":\"The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.\",\"external_id\":\"cwe-183\",\"created_at\":\"2022-07-06T18:00:44.401Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442259\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-08T00:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794519\",\"type\":\"report\",\"attributes\":{\"title\":\"Multiple Subdomain takeovers via unclaimed 
instances\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-28T00:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-27T00:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-28T00:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:43.055Z\",\"last_program_activity_at\":\"2022-12-27T00:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:43.435Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-27T00:08:35.164Z\",\"last_activity_at\":\"2022-12-27T00:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591455,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1814380,\"timer_report_triage_miss_at\":\"2022-11-30T00:08:35.164Z\",\"timer_report_triage_elapsed_time\":1814380}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794518\",\"type\":\"report\",\"attributes\":{\"title\":\"Bypassing Homograph Attack Using\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-26T17:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-14T17:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-26T17:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:37.541Z\",\"last_program_activity_at\":\"2022-12-14T17:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:38.594Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-14T17:28:35.164Z\",\"last_activity_at\":\"2022-12-14T17:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2050093,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1099704,\"timer_report_triage_miss_at\":\"2022-11-30T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1099704},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecb
e47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770192\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:49:37.146Z\"}}},\"weakness\":{\"data\":{\"id\":\"1190\",\"type\":\"weakness\",\"attributes\":{\"name\":\"TCP FIN Scan\",\"description\":\"An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. 
This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.\",\"external_id\":\"capec-302\",\"created_at\":\"2022-07-06T18:43:00.350Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442258\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-29T17:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794518\",\"type\":\"report\",\"attributes\":{\"title\":\"Bypassing Homograph Attack Using\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-26T17:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-14T17:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-26T17:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:37.541Z\",\"last_program_activity_at\":\"2022-12-14T17:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:38.594Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-14T17:28:35.164Z\",\"last_activity_at\":\"2022-12-14T17:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2050093,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1099704,\"timer_report_triage_miss_at\":\"2022-11-30T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1099704}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794528\",\"type\":\"report\",\"attributes\":{\"title\":\"Open Source - Buffer underflow in Ruby sprintf\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-26T13:41:20.597Z\",\"vulnerability_information\":\"Find attached the crash file, the crash output and the suggestion for a fix: https://github.com/ruby/ruby/commit/0854193a684acc2b3a13ab28091a4397000c8822\\n\\n## Impact\\n\\nAttacker can cause the web application to execute arbitrary code – effectively taking over the machine on any web application using 
Ruby.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.339Z\",\"first_program_activity_at\":\"2022-12-06T06:50:09.119Z\",\"last_program_activity_at\":\"2022-11-26T23:41:20.597Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.339Z\",\"last_activity_at\":\"2022-12-09T06:51:43.339Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZ
hcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770202\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:08.995Z\"}}},\"weakness\":{\"data\":{\"id\":\"1492\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Hiding Malicious Data or Code within Files\",\"description\":\"Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. 
It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.\",\"external_id\":\"capec-636\",\"created_at\":\"2022-07-06T19:02:12.998Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794517\",\"type\":\"report\",\"attributes\":{\"title\":\"Leakage badges on disabled user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-25T10:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-25T10:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-25T10:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:32.654Z\",\"last_program_activity_at\":\"2022-12-25T10:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:32.998Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-25T10:48:35.164Z\",\"last_activity_at\":\"2022-12-25T10:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2639454,\"timer_bounty_awarded_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1775464,\"timer_report_triage_miss_at\":\"2022-11-29T10:48:35.164Z\",\"timer_report_triage_elapsed_time\":1775464},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJib
G9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770191\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:32.536Z\"}}},\"weakness\":{\"data\":{\"id\":\"422\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insufficient Precision or Accuracy of a Real Number\",\"description\":\"The program processes a real number with an implementation in which the number’s representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.\",\"external_id\":\"cwe-1339\",\"created_at\":\"2022-07-06T17:58:07.760Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442257\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"400.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"400.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-07T10:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794517\",\"type\":\"report\",\"attributes\":{\"title\":\"Leakage badges on disabled user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-25T10:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-25T10:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-25T10:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:32.654Z\",\"last_program_activity_at\":\"2022-12-25T10:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:32.998Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-25T10:48:35.164Z\",\"last_activity_at\":\"2022-12-25T10:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2639454,\"timer_bounty_awarded_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1775464,\"timer_report_triage_miss_at\":\"2022-11-29T10:48:35.164Z\",\"timer_report_triage_elapsed_time\":1775464}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794516\",\"type\":\"report\",\"attributes\":{\"title\":\"Open prod Jenkins instance\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-24T04:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T04:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-24T04:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:30.297Z\",\"last_program_activity_at\":\"2022-12-13T04:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:30.668Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T04:08:35.164Z\",\"last_activity_at\":\"2022-12-13T04:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1123188,\"timer_report_triage_miss_at\":\"2022-11-28T04:08:35.164Z\",\"timer_report_triage_elapsed_time\":1123188},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d0
0722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770190\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:30.117Z\"}}},\"weakness\":{\"data\":{\"id\":\"685\",\"type\":\"weakness\",\"attributes\":{\"name\":\"External Control of Assumed-Immutable Web Parameter\",\"description\":\"The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.\",\"external_id\":\"cwe-472\",\"created_at\":\"2022-07-06T18:12:09.751Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442256\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-23T04:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794516\",\"type\":\"report\",\"attributes\":{\"title\":\"Open prod Jenkins instance\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-24T04:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a 
variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T04:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-24T04:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:30.297Z\",\"last_program_activity_at\":\"2022-12-13T04:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:30.668Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T04:08:35.164Z\",\"last_activity_at\":\"2022-12-13T04:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1123188,\"timer_report_triage_miss_at\":\"2022-11-28T04:08:35.164Z\",\"timer_report_triage_elapsed_time\":1123188}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794515\",\"type\":\"report\",\"attributes\":{\"title\":\"Key Reinstallation Attacks\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-22T21:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T21:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-22T21:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:26.610Z\",\"last_program_activity_at\":\"2022-12-12T21:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:26.989Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T21:28:35.164Z\",\"last_activity_at\":\"2022-12-12T21:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1209587,\"timer_report_triage_miss_at\":\"2022-11-24T21:28:35.164Z\",\"timer_report_triage_elapsed_time\":1209587},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc
85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770189\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:26.483Z\"}}},\"weakness\":{\"data\":{\"id\":\"1153\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Fuzzing for garnering other adjacent user/sensitive data\",\"description\":\"An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide.\",\"external_id\":\"capec-261\",\"created_at\":\"2022-07-06T18:40:56.542Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442255\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-03T21:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794515\",\"type\":\"report\",\"attributes\":{\"title\":\"Key Reinstallation Attacks\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-22T21:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T21:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-22T21:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:26.610Z\",\"last_program_activity_at\":\"2022-12-12T21:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:26.989Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T21:28:35.164Z\",\"last_activity_at\":\"2022-12-12T21:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1209587,\"timer_report_triage_miss_at\":\"2022-11-24T21:28:35.164Z\",\"timer_report_triage_elapsed_time\":1209587}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794514\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup Source Code Detected\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-21T14:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-02T14:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-21T14:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:24.169Z\",\"last_program_activity_at\":\"2022-12-02T14:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:24.526Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-02T14:48:35.164Z\",\"last_activity_at\":\"2022-12-02T14:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_report_resolved_elapsed_time\":777592,\"timer_report_triage_miss_at\":\"2022-11-23T14:48:35.164Z\",\"timer_report_triage_elapsed_time\":777592},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d007
22ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770188\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:49:24.058Z\"}}},\"weakness\":{\"data\":{\"id\":\"1510\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Use of Known Windows Credentials\",\"description\":\"An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows domain credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the domain, under the guise of an authenticated user or service. Attacks leveraging trusted Windows credentials typically result in the adversary laterally moving within the local Windows network, since users are often allowed to login to systems/applications within the domain using their Windows domain password. This domain authentication can occur directly (user typing in their password or PIN) or via Single Sign-On (SSO) or cloud-based authentication, which often don't verify the authenticity of the user's input.\",\"external_id\":\"capec-653\",\"created_at\":\"2022-07-06T19:03:05.325Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442254\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-20T14:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794514\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup Source Code Detected\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-21T14:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-02T14:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-21T14:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:24.169Z\",\"last_program_activity_at\":\"2022-12-02T14:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:24.526Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-02T14:48:35.164Z\",\"last_activity_at\":\"2022-12-02T14:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_report_resolved_elapsed_time\":777592,\"timer_report_triage_miss_at\":\"2022-11-23T14:48:35.164Z\",\"timer_report_triage_elapsed_time\":777592}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794513\",\"type\":\"report\",\"attributes\":{\"title\":\"Leaking Referrer in Reset Password Link\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-20T08:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T08:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-20T08:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:20.564Z\",\"last_program_activity_at\":\"2022-12-13T08:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:21.073Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T08:08:35.164Z\",\"last_activity_at\":\"2022-12-13T08:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2880483,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1411700,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1411700},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2l
kIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770187\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:49:20.218Z\"}}},\"weakness\":{\"data\":{\"id\":\"533\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: 'dir/../../filename'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal \\\"../\\\" sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-27\",\"created_at\":\"2022-07-06T18:04:03.773Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442253\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-05T08:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794513\",\"type\":\"report\",\"attributes\":{\"title\":\"Leaking Referrer in Reset Password Link\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-20T08:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T08:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-20T08:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:20.564Z\",\"last_program_activity_at\":\"2022-12-13T08:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:21.073Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T08:08:35.164Z\",\"last_activity_at\":\"2022-12-13T08:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2880483,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1411700,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1411700}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794512\",\"type\":\"report\",\"attributes\":{\"title\":\"Keybase extension hostname-validation regular expression issue\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-19T01:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-10T01:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-19T01:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:14.696Z\",\"last_program_activity_at\":\"2022-12-10T01:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:16.507Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-10T01:28:35.164Z\",\"last_activity_at\":\"2022-12-10T01:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2942882,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1295986},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJib
G9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770186\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:14.571Z\"}}},\"weakness\":{\"data\":{\"id\":\"1235\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Application API Button Hijacking\",\"description\":\"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. 
Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.\",\"external_id\":\"capec-388\",\"created_at\":\"2022-07-06T18:45:23.172Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442252\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"800.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"800.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-06T01:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794512\",\"type\":\"report\",\"attributes\":{\"title\":\"Keybase extension hostname-validation regular expression issue\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-19T01:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-10T01:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-19T01:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:14.696Z\",\"last_program_activity_at\":\"2022-12-10T01:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:16.507Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-10T01:28:35.164Z\",\"last_activity_at\":\"2022-12-10T01:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2942882,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1295986}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794527\",\"type\":\"report\",\"attributes\":{\"title\":\"RCE - Remote Code Execution on app.jupiterone.com using bulk customer update of Priority Products\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-17T20:32:46.311Z\",\"vulnerability_information\":\"Hi,\\nBackground\\napp.jupiterone.com allows the administrator to upload priority product images located at:\\nhttps://app.jupiterone.com/seller/onboarding/1\\n\\n\\nThese images are not being checked if they are real JPG/PNG/GIF. 
When uploading an ImageTragick using a specific payload then connecting app.JupiterOne demo to JupiterOne demo Messenger, and writing the right commands a reverse shell will be created to my host.\\n\\nI also verified I can access AWS metadata.\\n\\nYou should immediately make sure Postscript files cannot be uploaded here, or urgently update or remove Ghostscript from the imagemagick instance.\\nRegards,\\nFrans and Mathias\\n\\n## Impact\\n\\nAccess AWS secret keys, personal data and execute code on server.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.323Z\",\"first_program_activity_at\":\"2022-12-06T06:50:07.506Z\",\"last_program_activity_at\":\"2022-11-18T18:32:46.311Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.323Z\",\"last_activity_at\":\"2022-12-09T06:51:43.323Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hac
kerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770201\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:07.339Z\"}}},\"weakness\":{\"data\":{\"id\":\"921\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Filtering of Special Elements\",\"description\":\"The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.\",\"external_id\":\"cwe-790\",\"created_at\":\"2022-07-06T18:27:51.923Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794511\",\"type\":\"report\",\"attributes\":{\"title\":\"Access to Private Photos of Apps in App section(IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-17T18:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-17T18:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-17T18:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:12.284Z\",\"last_program_activity_at\":\"2022-12-17T18:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:12.642Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-17T18:48:35.164Z\",\"last_activity_at\":\"2022-12-17T18:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3561043,\"timer_bounty_awarded_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1833063,\"timer_report_triage_miss_at\":\"2022-11-21T18:48:35.164Z\",\"timer_report_triage_elapsed_time\":1833063},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\"
,\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770185\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:12.168Z\"}}},\"weakness\":{\"data\":{\"id\":\"907\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Missing Reference to Active File Descriptor or Handle\",\"description\":\"The software does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.\",\"external_id\":\"cwe-773\",\"created_at\":\"2022-07-06T18:27:09.309Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage 
your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442251\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-14T18:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794511\",\"type\":\"report\",\"attributes\":{\"title\":\"Access to Private Photos of Apps in App section(IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-17T18:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-17T18:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-17T18:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:12.284Z\",\"last_program_activity_at\":\"2022-12-17T18:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:12.642Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-17T18:48:35.164Z\",\"last_activity_at\":\"2022-12-17T18:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3561043,\"timer_bounty_awarded_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1833063,\"timer_report_triage_miss_at\":\"2022-11-21T18:48:35.164Z\",\"timer_report_triage_elapsed_time\":1833063}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794510\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin Panel Accessed (OAuth Bypassed )\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-16T12:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T12:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-16T12:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:05.685Z\",\"last_program_activity_at\":\"2022-12-12T12:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:10.113Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T12:08:35.164Z\",\"last_activity_at\":\"2022-12-12T12:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3369562,\"timer_bounty_awarded_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-18T12:08:35.164Z\",\"timer_report_triage_elapsed_time\":1555183},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc
85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770184\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:05.574Z\"}}},\"weakness\":{\"data\":{\"id\":\"667\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Multiple Interpretations of UI Input\",\"description\":\"The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.\",\"external_id\":\"cwe-450\",\"created_at\":\"2022-07-06T18:11:16.745Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442250\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-10T12:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794510\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin Panel Accessed (OAuth Bypassed )\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-16T12:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T12:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-16T12:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:05.685Z\",\"last_program_activity_at\":\"2022-12-12T12:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:10.113Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T12:08:35.164Z\",\"last_activity_at\":\"2022-12-12T12:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3369562,\"timer_bounty_awarded_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-18T12:08:35.164Z\",\"timer_report_triage_elapsed_time\":1555183}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794509\",\"type\":\"report\",\"attributes\":{\"title\":\"CVE-2017-15277 on Profile page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-15T05:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-09T05:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-15T05:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:00.716Z\",\"last_program_activity_at\":\"2022-12-09T05:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:01.645Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T05:28:35.164Z\",\"last_activity_at\":\"2022-12-09T05:28:35.164Z\",\"cve_ids\":[\"CVE-2017-15277\"],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3196764,\"timer_bounty_awarded_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-17T05:28:35.164Z\",\"timer_report_triage_elapsed_time\":1555183},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bc
a9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770183\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:00.436Z\"}}},\"weakness\":{\"data\":{\"id\":\"1151\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Leveraging Race Conditions\",\"description\":\"The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by \\\"running the race\\\", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.\",\"external_id\":\"capec-26\",\"created_at\":\"2022-07-06T18:40:51.054Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442249\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-05T05:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794509\",\"type\":\"report\",\"attributes\":{\"title\":\"CVE-2017-15277 on Profile page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-15T05:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-09T05:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-15T05:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:00.716Z\",\"last_program_activity_at\":\"2022-12-09T05:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:01.645Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T05:28:35.164Z\",\"last_activity_at\":\"2022-12-09T05:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3196764,\"timer_bounty_awarded_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-17T05:28:35.164Z\",\"timer_report_triage_elapsed_time\":1555183}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794508\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect via ReturnUrl parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-13T22:48:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-14T09:48:35.164Z\",\"closed_at\":\"2022-11-28T22:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-13T22:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:55.098Z\",\"last_program_activity_at\":\"2022-11-28T22:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:55.518Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-28T22:48:35.164Z\",\"last_activity_at\":\"2022-11-28T22:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2552372,\"timer_bounty_awarded_miss_at\":\"2022-12-26T09:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":946106,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":35315},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770182\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:48:54.758Z\"}}},\"weakness\":{\"data\":{\"id\":\"607\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Internal State Distinction\",\"description\":\"The software does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant 
manner.\",\"external_id\":\"cwe-372\",\"created_at\":\"2022-07-06T18:07:58.337Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442248\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-23T22:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794508\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect via ReturnUrl parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-13T22:48:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-14T09:48:35.164Z\",\"closed_at\":\"2022-11-28T22:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-13T22:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:55.098Z\",\"last_program_activity_at\":\"2022-11-28T22:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:55.518Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-28T22:48:35.164Z\",\"last_activity_at\":\"2022-11-28T22:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2552372,\"timer_bounty_awarded_miss_at\":\"2022-12-26T09:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":946106,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":35315}}}}}}]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\",\"next\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\"}}" + "text": "{\"data\":[{\"id\":\"1795020\",\"type\":\"report\",\"attributes\":{\"title\":\"Demo report: XSS in JupiterOne demo H1B home page\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T17:18:15.515Z\",\"vulnerability_information\":\"In some ***fantasy world***, the home page of JupiterOne demo H1B is vulnerable to an *imaginary* Cross-Site Scripting attack.\\n\\n1. Visit home page of JupiterOne demo H1B\\n2. Open the browser's javascript console\\n3. Type `alert(/xss!/)` and press enter\\n4. 
Profit!\\n\\n## Impact\\n\\nIn our fantasy world, exploiting this vulnerability allows us to run an external script on your website that for example steals the cookies of the users that's facing the XSS and thus gaining access to the account of the victim.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T17:18:16.437Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T17:18:16.437Z\",\"last_activity_at\":\"2022-12-09T17:18:16.437Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"assignee\":{\"data\":{\"id\":\"2522558\",\"type\":\"user\",\"attributes\":{\"username\":\"ninetreats00\",\"name\":\"Sam 
Andrus\",\"disabled\":false,\"created_at\":\"2022-12-06T17:18:09.499Z\",\"profile_picture\":{\"62x62\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"82x82\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"110x110\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"260x260\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\"},\"signal\":null,\"impact\":null,\"reputation\":null,\"bio\":null,\"website\":null,\"location\":null,\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"weakness\":{\"data\":{\"id\":\"1450\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Absolute Path Traversal\",\"description\":\"An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as \\\"..\\\" to extend their range of access to inappropriate areas of the file system. 
The goal of the adversary is to access directories and files that are intended to be restricted from their access.\",\"external_id\":\"capec-597\",\"created_at\":\"2022-07-06T18:59:45.367Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794559\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup SQL file lingering on https://ops.jupiterone.com/\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:51:29.205Z\",\"vulnerability_information\":\"The JupiterOne demo Ops website - `ops.jupiterone.com` has a lingering SQL backup file that is\\npublicly accessible and downloadable. The file contains a SQL database backup that contains\\nprivileged user information and secret keys.\\n# Steps to Reproduce\\n- Head over to https://ops.jupiterone.com/tmp/backup.sql\\n- Inspect the raw SQL. E.g. search for `encryption_key` or `password`.\\n# PoC\\nhttps://ops.jupiterone.com/tmp/backup.sql:\\n{F2063870}\\n\\n# Remediation\\nEnsure the file is removed from the server or protected with a proper authentication mechanism\\nthat prevents unprivileged users from accessing this sensitive information.\\n\\n## Impact\\n\\nAny customer of JupiterOne demo that has this system will be\\nimpacted by this vulnerability. 
An attacker could easily gain access to whatever they are\\ntrying to protect by exploiting this vulnerability.\",\"triaged_at\":\"2022-12-06T06:51:29.423Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:29.929Z\",\"first_program_activity_at\":\"2022-12-06T06:51:29.423Z\",\"last_program_activity_at\":\"2022-12-06T06:51:29.423Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:29.929Z\",\"last_activity_at\":\"2022-12-09T06:51:29.929Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\
"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"assignee\":{\"data\":{\"id\":\"4954\",\"type\":\"user\",\"attributes\":{\"username\":\"demo-member\",\"name\":\"Demo Member\",\"disabled\":false,\"created_at\":\"2014-04-14T11:45:00.949Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"signal\":null,\"impact\":null,\"reputation\":null,\"bio\":\"I'm here to help test drive, and am automatically removed at 
launch.\",\"website\":null,\"location\":\"testing\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770233\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:29.279Z\",\"score\":10.0,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"none\",\"user_interaction\":\"none\",\"scope\":\"changed\"}}},\"weakness\":{\"data\":{\"id\":\"18\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Information Disclosure\",\"description\":\"An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.\",\"external_id\":\"cwe-200\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794558\",\"type\":\"report\",\"attributes\":{\"title\":\"Private Data - Mass account takeovers using HTTP Request Smuggling on qa.jupiterone.com to steal session cookies\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T06:51:27.360Z\",\"vulnerability_information\":\"Hi JupiterOne demo Security 
Team!\\nMy name is cosmo and I'm a first time bug hunter to your platform. I decided to take a little of my time and gently perform recon on your platform. Specifically the area of interest I focus in is HTTP Request Smuggling. I developed tooling to actively target some advanced HTTP Smuggling exploits and ran it on your in-scope assets. In my research I stumbled across a finding that I consider extremely critical not only for JupiterOne demo but for all customers and organizations which share their privatedata/channels/conversations on JupiterOne demo.\\n\\n### Steps to Reproduce\\n\\nThe bug chain is as follows:\\n1) HTTP Request Smuggling CTLE to Arbitrary Request Hijacking (Poisoned Socket) on JupiterOne demob.com\\n2) Request Hijack forces victim HTTP requests to instead use GET https://\\u003cURL\\u003e HTTP/1.1 on JupiterOne demob.com\\n3) A request of GET https://\\u003cURL\\u003e HTTP/1.1 on the backend server socket results in a 301 redirect to https://\\u003cURL\\u003e with JupiterOne demo cookies (most importantly the d cookie)\\n4) Me with my Burp Collaborator steals victims cookies by using a collaborator server as the defined \\u003cURL\\u003e in the attack\\n5) Me (if I were evil) collects massive amounts of d session cookies and steals any/all possible JupiterOne demo user/organization data from victim sessions\\n\\n### Remediation\\n\\nTo fix this you need to use HTTP/2 for back-end connections, as this protocol prevents ambiguity about the boundaries between requests.\\nThe front-end server processes the Content-Length header and determines that the request body is 13 bytes long, up to the end of SMUGGLED. This request is forwarded on to the back-end server.\\n\\nThe back-end server processes the Transfer-Encoding header, and so treats the message body as using chunked encoding. It processes the first chunk, which is stated to be zero length, and so is treated as terminating the request. 
The following bytes, SMUGGLED, are left unprocessed, and the back-end server will treat these as being the start of the next request in the sequence.\\n\\n## Impact\\n\\nSo it is my opinion that this is a severe critical vulnerability that could lead to a massive data breach of a majority of customer data. With this attack it would be trivial for a bad actor to create bots that consistantly issue this attack, jump onto the victim session and steal all possible data within reach.\\nI am really happy I found this for you guys so that it can be dealt with ASAP. I really hope there haven't been any attacks on customers using this vulnerability.\\nBest Wishes,\\ncosmo\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:52.732Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:52.732Z\",\"last_activity_at\":\"2022-12-09T06:51:52.732Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/
ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770232\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:27.437Z\",\"score\":8.1,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"low\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"weakness\":{\"data\":{\"id\":\"86\",\"type\":\"weakness\",\"attributes\":{\"name\":\"HTTP Request Smuggling\",\"description\":\"When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to \\\"smuggle\\\" a request to one device without the other device being aware of 
it.\",\"external_id\":\"cwe-444\",\"created_at\":\"2017-01-26T23:29:14.332Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794557\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR - Edit Anyone's Blogs / Websites\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T06:51:25.465Z\",\"vulnerability_information\":\"Hello there,\\nI hope all is well!\\nSteps:\\nGo to https://jupiterone.com/signup and create 2 accounts.\\nLogin as victim and go to https://www.jupiterone.com/edit-user-profile\\nClick Add Blog / Website text and fill the form \\u003e click Save Settings button\\nGo to https://www.jupiterone.com/edit-user-profile, again and search radMainSite text in page source and copy value.\\nThen login as attacker.\\nGo to https://www.jupiterone.com/edit-user-profile \\u003e click Add Blog / Website text and fill the form \\u003e click Save Settings button\\nGo to https://www.jupiterone.com/edit-user-profile, again and click Save Settings button \\u003e open burp suite and change hidBlogID parameter with victim's hidBlogID.\\nForward the request and go to victim's account. Check your website informations. 
You will see it's changed.\\n\\n## Impact\\n\\nChange victim's website/blog information - leading to personal data exposure, defacing of customer content and loss of company revenue.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:52.734Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:52.734Z\",\"last_activity_at\":\"2022-12-09T06:51:52.734Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\"
:\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770231\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:25.592Z\",\"score\":8.1,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"low\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"weakness\":{\"data\":{\"id\":\"55\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insecure Direct Object Reference (IDOR)\",\"description\":\"The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.\",\"external_id\":\"cwe-639\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794521\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS on api.playtronics.com\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:49:53.816Z\",\"vulnerability_information\":\"The `/print.json` endpoint on the Playtronics API (`api.playtronics.com`) contains a\\nreflected 
XSS vulnerability via the `title` parameter.\\n\\n### Steps to reproduce\\n1. Generate an API key for any user/permission on the Playtronics API\\n2. Send victim to an URL with the reflected XSS payload embedded:\\n`https://api.playtronics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e`\\n\\n### Proof of Concept\\nIt is possible to hide the reflected XSS payload inside another web page to make the\\nattack more stealthy. Here's a way to do it with an iframe:\\n\\n```\\n\\u003ciframe src=\\\"https://api.playtromnics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e\\\" /\\u003e\\n```\\n\\n### Remediaton\\n* Ensure the HTTP responses from the API are always `Content-Type: application/json`\\n* Properly sanitize the user input for the `title` parameter in the `print.json` endpoint\\nand escape potentially dangerous characters, such as HTML tags and JavaScript\\n\\n## Impact\\n\\nAn attacker can execute arbitrary JavaScript on api.playtronics.com, potentially\\nescalating the impact by capturing the API token of the 
victim.\",\"triaged_at\":\"2022-12-06T06:49:54.297Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-06T06:49:54.729Z\",\"first_program_activity_at\":\"2022-12-06T06:49:54.004Z\",\"last_program_activity_at\":\"2022-12-06T06:49:54.611Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:54.611Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1444\",\"last_public_activity_at\":\"2022-12-06T06:49:54.729Z\",\"last_activity_at\":\"2022-12-06T06:49:54.729Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"h
ackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770195\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:53.879Z\",\"score\":8.3,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"none\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[{\"id\":\"442260\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-06T06:49:54.599Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794521\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS on api.playtronics.com\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:49:53.816Z\",\"vulnerability_information\":\"The `/print.json` endpoint on the Playtronics API (`api.playtronics.com`) contains a\\nreflected XSS vulnerability via the `title` parameter.\\n\\n### Steps to reproduce\\n1. Generate an API key for any user/permission on the Playtronics API\\n2. 
Send victim to an URL with the reflected XSS payload embedded:\\n`https://api.playtronics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e`\\n\\n### Proof of Concept\\nIt is possible to hide the reflected XSS payload inside another web page to make the\\nattack more stealthy. Here's a way to do it with an iframe:\\n\\n```\\n\\u003ciframe src=\\\"https://api.playtromnics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e\\\" /\\u003e\\n```\\n\\n### Remediaton\\n* Ensure the HTTP responses from the API are always `Content-Type: application/json`\\n* Properly sanitize the user input for the `title` parameter in the `print.json` endpoint\\nand escape potentially dangerous characters, such as HTML tags and JavaScript\\n\\n## Impact\\n\\nAn attacker can execute arbitrary JavaScript on api.playtronics.com, potentially\\nescalating the impact by capturing the API token of the 
victim.\",\"triaged_at\":\"2022-12-06T06:49:54.297Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-06T06:49:54.729Z\",\"first_program_activity_at\":\"2022-12-06T06:49:54.004Z\",\"last_program_activity_at\":\"2022-12-06T06:49:54.611Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:54.611Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1444\",\"last_public_activity_at\":\"2022-12-06T06:49:54.729Z\",\"last_activity_at\":\"2022-12-06T06:49:54.729Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794532\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin system credentials leaked in public GitHub commit history\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-05T06:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-12-05T09:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:23.560Z\",\"first_program_activity_at\":\"2022-12-06T06:50:22.070Z\",\"last_program_activity_at\":\"2022-12-05T09:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:50:23.560Z\",\"last_activity_at\":\"2022-12-09T06:50:23.560Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLC
JleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770206\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:21.909Z\"}}},\"weakness\":{\"data\":{\"id\":\"1027\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Reflection Injection\",\"description\":\"An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. 
This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.\",\"external_id\":\"capec-138\",\"created_at\":\"2022-07-06T18:33:49.925Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794529\",\"type\":\"report\",\"attributes\":{\"title\":\"Crypto - Ethereum account balance manipulation\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-05T06:49:54.883Z\",\"vulnerability_information\":\"If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed\\nSteps To Reproduce:\\nSetup a smart contract with a few valid wallets and 1 final faulty wallet (always throw exception when receiving funds smart contract for example)\\nTransfer appropriate funds to smart contract.\\nExecute smart contract adding the set amount of ether to the wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.\\nRepeat until you have more than enough ethereum in your wallet.\\nCash out, transfer to off site wallet\\n\\n## Impact\\n\\nBy using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your 
account.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.440Z\",\"first_program_activity_at\":\"2022-12-06T06:50:10.664Z\",\"last_program_activity_at\":\"2022-12-05T09:49:54.883Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.440Z\",\"last_activity_at\":\"2022-12-09T06:51:43.440Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"progra
m\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770203\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:10.554Z\"}}},\"weakness\":{\"data\":{\"id\":\"1385\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Open-Source Library Manipulation\",\"description\":\"Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.\",\"external_id\":\"capec-538\",\"created_at\":\"2022-07-06T18:53:39.017Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794501\",\"type\":\"report\",\"attributes\":{\"title\":\"Mobile - Read new emails from any inbox IOS APP in notification center\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-05T06:48:28.517Z\",\"vulnerability_information\":\"IDOR vulnerability in notification center API as used by jupiterone.com Mail application for iOS allowed to request notifications for arbitrary e-mail address\\n\\n## Impact\\n\\nPersonal Data Exposure, account take over and down time for your major IOS 
app.\",\"triaged_at\":\"2022-12-05T10:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:35.306Z\",\"first_program_activity_at\":\"2022-12-06T06:48:34.640Z\",\"last_program_activity_at\":\"2022-12-05T10:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1750\",\"last_public_activity_at\":\"2022-12-09T06:48:35.306Z\",\"last_activity_at\":\"2022-12-09T06:48:35.306Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2023-01-16T10:48:28.517Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-16T06:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-07T06:48:28.517Z\",\"timer_report_triage_elapsed_time\":14400},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJ
fcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770175\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:48:34.407Z\"}}},\"weakness\":{\"data\":{\"id\":\"1053\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Spear Phishing\",\"description\":\"An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. 
As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.\",\"external_id\":\"capec-163\",\"created_at\":\"2022-07-06T18:35:18.823Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794499\",\"type\":\"report\",\"attributes\":{\"title\":\"Collaboration - Memory corruption in imap-parser.c\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-01T18:48:28.517Z\",\"vulnerability_information\":\"Hello JupiterOne demo devs, this is a report from Bishop and Cosmo. We are researchers at the University of Pennsylvania. We’ve been fuzzing JupiterOne demo and have triggered some memory errors---this one is the most serious, and can be used for controlled indirect out-of-bounds writes into heap memory.\\nSummary:\\nThe imapparser_read_string() function inside imap-parser.c sets the parser -\\u003e str_first_escape field equal to the index of the first ‘\\\\\\\\’ escape character found when parsing the input data. However, it does not check for a null byte (end of string) when scanning that data. 
As a result, if a ‘\\\\\\\\’ is placed _after a null byte in an input data, then the str_first_escape index may be larger than the strlen() of the actual data, which leads to out of bounds heap memory accesses (both reads and writes).\\nOn line 266 of imap-parser.c, a new string is allocated from the memory pool of the parser, and a copy of the input data is copied there using p_strndup():\\nstr = p_strndup(parser-\\u003epool, data+1, size-1);\\npstrndup() computes the _length of the original string (distance to first null byte), allocates that many bytes, and then copies that many bytes into the allocated buffer. Several lines later the program calls str_unescape() on the shorter copied string using the original offset parser -\\u003e str_first_escape:\\n(void)str_unescape(str + parser-\\u003estr_first_escape-1);\\nAs noted, we can create inputs in which str_first_escape will have a larger value than the actual length of the string, thus driving str out of bounds in the input to str_unescape(). The p_strndup() allocates its memory from the parser memory pool; with an appropriate arrangement of the pool, this could be made to allocate from a block with a higher address than the data; because the distance between the ‘\\\\\\\\’ and the null byte can be controlled by an attacker and is only constrained by the length of a line, the pointer can thus be set to a controlled value outside of the memory pool. str_unescape() performs writes, which could be used to corrupt arbitrary heap memory that is allocated after the pool, thus providing realistic footing for exploitation. 
Attached to this report are two screenshots from Address Sanitizer that show the state of the call stack and the detected out-of-bounds writes to heap objects.\\nReleases Affected:\\nThe affected code has not been touched since 2003 and the vulnerability may be older than that.\\nSteps To Reproduce:\\nCompile JupiterOne demo with ASAN to detect memory errors, or add the assertion “i_assert(strlen(str) \\u003e= parser-\\u003estr_first_escape);” after line 270 in imap-parser.c to detect violations of that logical invariant.\\nInsert a ‘\\\\\\\\0’ before the first ‘\\\\\\\\’ in a string that will be parsed by imap-parser.c --- example IMAP session provided below\\nRun session\\nExample session:\\na0000 AUTHENTICATE PLAIN xxxxxxxxxxxxx\\na0001 CAPABILITY\\na0002 LIST \\\"0\\\\\\\\A\\\" “”\\na0006 CLOSE\\na0007 LOGOUT\\nNote the 0 before “\\\\\\\\A” would be an actual null byte not \\\\\\\\x30.\\nFixing the vulnerability\\nThe offset of the first escape should not be set higher than the offset of the null byte. This could be achieved either by setting str_first_escape if it has not been set when the first ‘\\\\\\\\0’ is encountered, or by terminating the processing (and maybe dropping the ill-behaved client) on that first ‘\\\\\\\\0’ and leaving str_first_escape unset. Given that we are not experts on this code and the nuances of the IMAP syntax, we can’t say which is more appropriate.\\nSupporting Material/References:\\nThis report includes two screenshots of Address Sanitizer reported out-of-bounds writes.\\nImpact\\nThis vulnerability allows for out-of-bounds writes to objects stored on the heap. One of the attached screenshots shows an ASAN report from a null byte write from line 76 of strescape.c; this alone can feasibly lead to arbitrary code execution, for example: https://bugs.chromium.org/p/project-zero/issues/detail?id=96\\nIn this particular case, the attacker capabilities are much greater than a single null byte overflow. 
Not only can the write be controlled to skip over memory and write to an offset of the attacker’s choosing, but if heap memory contains ‘\\\\\\\\’ bytes (which can be prepared by an attacker through previous IMAP session operations), then they will cause str_unescape() to perform a repeated series of writes as dictated by the logic of the function; attached is a screenshot showing out-of-bounds writes from line 73. Furthermore, this vulnerability can be triggered repeatedly within a single IMAP session, thus allowing quite sophisticated manipulation of heap memory. Once the state of memory can be corrupted this way in a complex program, arbitrary code execution should be assumed to be possible; all that remains is fitting the pieces together.\\n\\n## Impact\\n\\nThis vulnerability allows for out-of-bounds writes to objects stored on the heap. One of the attached screenshots shows an ASAN report from a null byte write from line 76 of strescape.c; this alone can feasibly lead to arbitrary code execution, for example: https://bugs.chromium.org/p/project-zero/issues/detail?id=96\\nIn this particular case, the attacker capabilities are much greater than a single null byte overflow. Not only can the write be controlled to skip over memory and write to an offset of the attacker’s choosing, but if heap memory contains ‘\\\\\\\\’ bytes (which can be prepared by an attacker through previous IMAP session operations), then they will cause str_unescape() to perform a repeated series of writes as dictated by the logic of the function; attached is a screenshot showing out-of-bounds writes from line 73. Furthermore, this vulnerability can be triggered repeatedly within a single IMAP session, thus allowing quite sophisticated manipulation of heap memory. 
Once the state of memory can be corrupted this way in a complex program, arbitrary code execution should be assumed to be possible; all that remains is fitting the pieces together.\",\"triaged_at\":\"2022-12-02T04:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:34.451Z\",\"first_program_activity_at\":\"2022-12-06T06:48:32.375Z\",\"last_program_activity_at\":\"2022-12-02T04:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1723\",\"last_public_activity_at\":\"2022-12-09T06:48:34.451Z\",\"last_activity_at\":\"2022-12-09T06:48:34.451Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2023-01-13T04:48:28.517Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-12T18:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-05T18:48:28.517Z\",\"timer_report_triage_elapsed_time\":36000},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-
photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770173\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:48:32.143Z\"}}},\"weakness\":{\"data\":{\"id\":\"548\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Authentication Bypass by Alternate Name\",\"description\":\"The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.\",\"external_id\":\"cwe-289\",\"created_at\":\"2022-07-06T18:04:55.580Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794520\",\"type\":\"report\",\"attributes\":{\"title\":\"SSH server compatible with several vulnerable cryptographic algorithms\",\"main_state\":\"closed\",\"state\":\"duplicate\",\"created_at\":\"2022-11-29T06:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles 
and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-15T06:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-29T06:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:45.563Z\",\"last_program_activity_at\":\"2022-12-15T06:48:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-15T06:48:35.164Z\",\"last_activity_at\":\"2022-12-15T06:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"original_report_id\":\"1794502\",\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-01T06:48:35.164Z\",\"timer_report_triage_elapsed_time\":1036789},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f25
3f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770194\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:49:45.389Z\"}}},\"weakness\":{\"data\":{\"id\":\"314\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incorrect Register Defaults or Module Parameters\",\"description\":\"Hardware description language code incorrectly defines register defaults or hardware IP parameters to insecure values.\",\"external_id\":\"cwe-1221\",\"created_at\":\"2022-07-06T17:52:26.223Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794498\",\"type\":\"report\",\"attributes\":{\"title\":\"Weak Recovery Mechanism - Reset Any 
Password\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-11-28T06:48:28.517Z\",\"vulnerability_information\":\"Summary:\\n When I try to reset the password, the verification code of the mailbox is 6 digits, and there is no limit on the number of submissions, so I can reset the password of any user.\\nSteps To Reproduce:\\n1. Input email and send code\\n2. Input email and send code for email account you want to take over\\n3. Input known vertification code to get to the next page\\n4. Modify request on next page with email account you want to take over and brute force the unkown verification code - there is no limit to this brute force and the code is only 6 characters\\n\\n## Impact\\n\\nI can change the password on any account, leading to account takeovers, loss of private data and loss of revenue/fine for company.\",\"triaged_at\":\"2022-11-28T14:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:31.964Z\",\"first_program_activity_at\":\"2022-12-06T06:48:30.317Z\",\"last_program_activity_at\":\"2022-11-28T14:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1722\",\"last_public_activity_at\":\"2022-12-09T06:48:31.964Z\",\"last_activity_at\":\"2022-12-09T06:48:31.964Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T06:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-11-30T06:48:28.517Z\",\"timer_report_triage_elapsed_time\":28800},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":
{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770172\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:48:30.092Z\"}}},\"weakness\":{\"data\":{\"id\":\"625\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Declaration of Catch for Generic Exception\",\"description\":\"Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.\",\"external_id\":\"cwe-396\",\"created_at\":\"2022-07-06T18:08:54.595Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can 
still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794519\",\"type\":\"report\",\"attributes\":{\"title\":\"Multiple Subdomain takeovers via unclaimed instances\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-28T00:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-27T00:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-28T00:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:43.055Z\",\"last_program_activity_at\":\"2022-12-27T00:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:43.435Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-27T00:08:35.164Z\",\"last_activity_at\":\"2022-12-27T00:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591455,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1814380,\"timer_report_triage_miss_at\":\"2022-11-30T00:08:35.164Z\",\"timer_report_triage_elapsed_time\":1814380},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\"
,\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770193\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:42.890Z\"}}},\"weakness\":{\"data\":{\"id\":\"472\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Permissive List of Allowed Inputs\",\"description\":\"The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.\",\"external_id\":\"cwe-183\",\"created_at\":\"2022-07-06T18:00:44.401Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442259\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-08T00:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794519\",\"type\":\"report\",\"attributes\":{\"title\":\"Multiple Subdomain takeovers via unclaimed 
instances\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-28T00:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-27T00:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-28T00:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:43.055Z\",\"last_program_activity_at\":\"2022-12-27T00:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:43.435Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-27T00:08:35.164Z\",\"last_activity_at\":\"2022-12-27T00:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591455,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1814380,\"timer_report_triage_miss_at\":\"2022-11-30T00:08:35.164Z\",\"timer_report_triage_elapsed_time\":1814380}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794518\",\"type\":\"report\",\"attributes\":{\"title\":\"Bypassing Homograph Attack Using\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-26T17:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-14T17:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-26T17:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:37.541Z\",\"last_program_activity_at\":\"2022-12-14T17:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:38.594Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-14T17:28:35.164Z\",\"last_activity_at\":\"2022-12-14T17:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2050093,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1099704,\"timer_report_triage_miss_at\":\"2022-11-30T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1099704},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecb
e47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770192\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:49:37.146Z\"}}},\"weakness\":{\"data\":{\"id\":\"1190\",\"type\":\"weakness\",\"attributes\":{\"name\":\"TCP FIN Scan\",\"description\":\"An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. 
This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.\",\"external_id\":\"capec-302\",\"created_at\":\"2022-07-06T18:43:00.350Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442258\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-29T17:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794518\",\"type\":\"report\",\"attributes\":{\"title\":\"Bypassing Homograph Attack Using\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-26T17:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-14T17:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-26T17:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:37.541Z\",\"last_program_activity_at\":\"2022-12-14T17:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:38.594Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-14T17:28:35.164Z\",\"last_activity_at\":\"2022-12-14T17:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2050093,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1099704,\"timer_report_triage_miss_at\":\"2022-11-30T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1099704}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794528\",\"type\":\"report\",\"attributes\":{\"title\":\"Open Source - Buffer underflow in Ruby sprintf\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-26T13:41:20.597Z\",\"vulnerability_information\":\"Find attached the crash file, the crash output and the suggestion for a fix: https://github.com/ruby/ruby/commit/0854193a684acc2b3a13ab28091a4397000c8822\\n\\n## Impact\\n\\nAttacker can cause the web application to execute arbitrary code – effectively taking over the machine on any web application using 
Ruby.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.339Z\",\"first_program_activity_at\":\"2022-12-06T06:50:09.119Z\",\"last_program_activity_at\":\"2022-11-26T23:41:20.597Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.339Z\",\"last_activity_at\":\"2022-12-09T06:51:43.339Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZ
hcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770202\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:08.995Z\"}}},\"weakness\":{\"data\":{\"id\":\"1492\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Hiding Malicious Data or Code within Files\",\"description\":\"Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. 
It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.\",\"external_id\":\"capec-636\",\"created_at\":\"2022-07-06T19:02:12.998Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794517\",\"type\":\"report\",\"attributes\":{\"title\":\"Leakage badges on disabled user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-25T10:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-25T10:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-25T10:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:32.654Z\",\"last_program_activity_at\":\"2022-12-25T10:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:32.998Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-25T10:48:35.164Z\",\"last_activity_at\":\"2022-12-25T10:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2639454,\"timer_bounty_awarded_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1775464,\"timer_report_triage_miss_at\":\"2022-11-29T10:48:35.164Z\",\"timer_report_triage_elapsed_time\":1775464},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJib
G9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770191\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:32.536Z\"}}},\"weakness\":{\"data\":{\"id\":\"422\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insufficient Precision or Accuracy of a Real Number\",\"description\":\"The program processes a real number with an implementation in which the number’s representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.\",\"external_id\":\"cwe-1339\",\"created_at\":\"2022-07-06T17:58:07.760Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442257\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"400.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"400.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-07T10:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794517\",\"type\":\"report\",\"attributes\":{\"title\":\"Leakage badges on disabled user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-25T10:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-25T10:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-25T10:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:32.654Z\",\"last_program_activity_at\":\"2022-12-25T10:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:32.998Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-25T10:48:35.164Z\",\"last_activity_at\":\"2022-12-25T10:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2639454,\"timer_bounty_awarded_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1775464,\"timer_report_triage_miss_at\":\"2022-11-29T10:48:35.164Z\",\"timer_report_triage_elapsed_time\":1775464}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794516\",\"type\":\"report\",\"attributes\":{\"title\":\"Open prod Jenkins instance\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-24T04:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T04:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-24T04:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:30.297Z\",\"last_program_activity_at\":\"2022-12-13T04:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:30.668Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T04:08:35.164Z\",\"last_activity_at\":\"2022-12-13T04:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1123188,\"timer_report_triage_miss_at\":\"2022-11-28T04:08:35.164Z\",\"timer_report_triage_elapsed_time\":1123188},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d0
0722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770190\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:30.117Z\"}}},\"weakness\":{\"data\":{\"id\":\"685\",\"type\":\"weakness\",\"attributes\":{\"name\":\"External Control of Assumed-Immutable Web Parameter\",\"description\":\"The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.\",\"external_id\":\"cwe-472\",\"created_at\":\"2022-07-06T18:12:09.751Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442256\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-23T04:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794516\",\"type\":\"report\",\"attributes\":{\"title\":\"Open prod Jenkins instance\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-24T04:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a 
variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T04:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-24T04:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:30.297Z\",\"last_program_activity_at\":\"2022-12-13T04:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:30.668Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T04:08:35.164Z\",\"last_activity_at\":\"2022-12-13T04:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1123188,\"timer_report_triage_miss_at\":\"2022-11-28T04:08:35.164Z\",\"timer_report_triage_elapsed_time\":1123188}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794515\",\"type\":\"report\",\"attributes\":{\"title\":\"Key Reinstallation Attacks\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-22T21:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T21:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-22T21:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:26.610Z\",\"last_program_activity_at\":\"2022-12-12T21:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:26.989Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T21:28:35.164Z\",\"last_activity_at\":\"2022-12-12T21:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1209587,\"timer_report_triage_miss_at\":\"2022-11-24T21:28:35.164Z\",\"timer_report_triage_elapsed_time\":1209587},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc
85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770189\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:26.483Z\"}}},\"weakness\":{\"data\":{\"id\":\"1153\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Fuzzing for garnering other adjacent user/sensitive data\",\"description\":\"An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide.\",\"external_id\":\"capec-261\",\"created_at\":\"2022-07-06T18:40:56.542Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442255\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-03T21:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794515\",\"type\":\"report\",\"attributes\":{\"title\":\"Key Reinstallation Attacks\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-22T21:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T21:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-22T21:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:26.610Z\",\"last_program_activity_at\":\"2022-12-12T21:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:26.989Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T21:28:35.164Z\",\"last_activity_at\":\"2022-12-12T21:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1209587,\"timer_report_triage_miss_at\":\"2022-11-24T21:28:35.164Z\",\"timer_report_triage_elapsed_time\":1209587}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794514\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup Source Code Detected\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-21T14:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-02T14:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-21T14:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:24.169Z\",\"last_program_activity_at\":\"2022-12-02T14:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:24.526Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-02T14:48:35.164Z\",\"last_activity_at\":\"2022-12-02T14:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_report_resolved_elapsed_time\":777592,\"timer_report_triage_miss_at\":\"2022-11-23T14:48:35.164Z\",\"timer_report_triage_elapsed_time\":777592},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d007
22ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770188\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:49:24.058Z\"}}},\"weakness\":{\"data\":{\"id\":\"1510\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Use of Known Windows Credentials\",\"description\":\"An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows domain credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the domain, under the guise of an authenticated user or service. Attacks leveraging trusted Windows credentials typically result in the adversary laterally moving within the local Windows network, since users are often allowed to login to systems/applications within the domain using their Windows domain password. This domain authentication can occur directly (user typing in their password or PIN) or via Single Sign-On (SSO) or cloud-based authentication, which often don't verify the authenticity of the user's input.\",\"external_id\":\"capec-653\",\"created_at\":\"2022-07-06T19:03:05.325Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442254\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-20T14:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794514\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup Source Code Detected\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-21T14:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-02T14:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-21T14:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:24.169Z\",\"last_program_activity_at\":\"2022-12-02T14:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:24.526Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-02T14:48:35.164Z\",\"last_activity_at\":\"2022-12-02T14:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_report_resolved_elapsed_time\":777592,\"timer_report_triage_miss_at\":\"2022-11-23T14:48:35.164Z\",\"timer_report_triage_elapsed_time\":777592}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794513\",\"type\":\"report\",\"attributes\":{\"title\":\"Leaking Referrer in Reset Password Link\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-20T08:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T08:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-20T08:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:20.564Z\",\"last_program_activity_at\":\"2022-12-13T08:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:21.073Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T08:08:35.164Z\",\"last_activity_at\":\"2022-12-13T08:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2880483,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1411700,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1411700},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2l
kIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770187\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:49:20.218Z\"}}},\"weakness\":{\"data\":{\"id\":\"533\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: 'dir/../../filename'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal \\\"../\\\" sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-27\",\"created_at\":\"2022-07-06T18:04:03.773Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442253\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-05T08:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794513\",\"type\":\"report\",\"attributes\":{\"title\":\"Leaking Referrer in Reset Password Link\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-20T08:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T08:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-20T08:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:20.564Z\",\"last_program_activity_at\":\"2022-12-13T08:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:21.073Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T08:08:35.164Z\",\"last_activity_at\":\"2022-12-13T08:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2880483,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1411700,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1411700}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794512\",\"type\":\"report\",\"attributes\":{\"title\":\"Keybase extension hostname-validation regular expression issue\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-19T01:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-10T01:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-19T01:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:14.696Z\",\"last_program_activity_at\":\"2022-12-10T01:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:16.507Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-10T01:28:35.164Z\",\"last_activity_at\":\"2022-12-10T01:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2942882,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1295986},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJib
G9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770186\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:14.571Z\"}}},\"weakness\":{\"data\":{\"id\":\"1235\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Application API Button Hijacking\",\"description\":\"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. 
Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.\",\"external_id\":\"capec-388\",\"created_at\":\"2022-07-06T18:45:23.172Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442252\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"800.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"800.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-06T01:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794512\",\"type\":\"report\",\"attributes\":{\"title\":\"Keybase extension hostname-validation regular expression issue\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-19T01:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-10T01:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-19T01:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:14.696Z\",\"last_program_activity_at\":\"2022-12-10T01:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:16.507Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-10T01:28:35.164Z\",\"last_activity_at\":\"2022-12-10T01:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2942882,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1295986}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794527\",\"type\":\"report\",\"attributes\":{\"title\":\"RCE - Remote Code Execution on app.jupiterone.com using bulk customer update of Priority Products\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-17T20:32:46.311Z\",\"vulnerability_information\":\"Hi,\\nBackground\\napp.jupiterone.com allows the administrator to upload priority product images located at:\\nhttps://app.jupiterone.com/seller/onboarding/1\\n\\n\\nThese images are not being checked if they are real JPG/PNG/GIF. 
When uploading an ImageTragick using a specific payload then connecting app.JupiterOne demo to JupiterOne demo Messenger, and writing the right commands a reverse shell will be created to my host.\\n\\nI also verified I can access AWS metadata.\\n\\nYou should immediately make sure Postscript files cannot be uploaded here, or urgently update or remove Ghostscript from the imagemagick instance.\\nRegards,\\nFrans and Mathias\\n\\n## Impact\\n\\nAccess AWS secret keys, personal data and execute code on server.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.323Z\",\"first_program_activity_at\":\"2022-12-06T06:50:07.506Z\",\"last_program_activity_at\":\"2022-11-18T18:32:46.311Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.323Z\",\"last_activity_at\":\"2022-12-09T06:51:43.323Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hac
kerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770201\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:07.339Z\"}}},\"weakness\":{\"data\":{\"id\":\"921\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Filtering of Special Elements\",\"description\":\"The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.\",\"external_id\":\"cwe-790\",\"created_at\":\"2022-07-06T18:27:51.923Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794511\",\"type\":\"report\",\"attributes\":{\"title\":\"Access to Private Photos of Apps in App section(IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-17T18:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-17T18:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-17T18:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:12.284Z\",\"last_program_activity_at\":\"2022-12-17T18:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:12.642Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-17T18:48:35.164Z\",\"last_activity_at\":\"2022-12-17T18:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3561043,\"timer_bounty_awarded_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1833063,\"timer_report_triage_miss_at\":\"2022-11-21T18:48:35.164Z\",\"timer_report_triage_elapsed_time\":1833063},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\"
,\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770185\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:12.168Z\"}}},\"weakness\":{\"data\":{\"id\":\"907\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Missing Reference to Active File Descriptor or Handle\",\"description\":\"The software does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.\",\"external_id\":\"cwe-773\",\"created_at\":\"2022-07-06T18:27:09.309Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage 
your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442251\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-14T18:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794511\",\"type\":\"report\",\"attributes\":{\"title\":\"Access to Private Photos of Apps in App section(IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-17T18:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-17T18:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-17T18:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:12.284Z\",\"last_program_activity_at\":\"2022-12-17T18:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:12.642Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-17T18:48:35.164Z\",\"last_activity_at\":\"2022-12-17T18:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3561043,\"timer_bounty_awarded_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1833063,\"timer_report_triage_miss_at\":\"2022-11-21T18:48:35.164Z\",\"timer_report_triage_elapsed_time\":1833063}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794510\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin Panel Accessed (OAuth Bypassed )\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-16T12:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T12:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-16T12:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:05.685Z\",\"last_program_activity_at\":\"2022-12-12T12:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:10.113Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T12:08:35.164Z\",\"last_activity_at\":\"2022-12-12T12:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3369562,\"timer_bounty_awarded_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-18T12:08:35.164Z\",\"timer_report_triage_elapsed_time\":1555183},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc
85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770184\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:05.574Z\"}}},\"weakness\":{\"data\":{\"id\":\"667\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Multiple Interpretations of UI Input\",\"description\":\"The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.\",\"external_id\":\"cwe-450\",\"created_at\":\"2022-07-06T18:11:16.745Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442250\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-10T12:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794510\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin Panel Accessed (OAuth Bypassed )\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-16T12:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T12:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-16T12:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:05.685Z\",\"last_program_activity_at\":\"2022-12-12T12:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:10.113Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T12:08:35.164Z\",\"last_activity_at\":\"2022-12-12T12:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3369562,\"timer_bounty_awarded_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-18T12:08:35.164Z\",\"timer_report_triage_elapsed_time\":1555183}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794509\",\"type\":\"report\",\"attributes\":{\"title\":\"CVE-2017-15277 on Profile page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-15T05:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-09T05:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-15T05:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:00.716Z\",\"last_program_activity_at\":\"2022-12-09T05:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:01.645Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T05:28:35.164Z\",\"last_activity_at\":\"2022-12-09T05:28:35.164Z\",\"cve_ids\":[\"CVE-2017-15277\"],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3196764,\"timer_bounty_awarded_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-17T05:28:35.164Z\",\"timer_report_triage_elapsed_time\":1555183},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bc
a9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770183\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:00.436Z\"}}},\"weakness\":{\"data\":{\"id\":\"1151\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Leveraging Race Conditions\",\"description\":\"The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by \\\"running the race\\\", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.\",\"external_id\":\"capec-26\",\"created_at\":\"2022-07-06T18:40:51.054Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442249\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-05T05:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794509\",\"type\":\"report\",\"attributes\":{\"title\":\"CVE-2017-15277 on Profile page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-15T05:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-09T05:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-15T05:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:00.716Z\",\"last_program_activity_at\":\"2022-12-09T05:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:01.645Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T05:28:35.164Z\",\"last_activity_at\":\"2022-12-09T05:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3196764,\"timer_bounty_awarded_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-17T05:28:35.164Z\",\"timer_report_triage_elapsed_time\":1555183}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794508\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect via ReturnUrl parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-13T22:48:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-14T09:48:35.164Z\",\"closed_at\":\"2022-11-28T22:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-13T22:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:55.098Z\",\"last_program_activity_at\":\"2022-11-28T22:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:55.518Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-28T22:48:35.164Z\",\"last_activity_at\":\"2022-11-28T22:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2552372,\"timer_bounty_awarded_miss_at\":\"2022-12-26T09:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":946106,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":35315},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770182\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:48:54.758Z\"}}},\"weakness\":{\"data\":{\"id\":\"607\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Internal State Distinction\",\"description\":\"The software does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant 
manner.\",\"external_id\":\"cwe-372\",\"created_at\":\"2022-07-06T18:07:58.337Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442248\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-23T22:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794508\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect via ReturnUrl parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-13T22:48:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-14T09:48:35.164Z\",\"closed_at\":\"2022-11-28T22:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-13T22:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:55.098Z\",\"last_program_activity_at\":\"2022-11-28T22:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:55.518Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-28T22:48:35.164Z\",\"last_activity_at\":\"2022-11-28T22:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2552372,\"timer_bounty_awarded_miss_at\":\"2022-12-26T09:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":946106,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":35315}}}}}}]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\",\"next\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\"}}" }, "cookies": [], "headers": [ { "name": "date", - "value": "Mon, 19 Dec 2022 22:59:29 GMT" + "value": "Mon, 23 Jan 2023 10:02:16 GMT" }, { "name": "content-type", @@ -62,7 +505,7 @@ }, { "name": "connection", - "value": "close" + "value": "keep-alive" }, { "name": "vary", @@ -70,11 +513,11 @@ }, { "name": "x-request-id", - "value": "02910412-ecdf-49ba-8b1b-e21fdf1da167" + "value": "972fb32a-0743-4165-96b5-1d08f317a62e" }, { "name": "etag", - "value": "W/\"d9004f6f4a856101801d5fb09c9f979d\"" + "value": "W/\"79366a034bf4b86620a09a6cca4985e8\"" }, { "name": "cache-control", 
@@ -114,7 +557,7 @@ }, { "name": "content-security-policy", - "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" }, { "name": "cf-cache-status", 
@@ -126,17 +569,17 @@ }, { "name": "cf-ray", - "value": "77c3bfb1afe82806-SLC" + "value": "78dfb14ea8690441-HKG" } ], - "headersSize": 1514, + "headersSize": 1563, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2022-12-19T22:59:27.291Z", - "time": 2287, + "startedDateTime": "2023-01-23T10:02:13.749Z", + "time": 2774, "timings": { "blocked": -1, "connect": -1, @@ -144,7 +587,7 @@ "receive": 0, "send": 0, "ssl": -1, - "wait": 2287 + "wait": 2774 } }, { 
@@ -190,13 +633,13 @@ "content": { "mimeType": "application/json; charset=utf-8", "size": 118866, - "text": "{\"data\":[{\"id\":\"1794507\",\"type\":\"report\",\"attributes\":{\"title\":\"Changing details of other users profile using UUID (IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-12T16:08:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-12T19:08:35.164Z\",\"closed_at\":\"2022-12-06T16:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-12T16:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:51.362Z\",\"last_program_activity_at\":\"2022-12-06T16:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:51.795Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-06T16:08:35.164Z\",\"last_activity_at\":\"2022-12-06T16:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1440500,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://
profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770181\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:48:51.190Z\"}}},\"weakness\":{\"data\":{\"id\":\"1572\",\"type\":\"weakness\",\"attributes\":{\"name\":\"DEPRECATED: XML Parser Attack\",\"description\":\"This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. 
Please refer to these CAPECs going forward.\",\"external_id\":\"capec-99\",\"created_at\":\"2022-07-06T19:06:25.933Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442247\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"2000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"2000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-24T16:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794507\",\"type\":\"report\",\"attributes\":{\"title\":\"Changing details of other users profile using UUID (IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-12T16:08:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-12T19:08:35.164Z\",\"closed_at\":\"2022-12-06T16:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-12T16:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:51.362Z\",\"last_program_activity_at\":\"2022-12-06T16:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:51.795Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-06T16:08:35.164Z\",\"last_activity_at\":\"2022-12-06T16:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1440500,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":0}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794506\",\"type\":\"report\",\"attributes\":{\"title\":\"Time Based SQL Injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-11T09:28:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T09:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-11T09:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:48.208Z\",\"last_program_activity_at\":\"2022-11-29T09:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:49.264Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T09:28:35.164Z\",\"last_activity_at\":\"2022-11-29T09:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1727981,\"timer_bounty_awarded_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1036789,\"timer_report_triage_miss_at\":\"2022-11-15T09:28:35.164Z\",\"timer_report_triage_elapsed_time\":1036789},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\
":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770180\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:48:48.083Z\"}}},\"weakness\":{\"data\":{\"id\":\"1577\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Use of Default Password\",\"description\":\"The product uses default passwords for potentially critical functionality.\",\"external_id\":\"cwe-1393\",\"created_at\":\"2022-12-06T06:00:45.688Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442246\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-09T09:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794506\",\"type\":\"report\",\"attributes\":{\"title\":\"Time Based SQL Injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-11T09:28:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T09:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-11T09:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:48.208Z\",\"last_program_activity_at\":\"2022-11-29T09:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:49.264Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T09:28:35.164Z\",\"last_activity_at\":\"2022-11-29T09:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1727981,\"timer_bounty_awarded_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1036789,\"timer_report_triage_miss_at\":\"2022-11-15T09:28:35.164Z\",\"timer_report_triage_elapsed_time\":1036789}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794505\",\"type\":\"report\",\"attributes\":{\"title\":\"Claiming ownership of GitHub handles via forked GitHub gists.\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-10T02:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-01T02:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-10T02:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:45.114Z\",\"last_program_activity_at\":\"2022-12-01T02:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:45.502Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-01T02:48:35.164Z\",\"last_activity_at\":\"2022-12-01T02:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1987178,\"timer_bounty_awarded_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-14T02:48:35.164Z\",\"timer_report_triage_elapsed_time\":1295986},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2l
kIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770179\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:48:45.002Z\"}}},\"weakness\":{\"data\":{\"id\":\"1491\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Alternative Execution Due to Deceptive Filenames\",\"description\":\"The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.\",\"external_id\":\"capec-635\",\"created_at\":\"2022-07-06T19:02:10.604Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442245\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"100.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"100.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-13T02:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794505\",\"type\":\"report\",\"attributes\":{\"title\":\"Claiming ownership of GitHub handles via forked GitHub gists.\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-10T02:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-01T02:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-10T02:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:45.114Z\",\"last_program_activity_at\":\"2022-12-01T02:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:45.502Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-01T02:48:35.164Z\",\"last_activity_at\":\"2022-12-01T02:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1987178,\"timer_bounty_awarded_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-14T02:48:35.164Z\",\"timer_report_triage_elapsed_time\":1295986}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794526\",\"type\":\"report\",\"attributes\":{\"title\":\"Kubernetes - Blind SSRF on JupiterOne demo.canary.k8s.io\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-09T03:24:12.026Z\",\"vulnerability_information\":\"A blind server-side request forgery (SSRF) was found at the endpoint http://JupiterOne demo.canary.k8s.io/api/snapshots via a JSON parameter. An attacker can force the host to make a request to arbitrary URLs.\\n\\n## Impact\\n\\nAn attacker can force the host to make a request to arbitrary URLs. 
Allowing us to assume host permissions and access internal infrastructure - including private data.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.296Z\",\"first_program_activity_at\":\"2022-12-06T06:50:04.277Z\",\"last_program_activity_at\":\"2022-11-09T15:24:12.026Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.296Z\",\"last_activity_at\":\"2022-12-09T06:51:43.296Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"
\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770200\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:04.155Z\"}}},\"weakness\":{\"data\":{\"id\":\"1062\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Web Application Fingerprinting\",\"description\":\"An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. 
While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.\",\"external_id\":\"capec-170\",\"created_at\":\"2022-07-06T18:35:44.773Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794504\",\"type\":\"report\",\"attributes\":{\"title\":\"Corrupt RPC responses from remote daemon nodes can lead to transaction tracing\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-08T20:08:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-09T05:08:35.164Z\",\"closed_at\":\"2022-11-18T20:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-08T20:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:42.348Z\",\"last_program_activity_at\":\"2022-11-18T20:08:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-18T20:08:35.164Z\",\"last_activity_at\":\"2022-11-18T20:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-21T05:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-20T20:08:35.164Z\",\"timer_report_resolved_elapsed_time\":691193,\"timer_report_triage_miss_at\":\"2022-11-10T20:08:35.164Z\",\"timer_report_triage_elapsed_time\":32400},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6
IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770178\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:48:42.210Z\"}}},\"weakness\":{\"data\":{\"id\":\"487\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Observable Internal Behavioral Discrepancy\",\"description\":\"The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.\",\"external_id\":\"cwe-206\",\"created_at\":\"2022-07-06T18:01:36.783Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794503\",\"type\":\"report\",\"attributes\":{\"title\":\"Unauthenticated LFI revealing log 
information\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-07T13:28:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-07T15:28:35.164Z\",\"closed_at\":\"2022-12-07T13:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-07T13:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:40.023Z\",\"last_program_activity_at\":\"2022-12-07T13:28:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-07T13:28:35.164Z\",\"last_activity_at\":\"2022-12-07T13:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-19T15:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-19T13:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1900779,\"timer_report_triage_miss_at\":\"2022-11-09T13:28:35.164Z\",\"timer_report_triage_elapsed_time\":7200},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants
/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770177\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:48:39.198Z\"}}},\"weakness\":{\"data\":{\"id\":\"1315\",\"type\":\"weakness\",\"attributes\":{\"name\":\"HTTP Parameter Pollution (HPP)\",\"description\":\"An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. 
Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.\",\"external_id\":\"capec-460\",\"created_at\":\"2022-07-06T18:50:00.662Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794556\",\"type\":\"report\",\"attributes\":{\"title\":\"Roof accessible by unauthorized personnel\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-11-06T06:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-11-09T06:51:18.490Z\",\"last_reporter_activity_at\":\"2022-11-06T06:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:23.812Z\",\"last_program_activity_at\":\"2022-11-09T06:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-09T06:51:18.490Z\",\"last_activity_at\":\"2022-11-09T06:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700
\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770230\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:23.665Z\"}}},\"weakness\":{\"data\":{\"id\":\"1505\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Adding a Space to a File Extension\",\"description\":\"An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.\",\"external_id\":\"capec-649\",\"created_at\":\"2022-07-06T19:02:52.439Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794553\",\"type\":\"report\",\"attributes\":{\"title\":\"Apache web server version disclosure\",\"main_state\":\"closed\",\"state\":\"not-applicable\",\"created_at\":\"2022-11-06T06:51:14.565Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-07T06:51:14.565Z\",\"last_reporter_activity_at\":\"2022-11-06T06:51:14.565Z\",\"first_program_activity_at\":\"2022-12-06T06:51:18.058Z\",\"last_program_activity_at\":\"2022-11-07T06:51:14.565Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-07T06:51:14.565Z\",\"last_activity_at\":\"2022-11-07T06:51:14.565Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770227\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:51:17.947Z\"}}},\"weakness\":{\"data\":{\"id\":\"89\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Information Exposure Through Directory Listing\",\"description\":\"A directory listing is inappropriately exposed, yielding potentially sensitive information to 
attackers.\",\"external_id\":\"cwe-548\",\"created_at\":\"2017-01-26T23:29:15.748Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794551\",\"type\":\"report\",\"attributes\":{\"title\":\"Subdomain takeover due to unclaimed S3 bucket\",\"main_state\":\"closed\",\"state\":\"duplicate\",\"created_at\":\"2022-11-06T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-08T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-11-06T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:10.676Z\",\"last_program_activity_at\":\"2022-11-08T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-08T06:50:22.684Z\",\"last_activity_at\":\"2022-11-08T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"original_report_id\":\"1794533\",\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":3},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6
IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770225\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:10.515Z\"}}},\"weakness\":{\"data\":{\"id\":\"1032\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Detect Unpublicized Web Pages\",\"description\":\"An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.\",\"external_id\":\"capec-143\",\"created_at\":\"2022-07-06T18:34:04.072Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794502\",\"type\":\"report\",\"attributes\":{\"title\":\"Subdomain takeover\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-06T06:48:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T06:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-06T06:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:36.693Z\",\"last_program_activity_at\":\"2022-11-29T06:48:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T06:48:35.164Z\",\"last_activity_at\":\"2022-11-29T06:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-19T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-19T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1406900,\"timer_report_triage_miss_at\":\"2022-11-09T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1406900},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b5
53ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770176\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:48:36.520Z\"}}},\"weakness\":{\"data\":{\"id\":\"129\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Blacklist\",\"description\":\"An application uses a \\\"blacklist\\\" of prohibited values, but the blacklist is incomplete.\",\"external_id\":\"cwe-184\",\"created_at\":\"2018-05-14T20:48:53.932Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play 
Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794531\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS in article description through /articles/new\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-11-04T18:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-05T10:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:23.555Z\",\"first_program_activity_at\":\"2022-12-06T06:50:17.690Z\",\"last_program_activity_at\":\"2022-11-05T10:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1423\",\"last_public_activity_at\":\"2022-12-09T06:50:23.555Z\",\"last_activity_at\":\"2022-12-09T06:50:23.555Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced9883
5000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770205\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:16.967Z\"}}},\"weakness\":{\"data\":{\"id\":\"75\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Privilege Escalation\",\"description\":\"An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.\",\"external_id\":\"capec-233\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794525\",\"type\":\"report\",\"attributes\":{\"title\":\"Mobile - iPhone app XSS in JupiterOne 
demo Mail\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-31T10:15:37.740Z\",\"vulnerability_information\":\"During a recent security review we did for a big tech giant, we discovered a Cross-Site Scripting (XSS) issue related to how in-app iOS browsers handle the rendering of attachments. We did a quick check to see if a related vulnerability would be present at JupiterOne demo.\\nWe discovered the JupiterOne demo Mail feature is particularly vulnerable to this. The XSS can be used to get access to other messages in a user’s inbox and can be wormified for greater impact.\\nTo reproduce this vulnerability, you need to send the attached file - fb-mail-poc.html (F328174) - to someone’s JupiterOne demo email address. This file contains the proof of concept exploit code. When the user opens the attachment via the JupiterOne demo iPhone app (might work on other mobile devices as well), the attached HTML file containing the exploit gets executed in the same origin as https://iphone.jupiterone.com. In this particular proof of concept, the victim will see their private messages displayed. It would be trivial to expand the PoC to send this data to an external server, or access other private information such as the victim’s photos.\\nTo clarify further, when opening the attachment on an iPhone via the JupiterOne demo app, the current session is used to authenticate and render the attachment in the mobile in-app browser. Because of the shared session, the browser can send AJAX calls to https://iphone.jupiterone.com and retrieve content. 
This also bypasses the frame busting mechanism and JSON obfuscation system, as it is unnecessary to do a cross-domain attack and the retrieved for (;;); can be removed on-the-fly given that the XSS operates in the same origin.\\nBecause we're in the Bay Area now and scheduled to fly back to the Netherlands on Monday, we asked if they could potentially expedite things a bit and see if we could do a meeting at FB and discuss our findings.\\\"\\n\\n## Impact\\n\\nIt would be trivial to expand the PoC to send this data to an external server, or access other private information such as the victim’s photos.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.308Z\",\"first_program_activity_at\":\"2022-12-06T06:50:02.748Z\",\"last_program_activity_at\":\"2022-11-01T00:15:37.740Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.308Z\",\"last_activity_at\":\"2022-12-09T06:51:43.308Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a4
82476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770199\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:02.620Z\"}}},\"weakness\":{\"data\":{\"id\":\"582\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: '....//'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-34\",\"created_at\":\"2022-07-06T18:06:38.373Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794550\",\"type\":\"report\",\"attributes\":{\"title\":\"Access partial location information of other users through 
IDOR\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-28T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-02T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-28T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:08.011Z\",\"last_program_activity_at\":\"2022-11-02T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:08.430Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-02T18:50:22.684Z\",\"last_activity_at\":\"2022-11-02T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2
bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770224\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:51:07.895Z\"}}},\"weakness\":{\"data\":{\"id\":\"140\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')\",\"description\":\"The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.\",\"external_id\":\"cwe-362\",\"created_at\":\"2018-05-15T14:03:21.939Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App 
Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442275\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-11-06T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794550\",\"type\":\"report\",\"attributes\":{\"title\":\"Access partial location information of other users through IDOR\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-28T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-02T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-28T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:08.011Z\",\"last_program_activity_at\":\"2022-11-02T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:08.430Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-02T18:50:22.684Z\",\"last_activity_at\":\"2022-11-02T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794524\",\"type\":\"report\",\"attributes\":{\"title\":\"API - Using the api, one can obtain the authentication token for any user on jupiterone.com\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-22T17:07:03.454Z\",\"vulnerability_information\":\"Using this request i can get the API token for any user on jupiterone.com.\\n$ curl -s --request GET https://jupiterone.com/api/userid | jq '.authentication_token'\\n\\\"[redacted]\\\"\\n\\n## Impact\\n\\nAccess personal information and access any 
account.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.345Z\",\"first_program_activity_at\":\"2022-12-06T06:50:01.066Z\",\"last_program_activity_at\":\"2022-10-23T00:07:03.454Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.345Z\",\"last_activity_at\":\"2022-12-09T06:51:43.345Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"progra
m\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770198\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:00.873Z\"}}},\"weakness\":{\"data\":{\"id\":\"185\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Enforcement of Behavioral Workflow\",\"description\":\"The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.\",\"external_id\":\"cwe-841\",\"created_at\":\"2022-07-05T22:18:12.437Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794549\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect can offload OAuth tokens to 3rd party domain\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-20T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-22T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-20T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:05.613Z\",\"last_program_activity_at\":\"2022-10-22T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:06.039Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-22T06:50:22.684Z\",\"last_activity_at\":\"2022-10-22T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/vari
ants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770223\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:51:05.499Z\"}}},\"weakness\":{\"data\":{\"id\":\"1050\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Exploit Script-Based APIs\",\"description\":\"Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support \\u003cscript\\u003e tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. 
Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.\",\"external_id\":\"capec-160\",\"created_at\":\"2022-07-06T18:35:09.892Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442274\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-23T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794549\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect can offload OAuth tokens to 3rd party domain\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-20T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-22T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-20T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:05.613Z\",\"last_program_activity_at\":\"2022-10-22T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:06.039Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-22T06:50:22.684Z\",\"last_activity_at\":\"2022-10-22T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794523\",\"type\":\"report\",\"attributes\":{\"title\":\"Authentication - User can bypass 2-factor authentication\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-13T23:58:29.169Z\",\"vulnerability_information\":\"Steps to reproduce:\\n\\n Login to your account and remove your 2FA on your account (if you already setup it)\\n Now go to https://jupiterone.com/parrot_sec and hit Submit Report button, observed that you cannot submit report unless you will enable your 2FA.\\n BYPASS: Get the Embedded Submission URL on their policy page: i get this -\\u003e\\u003e https://jupiterone.com/0a1e1f11-257e-4b46-b949-c7151212ffbb/embedded_submissions/new\\n Now submit report using that embedded submission form and you can submit reports without setting-up your 2FA, despite the program enforce the user to setup the 2FA before submitting new reports.\\n 2FA requirements successfully bypassed!'\\n\\n## Impact\\n\\nAllow any user to bypass multiple program restrictions, such as the 2FA requirement, report rate limit, 
and internal abuse limits.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.300Z\",\"first_program_activity_at\":\"2022-12-06T06:49:59.357Z\",\"last_program_activity_at\":\"2022-10-14T20:58:29.169Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.300Z\",\"last_activity_at\":\"2022-12-09T06:51:43.300Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\"
,\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770197\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:59.243Z\"}}},\"weakness\":{\"data\":{\"id\":\"1082\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Black Box Reverse Engineering\",\"description\":\"An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.\",\"external_id\":\"capec-189\",\"created_at\":\"2022-07-06T18:36:57.413Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794548\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR vulnerability exposes all users' email 
addresses\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-11T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-14T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-11T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:03.195Z\",\"last_program_activity_at\":\"2022-10-14T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:03.585Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-14T18:50:22.684Z\",\"last_activity_at\":\"2022-10-14T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91
258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770222\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:51:03.081Z\"}}},\"weakness\":{\"data\":{\"id\":\"743\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Inclusion of Sensitive Information in an Include File\",\"description\":\"If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.\",\"external_id\":\"cwe-541\",\"created_at\":\"2022-07-06T18:15:20.987Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442273\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"400.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"400.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-17T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794548\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR vulnerability exposes all users' email addresses\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-11T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-14T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-11T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:03.195Z\",\"last_program_activity_at\":\"2022-10-14T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:03.585Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-14T18:50:22.684Z\",\"last_activity_at\":\"2022-10-14T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794530\",\"type\":\"report\",\"attributes\":{\"title\":\"Amazon AWS instance metadata exposed via SSRF in /webhooks/new\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-10-05T06:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-10-05T13:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:12.900Z\",\"first_program_activity_at\":\"2022-12-06T06:50:12.392Z\",\"last_program_activity_at\":\"2022-10-05T13:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1422\",\"last_public_activity_at\":\"2022-12-09T06:50:12.900Z\",\"last_activity_at\":\"2022-12-09T06:50:12.900Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":fal
se}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770204\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:12.063Z\"}}},\"weakness\":{\"data\":{\"id\":\"1227\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Using Unpublished Interfaces\",\"description\":\"An adversary searches for and invokes interfaces that the target system designers did not intend to be publicly available. If these interfaces fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for.\",\"external_id\":\"capec-36\",\"created_at\":\"2022-07-06T18:45:01.588Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794522\",\"type\":\"report\",\"attributes\":{\"title\":\"Cloud - Subdomain Takeover on dev.jupiterone.com due to unclaimed domain pointing to AWS\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-05T06:49:54.883Z\",\"vulnerability_information\":\"This is an urgent issue and I hope you will act on it likewise.\\nYour subdomain dev.jupiterone.com is pointing to AWS S3, but no bucket was connected to it. Actually, the reason to it is due to the CNAME of the DNS-entry:\\nCustomizing Amazon S3 URLs with CNAMEs\\nDepending on your needs, you might not want \\\"s3.amazonaws.com\\\" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/.\\nThe bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.\\nSo what happens here is actually that, since media.vine.co is pointing to S3, S3 is actually checking if there's a bucket with that name. Which in this case was not true. So I was able to claim the bucket dev.JupiterOne demo and thus, can place content on this URL.\\nYou should immediately remove the DNS-entry for dev.JupiterOne demo pointing to AWS S3.\\n\\n## Impact\\n\\nSince I have complete control over the subdomain I can do whatever I want on it. 
The restriction I have now is that I'm not able to serve anything on the root-URL – however – if I would have created the bucket in the correct region (West-1) in AWS, this would've worked.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.295Z\",\"first_program_activity_at\":\"2022-12-06T06:49:57.764Z\",\"last_program_activity_at\":\"2022-10-05T18:49:54.883Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.295Z\",\"last_activity_at\":\"2022-12-09T06:51:43.295Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lk
In19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770196\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:57.398Z\"}}},\"weakness\":{\"data\":{\"id\":\"679\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Return of Pointer Value Outside of Expected Range\",\"description\":\"A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.\",\"external_id\":\"cwe-466\",\"created_at\":\"2022-07-06T18:11:52.499Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794547\",\"type\":\"report\",\"attributes\":{\"title\":\"Time-based blind SQL injection in user_id parameter on /groups page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-03T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-06T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-03T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:01.187Z\",\"last_program_activity_at\":\"2022-10-06T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:01.536Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-06T06:50:22.684Z\",\"last_activity_at\":\"2022-10-06T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\
",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770221\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:01.073Z\"}}},\"weakness\":{\"data\":{\"id\":\"764\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Assignment to Variable without Use\",\"description\":\"The variable's value is assigned but never used, making it a dead store.\",\"external_id\":\"cwe-563\",\"created_at\":\"2022-07-06T18:16:26.136Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442272\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-11T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794547\",\"type\":\"report\",\"attributes\":{\"title\":\"Time-based blind SQL injection in user_id parameter on /groups 
page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-03T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-06T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-03T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:01.187Z\",\"last_program_activity_at\":\"2022-10-06T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:01.536Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-06T06:50:22.684Z\",\"last_activity_at\":\"2022-10-06T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794546\",\"type\":\"report\",\"attributes\":{\"title\":\"Ruby on Rails Gemfile contains uncontrolled Github gem repository\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-24T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-30T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-24T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:58.632Z\",\"last_program_activity_at\":\"2022-09-30T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:59.095Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-30T18:50:22.684Z\",\"last_activity_at\":\"2022-09-30T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/0
00/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770220\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:58.474Z\"}}},\"weakness\":{\"data\":{\"id\":\"1481\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Compromising Emanations Attack\",\"description\":\"Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. 
Capturing these emissions can help an adversary understand what the device is doing.\",\"external_id\":\"capec-623\",\"created_at\":\"2022-07-06T19:01:40.982Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442271\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-05T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794546\",\"type\":\"report\",\"attributes\":{\"title\":\"Ruby on Rails Gemfile contains uncontrolled Github gem repository\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-24T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-30T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-24T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:58.632Z\",\"last_program_activity_at\":\"2022-09-30T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:59.095Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-30T18:50:22.684Z\",\"last_activity_at\":\"2022-09-30T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794545\",\"type\":\"report\",\"attributes\":{\"title\":\"CSRF vulnerability enables attacker to link Xero instance to current user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-16T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-19T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-16T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:54.329Z\",\"last_program_activity_at\":\"2022-09-19T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:55.069Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-19T06:50:22.684Z\",\"last_activity_at\":\"2022-09-19T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"loc
ation\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770219\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:53.914Z\"}}},\"weakness\":{\"data\":{\"id\":\"647\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Protection of Alternate Path\",\"description\":\"The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.\",\"external_id\":\"cwe-424\",\"created_at\":\"2022-07-06T18:10:10.440Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442270\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-26T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794545\",\"type\":\"report\",\"attributes\":{\"title\":\"CSRF vulnerability enables attacker to link Xero instance to current user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-16T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-19T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-16T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:54.329Z\",\"last_program_activity_at\":\"2022-09-19T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:55.069Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-19T06:50:22.684Z\",\"last_activity_at\":\"2022-09-19T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794544\",\"type\":\"report\",\"attributes\":{\"title\":\"Deleted users can access confidential information through Algolia indexes\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-07T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-11T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-07T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:50.172Z\",\"last_program_activity_at\":\"2022-09-11T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:50.544Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-11T18:50:22.684Z\",\"last_activity_at\":\"2022-09-11T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9
MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770218\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:50.062Z\"}}},\"weakness\":{\"data\":{\"id\":\"1098\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Create Malicious Client\",\"description\":\"An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.\",\"external_id\":\"capec-202\",\"created_at\":\"2022-07-06T18:37:45.211Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442269\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-13T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794544\",\"type\":\"report\",\"attributes\":{\"title\":\"Deleted users can access confidential information through Algolia indexes\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-07T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-11T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-07T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:50.172Z\",\"last_program_activity_at\":\"2022-09-11T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:50.544Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-11T18:50:22.684Z\",\"last_activity_at\":\"2022-09-11T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794543\",\"type\":\"report\",\"attributes\":{\"title\":\"Bearer token used in web app do not expire after password change\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-30T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-01T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-30T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:47.935Z\",\"last_program_activity_at\":\"2022-09-01T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:48.324Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-01T06:50:22.684Z\",\"last_activity_at\":\"2022-09-01T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBa
DdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770217\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:47.777Z\"}}},\"weakness\":{\"data\":{\"id\":\"131\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Neutralization of Escape, Meta, or Control Sequences\",\"description\":\"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.\",\"external_id\":\"cwe-150\",\"created_at\":\"2018-05-14T20:48:55.546Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App 
Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442268\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"800.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"800.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-08T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794543\",\"type\":\"report\",\"attributes\":{\"title\":\"Bearer token used in web app do not expire after password change\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-30T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-01T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-30T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:47.935Z\",\"last_program_activity_at\":\"2022-09-01T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:48.324Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-01T06:50:22.684Z\",\"last_activity_at\":\"2022-09-01T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794555\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoices publicly accessible when invoice secret nonce is known\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-08-21T18:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-08-25T18:51:18.490Z\",\"last_reporter_activity_at\":\"2022-08-21T18:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:21.812Z\",\"last_program_activity_at\":\"2022-08-25T18:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-25T18:51:18.490Z\",\"last_activity_at\":\"2022-08-25T18:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJl
eHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770229\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:21.700Z\"}}},\"weakness\":{\"data\":{\"id\":\"1335\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Malicious Root Certificate\",\"description\":\"An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. 
Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.\",\"external_id\":\"capec-479\",\"created_at\":\"2022-07-06T18:51:02.357Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\",\"first\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"prev\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"next\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=3\"}}" + "text": "{\"data\":[{\"id\":\"1794507\",\"type\":\"report\",\"attributes\":{\"title\":\"Changing details of other users profile using UUID (IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-12T16:08:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-12T19:08:35.164Z\",\"closed_at\":\"2022-12-06T16:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-12T16:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:51.362Z\",\"last_program_activity_at\":\"2022-12-06T16:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:51.795Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-06T16:08:35.164Z\",\"last_activity_at\":\"2022-12-06T16:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1440500,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c
63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770181\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:48:51.190Z\"}}},\"weakness\":{\"data\":{\"id\":\"1572\",\"type\":\"weakness\",\"attributes\":{\"name\":\"DEPRECATED: XML Parser Attack\",\"description\":\"This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. Please refer to these CAPECs going forward.\",\"external_id\":\"capec-99\",\"created_at\":\"2022-07-06T19:06:25.933Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442247\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"2000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"2000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-24T16:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794507\",\"type\":\"report\",\"attributes\":{\"title\":\"Changing details of other users profile using UUID (IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-12T16:08:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-11-12T19:08:35.164Z\",\"closed_at\":\"2022-12-06T16:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-12T16:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:51.362Z\",\"last_program_activity_at\":\"2022-12-06T16:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:51.795Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-06T16:08:35.164Z\",\"last_activity_at\":\"2022-12-06T16:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1440500,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":0}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794506\",\"type\":\"report\",\"attributes\":{\"title\":\"Time Based SQL Injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-11T09:28:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T09:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-11T09:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:48.208Z\",\"last_program_activity_at\":\"2022-11-29T09:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:49.264Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T09:28:35.164Z\",\"last_activity_at\":\"2022-11-29T09:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1727981,\"timer_bounty_awarded_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1036789,\"timer_report_triage_miss_at\":\"2022-11-15T09:28:35.164Z\",\"timer_report_triage_elapsed_time\":1036789},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\
":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770180\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:48:48.083Z\"}}},\"weakness\":{\"data\":{\"id\":\"1577\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Use of Default Password\",\"description\":\"The product uses default passwords for potentially critical functionality.\",\"external_id\":\"cwe-1393\",\"created_at\":\"2022-12-06T06:00:45.688Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442246\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-09T09:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794506\",\"type\":\"report\",\"attributes\":{\"title\":\"Time Based SQL Injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-11T09:28:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T09:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-11T09:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:48.208Z\",\"last_program_activity_at\":\"2022-11-29T09:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:49.264Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T09:28:35.164Z\",\"last_activity_at\":\"2022-11-29T09:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1727981,\"timer_bounty_awarded_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1036789,\"timer_report_triage_miss_at\":\"2022-11-15T09:28:35.164Z\",\"timer_report_triage_elapsed_time\":1036789}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794505\",\"type\":\"report\",\"attributes\":{\"title\":\"Claiming ownership of GitHub handles via forked GitHub gists.\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-10T02:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-01T02:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-10T02:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:45.114Z\",\"last_program_activity_at\":\"2022-12-01T02:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:45.502Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-01T02:48:35.164Z\",\"last_activity_at\":\"2022-12-01T02:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1987178,\"timer_bounty_awarded_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-14T02:48:35.164Z\",\"timer_report_triage_elapsed_time\":1295986},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2l
kIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770179\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:48:45.002Z\"}}},\"weakness\":{\"data\":{\"id\":\"1491\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Alternative Execution Due to Deceptive Filenames\",\"description\":\"The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.\",\"external_id\":\"capec-635\",\"created_at\":\"2022-07-06T19:02:10.604Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442245\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"100.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"100.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-13T02:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794505\",\"type\":\"report\",\"attributes\":{\"title\":\"Claiming ownership of GitHub handles via forked GitHub gists.\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-10T02:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-01T02:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-10T02:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:45.114Z\",\"last_program_activity_at\":\"2022-12-01T02:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:45.502Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-01T02:48:35.164Z\",\"last_activity_at\":\"2022-12-01T02:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1987178,\"timer_bounty_awarded_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-14T02:48:35.164Z\",\"timer_report_triage_elapsed_time\":1295986}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794526\",\"type\":\"report\",\"attributes\":{\"title\":\"Kubernetes - Blind SSRF on JupiterOne demo.canary.k8s.io\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-09T03:24:12.026Z\",\"vulnerability_information\":\"A blind server-side request forgery (SSRF) was found at the endpoint http://JupiterOne demo.canary.k8s.io/api/snapshots via a JSON parameter. An attacker can force the host to make a request to arbitrary URLs.\\n\\n## Impact\\n\\nAn attacker can force the host to make a request to arbitrary URLs. 
Allowing us to assume host permissions and access internal infrastructure - including private data.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.296Z\",\"first_program_activity_at\":\"2022-12-06T06:50:04.277Z\",\"last_program_activity_at\":\"2022-11-09T15:24:12.026Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.296Z\",\"last_activity_at\":\"2022-12-09T06:51:43.296Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"
\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770200\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:04.155Z\"}}},\"weakness\":{\"data\":{\"id\":\"1062\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Web Application Fingerprinting\",\"description\":\"An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. 
While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.\",\"external_id\":\"capec-170\",\"created_at\":\"2022-07-06T18:35:44.773Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794504\",\"type\":\"report\",\"attributes\":{\"title\":\"Corrupt RPC responses from remote daemon nodes can lead to transaction tracing\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-08T20:08:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-09T05:08:35.164Z\",\"closed_at\":\"2022-11-18T20:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-08T20:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:42.348Z\",\"last_program_activity_at\":\"2022-11-18T20:08:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-18T20:08:35.164Z\",\"last_activity_at\":\"2022-11-18T20:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-21T05:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-20T20:08:35.164Z\",\"timer_report_resolved_elapsed_time\":691193,\"timer_report_triage_miss_at\":\"2022-11-10T20:08:35.164Z\",\"timer_report_triage_elapsed_time\":32400},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6
IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770178\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:48:42.210Z\"}}},\"weakness\":{\"data\":{\"id\":\"487\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Observable Internal Behavioral Discrepancy\",\"description\":\"The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.\",\"external_id\":\"cwe-206\",\"created_at\":\"2022-07-06T18:01:36.783Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794503\",\"type\":\"report\",\"attributes\":{\"title\":\"Unauthenticated LFI revealing log 
information\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-07T13:28:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-07T15:28:35.164Z\",\"closed_at\":\"2022-12-07T13:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-07T13:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:40.023Z\",\"last_program_activity_at\":\"2022-12-07T13:28:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-07T13:28:35.164Z\",\"last_activity_at\":\"2022-12-07T13:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-19T15:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-19T13:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1900779,\"timer_report_triage_miss_at\":\"2022-11-09T13:28:35.164Z\",\"timer_report_triage_elapsed_time\":7200},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants
/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770177\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:48:39.198Z\"}}},\"weakness\":{\"data\":{\"id\":\"1315\",\"type\":\"weakness\",\"attributes\":{\"name\":\"HTTP Parameter Pollution (HPP)\",\"description\":\"An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. 
Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.\",\"external_id\":\"capec-460\",\"created_at\":\"2022-07-06T18:50:00.662Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794556\",\"type\":\"report\",\"attributes\":{\"title\":\"Roof accessible by unauthorized personnel\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-11-06T06:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-11-09T06:51:18.490Z\",\"last_reporter_activity_at\":\"2022-11-06T06:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:23.812Z\",\"last_program_activity_at\":\"2022-11-09T06:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-09T06:51:18.490Z\",\"last_activity_at\":\"2022-11-09T06:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700
\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770230\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:23.665Z\"}}},\"weakness\":{\"data\":{\"id\":\"1505\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Adding a Space to a File Extension\",\"description\":\"An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.\",\"external_id\":\"capec-649\",\"created_at\":\"2022-07-06T19:02:52.439Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794553\",\"type\":\"report\",\"attributes\":{\"title\":\"Apache web server version disclosure\",\"main_state\":\"closed\",\"state\":\"not-applicable\",\"created_at\":\"2022-11-06T06:51:14.565Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-07T06:51:14.565Z\",\"last_reporter_activity_at\":\"2022-11-06T06:51:14.565Z\",\"first_program_activity_at\":\"2022-12-06T06:51:18.058Z\",\"last_program_activity_at\":\"2022-11-07T06:51:14.565Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-07T06:51:14.565Z\",\"last_activity_at\":\"2022-11-07T06:51:14.565Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770227\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:51:17.947Z\"}}},\"weakness\":{\"data\":{\"id\":\"89\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Information Exposure Through Directory Listing\",\"description\":\"A directory listing is inappropriately exposed, yielding potentially sensitive information to 
attackers.\",\"external_id\":\"cwe-548\",\"created_at\":\"2017-01-26T23:29:15.748Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794551\",\"type\":\"report\",\"attributes\":{\"title\":\"Subdomain takeover due to unclaimed S3 bucket\",\"main_state\":\"closed\",\"state\":\"duplicate\",\"created_at\":\"2022-11-06T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-08T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-11-06T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:10.676Z\",\"last_program_activity_at\":\"2022-11-08T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-08T06:50:22.684Z\",\"last_activity_at\":\"2022-11-08T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"original_report_id\":\"1794533\",\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":3},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6
IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770225\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:10.515Z\"}}},\"weakness\":{\"data\":{\"id\":\"1032\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Detect Unpublicized Web Pages\",\"description\":\"An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.\",\"external_id\":\"capec-143\",\"created_at\":\"2022-07-06T18:34:04.072Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794502\",\"type\":\"report\",\"attributes\":{\"title\":\"Subdomain takeover\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-06T06:48:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T06:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-06T06:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:36.693Z\",\"last_program_activity_at\":\"2022-11-29T06:48:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T06:48:35.164Z\",\"last_activity_at\":\"2022-11-29T06:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-19T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-19T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1406900,\"timer_report_triage_miss_at\":\"2022-11-09T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1406900},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b5
53ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770176\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:48:36.520Z\"}}},\"weakness\":{\"data\":{\"id\":\"129\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Blacklist\",\"description\":\"An application uses a \\\"blacklist\\\" of prohibited values, but the blacklist is incomplete.\",\"external_id\":\"cwe-184\",\"created_at\":\"2018-05-14T20:48:53.932Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play 
Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794531\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS in article description through /articles/new\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-11-04T18:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-05T10:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:23.555Z\",\"first_program_activity_at\":\"2022-12-06T06:50:17.690Z\",\"last_program_activity_at\":\"2022-11-05T10:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1423\",\"last_public_activity_at\":\"2022-12-09T06:50:23.555Z\",\"last_activity_at\":\"2022-12-09T06:50:23.555Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced9883
5000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770205\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:16.967Z\"}}},\"weakness\":{\"data\":{\"id\":\"75\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Privilege Escalation\",\"description\":\"An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.\",\"external_id\":\"capec-233\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794525\",\"type\":\"report\",\"attributes\":{\"title\":\"Mobile - iPhone app XSS in JupiterOne 
demo Mail\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-31T10:15:37.740Z\",\"vulnerability_information\":\"During a recent security review we did for a big tech giant, we discovered a Cross-Site Scripting (XSS) issue related to how in-app iOS browsers handle the rendering of attachments. We did a quick check to see if a related vulnerability would be present at JupiterOne demo.\\nWe discovered the JupiterOne demo Mail feature is particularly vulnerable to this. The XSS can be used to get access to other messages in a user’s inbox and can be wormified for greater impact.\\nTo reproduce this vulnerability, you need to send the attached file - fb-mail-poc.html (F328174) - to someone’s JupiterOne demo email address. This file contains the proof of concept exploit code. When the user opens the attachment via the JupiterOne demo iPhone app (might work on other mobile devices as well), the attached HTML file containing the exploit gets executed in the same origin as https://iphone.jupiterone.com. In this particular proof of concept, the victim will see their private messages displayed. It would be trivial to expand the PoC to send this data to an external server, or access other private information such as the victim’s photos.\\nTo clarify further, when opening the attachment on an iPhone via the JupiterOne demo app, the current session is used to authenticate and render the attachment in the mobile in-app browser. Because of the shared session, the browser can send AJAX calls to https://iphone.jupiterone.com and retrieve content. 
This also bypasses the frame busting mechanism and JSON obfuscation system, as it is unnecessary to do a cross-domain attack and the retrieved for (;;); can be removed on-the-fly given that the XSS operates in the same origin.\\nBecause we're in the Bay Area now and scheduled to fly back to the Netherlands on Monday, we asked if they could potentially expedite things a bit and see if we could do a meeting at FB and discuss our findings.\\\"\\n\\n## Impact\\n\\nIt would be trivial to expand the PoC to send this data to an external server, or access other private information such as the victim’s photos.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.308Z\",\"first_program_activity_at\":\"2022-12-06T06:50:02.748Z\",\"last_program_activity_at\":\"2022-11-01T00:15:37.740Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.308Z\",\"last_activity_at\":\"2022-12-09T06:51:43.308Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a4
82476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770199\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:02.620Z\"}}},\"weakness\":{\"data\":{\"id\":\"582\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: '....//'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-34\",\"created_at\":\"2022-07-06T18:06:38.373Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794550\",\"type\":\"report\",\"attributes\":{\"title\":\"Access partial location information of other users through 
IDOR\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-28T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-02T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-28T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:08.011Z\",\"last_program_activity_at\":\"2022-11-02T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:08.430Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-02T18:50:22.684Z\",\"last_activity_at\":\"2022-11-02T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2
bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770224\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:51:07.895Z\"}}},\"weakness\":{\"data\":{\"id\":\"140\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')\",\"description\":\"The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.\",\"external_id\":\"cwe-362\",\"created_at\":\"2018-05-15T14:03:21.939Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App 
Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442275\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-11-06T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794550\",\"type\":\"report\",\"attributes\":{\"title\":\"Access partial location information of other users through IDOR\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-28T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-02T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-28T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:08.011Z\",\"last_program_activity_at\":\"2022-11-02T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:08.430Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-02T18:50:22.684Z\",\"last_activity_at\":\"2022-11-02T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794524\",\"type\":\"report\",\"attributes\":{\"title\":\"API - Using the api, one can obtain the authentication token for any user on jupiterone.com\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-22T17:07:03.454Z\",\"vulnerability_information\":\"Using this request i can get the API token for any user on jupiterone.com.\\n$ curl -s --request GET https://jupiterone.com/api/userid | jq '.authentication_token'\\n\\\"[redacted]\\\"\\n\\n## Impact\\n\\nAccess personal information and access any 
account.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.345Z\",\"first_program_activity_at\":\"2022-12-06T06:50:01.066Z\",\"last_program_activity_at\":\"2022-10-23T00:07:03.454Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.345Z\",\"last_activity_at\":\"2022-12-09T06:51:43.345Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"progra
m\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770198\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:00.873Z\"}}},\"weakness\":{\"data\":{\"id\":\"185\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Enforcement of Behavioral Workflow\",\"description\":\"The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.\",\"external_id\":\"cwe-841\",\"created_at\":\"2022-07-05T22:18:12.437Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794549\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect can offload OAuth tokens to 3rd party domain\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-20T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-22T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-20T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:05.613Z\",\"last_program_activity_at\":\"2022-10-22T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:06.039Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-22T06:50:22.684Z\",\"last_activity_at\":\"2022-10-22T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/vari
ants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770223\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:51:05.499Z\"}}},\"weakness\":{\"data\":{\"id\":\"1050\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Exploit Script-Based APIs\",\"description\":\"Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support \\u003cscript\\u003e tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. 
Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.\",\"external_id\":\"capec-160\",\"created_at\":\"2022-07-06T18:35:09.892Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442274\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-23T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794549\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect can offload OAuth tokens to 3rd party domain\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-20T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-22T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-20T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:05.613Z\",\"last_program_activity_at\":\"2022-10-22T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:06.039Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-22T06:50:22.684Z\",\"last_activity_at\":\"2022-10-22T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794523\",\"type\":\"report\",\"attributes\":{\"title\":\"Authentication - User can bypass 2-factor authentication\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-13T23:58:29.169Z\",\"vulnerability_information\":\"Steps to reproduce:\\n\\n Login to your account and remove your 2FA on your account (if you already setup it)\\n Now go to https://jupiterone.com/parrot_sec and hit Submit Report button, observed that you cannot submit report unless you will enable your 2FA.\\n BYPASS: Get the Embedded Submission URL on their policy page: i get this -\\u003e\\u003e https://jupiterone.com/0a1e1f11-257e-4b46-b949-c7151212ffbb/embedded_submissions/new\\n Now submit report using that embedded submission form and you can submit reports without setting-up your 2FA, despite the program enforce the user to setup the 2FA before submitting new reports.\\n 2FA requirements successfully bypassed!'\\n\\n## Impact\\n\\nAllow any user to bypass multiple program restrictions, such as the 2FA requirement, report rate limit, 
and internal abuse limits.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.300Z\",\"first_program_activity_at\":\"2022-12-06T06:49:59.357Z\",\"last_program_activity_at\":\"2022-10-14T20:58:29.169Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.300Z\",\"last_activity_at\":\"2022-12-09T06:51:43.300Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\"
,\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770197\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:59.243Z\"}}},\"weakness\":{\"data\":{\"id\":\"1082\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Black Box Reverse Engineering\",\"description\":\"An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.\",\"external_id\":\"capec-189\",\"created_at\":\"2022-07-06T18:36:57.413Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794548\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR vulnerability exposes all users' email 
addresses\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-11T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-14T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-11T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:03.195Z\",\"last_program_activity_at\":\"2022-10-14T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:03.585Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-14T18:50:22.684Z\",\"last_activity_at\":\"2022-10-14T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91
258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770222\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:51:03.081Z\"}}},\"weakness\":{\"data\":{\"id\":\"743\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Inclusion of Sensitive Information in an Include File\",\"description\":\"If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.\",\"external_id\":\"cwe-541\",\"created_at\":\"2022-07-06T18:15:20.987Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442273\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"400.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"400.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-17T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794548\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR vulnerability exposes all users' email addresses\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-11T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-14T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-11T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:03.195Z\",\"last_program_activity_at\":\"2022-10-14T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:03.585Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-14T18:50:22.684Z\",\"last_activity_at\":\"2022-10-14T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794530\",\"type\":\"report\",\"attributes\":{\"title\":\"Amazon AWS instance metadata exposed via SSRF in /webhooks/new\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-10-05T06:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-10-05T13:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:12.900Z\",\"first_program_activity_at\":\"2022-12-06T06:50:12.392Z\",\"last_program_activity_at\":\"2022-10-05T13:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1422\",\"last_public_activity_at\":\"2022-12-09T06:50:12.900Z\",\"last_activity_at\":\"2022-12-09T06:50:12.900Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":fal
se}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770204\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:12.063Z\"}}},\"weakness\":{\"data\":{\"id\":\"1227\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Using Unpublished Interfaces\",\"description\":\"An adversary searches for and invokes interfaces that the target system designers did not intend to be publicly available. If these interfaces fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for.\",\"external_id\":\"capec-36\",\"created_at\":\"2022-07-06T18:45:01.588Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794522\",\"type\":\"report\",\"attributes\":{\"title\":\"Cloud - Subdomain Takeover on dev.jupiterone.com due to unclaimed domain pointing to AWS\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-05T06:49:54.883Z\",\"vulnerability_information\":\"This is an urgent issue and I hope you will act on it likewise.\\nYour subdomain dev.jupiterone.com is pointing to AWS S3, but no bucket was connected to it. Actually, the reason to it is due to the CNAME of the DNS-entry:\\nCustomizing Amazon S3 URLs with CNAMEs\\nDepending on your needs, you might not want \\\"s3.amazonaws.com\\\" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/.\\nThe bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.\\nSo what happens here is actually that, since media.vine.co is pointing to S3, S3 is actually checking if there's a bucket with that name. Which in this case was not true. So I was able to claim the bucket dev.JupiterOne demo and thus, can place content on this URL.\\nYou should immediately remove the DNS-entry for dev.JupiterOne demo pointing to AWS S3.\\n\\n## Impact\\n\\nSince I have complete control over the subdomain I can do whatever I want on it. 
The restriction I have now is that I'm not able to serve anything on the root-URL – however – if I would have created the bucket in the correct region (West-1) in AWS, this would've worked.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.295Z\",\"first_program_activity_at\":\"2022-12-06T06:49:57.764Z\",\"last_program_activity_at\":\"2022-10-05T18:49:54.883Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.295Z\",\"last_activity_at\":\"2022-12-09T06:51:43.295Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lk
In19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770196\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:57.398Z\"}}},\"weakness\":{\"data\":{\"id\":\"679\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Return of Pointer Value Outside of Expected Range\",\"description\":\"A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.\",\"external_id\":\"cwe-466\",\"created_at\":\"2022-07-06T18:11:52.499Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794547\",\"type\":\"report\",\"attributes\":{\"title\":\"Time-based blind SQL injection in user_id parameter on /groups page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-03T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-06T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-03T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:01.187Z\",\"last_program_activity_at\":\"2022-10-06T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:01.536Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-06T06:50:22.684Z\",\"last_activity_at\":\"2022-10-06T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\
",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770221\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:01.073Z\"}}},\"weakness\":{\"data\":{\"id\":\"764\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Assignment to Variable without Use\",\"description\":\"The variable's value is assigned but never used, making it a dead store.\",\"external_id\":\"cwe-563\",\"created_at\":\"2022-07-06T18:16:26.136Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442272\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-11T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794547\",\"type\":\"report\",\"attributes\":{\"title\":\"Time-based blind SQL injection in user_id parameter on /groups 
page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-03T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-06T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-03T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:01.187Z\",\"last_program_activity_at\":\"2022-10-06T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:01.536Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-06T06:50:22.684Z\",\"last_activity_at\":\"2022-10-06T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794546\",\"type\":\"report\",\"attributes\":{\"title\":\"Ruby on Rails Gemfile contains uncontrolled Github gem repository\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-24T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-30T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-24T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:58.632Z\",\"last_program_activity_at\":\"2022-09-30T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:59.095Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-30T18:50:22.684Z\",\"last_activity_at\":\"2022-09-30T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/0
00/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770220\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:58.474Z\"}}},\"weakness\":{\"data\":{\"id\":\"1481\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Compromising Emanations Attack\",\"description\":\"Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. 
Capturing these emissions can help an adversary understand what the device is doing.\",\"external_id\":\"capec-623\",\"created_at\":\"2022-07-06T19:01:40.982Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442271\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-05T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794546\",\"type\":\"report\",\"attributes\":{\"title\":\"Ruby on Rails Gemfile contains uncontrolled Github gem repository\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-24T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-30T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-24T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:58.632Z\",\"last_program_activity_at\":\"2022-09-30T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:59.095Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-30T18:50:22.684Z\",\"last_activity_at\":\"2022-09-30T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794545\",\"type\":\"report\",\"attributes\":{\"title\":\"CSRF vulnerability enables attacker to link Xero instance to current user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-16T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-19T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-16T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:54.329Z\",\"last_program_activity_at\":\"2022-09-19T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:55.069Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-19T06:50:22.684Z\",\"last_activity_at\":\"2022-09-19T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"loc
ation\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770219\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:53.914Z\"}}},\"weakness\":{\"data\":{\"id\":\"647\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Protection of Alternate Path\",\"description\":\"The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.\",\"external_id\":\"cwe-424\",\"created_at\":\"2022-07-06T18:10:10.440Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442270\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-26T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794545\",\"type\":\"report\",\"attributes\":{\"title\":\"CSRF vulnerability enables attacker to link Xero instance to current user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-16T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-19T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-16T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:54.329Z\",\"last_program_activity_at\":\"2022-09-19T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:55.069Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-19T06:50:22.684Z\",\"last_activity_at\":\"2022-09-19T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794544\",\"type\":\"report\",\"attributes\":{\"title\":\"Deleted users can access confidential information through Algolia indexes\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-07T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-11T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-07T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:50.172Z\",\"last_program_activity_at\":\"2022-09-11T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:50.544Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-11T18:50:22.684Z\",\"last_activity_at\":\"2022-09-11T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9
MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770218\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:50.062Z\"}}},\"weakness\":{\"data\":{\"id\":\"1098\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Create Malicious Client\",\"description\":\"An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.\",\"external_id\":\"capec-202\",\"created_at\":\"2022-07-06T18:37:45.211Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442269\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-13T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794544\",\"type\":\"report\",\"attributes\":{\"title\":\"Deleted users can access confidential information through Algolia indexes\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-07T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-11T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-07T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:50.172Z\",\"last_program_activity_at\":\"2022-09-11T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:50.544Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-11T18:50:22.684Z\",\"last_activity_at\":\"2022-09-11T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794543\",\"type\":\"report\",\"attributes\":{\"title\":\"Bearer token used in web app do not expire after password change\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-30T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-01T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-30T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:47.935Z\",\"last_program_activity_at\":\"2022-09-01T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:48.324Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-01T06:50:22.684Z\",\"last_activity_at\":\"2022-09-01T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBa
DdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770217\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:47.777Z\"}}},\"weakness\":{\"data\":{\"id\":\"131\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Neutralization of Escape, Meta, or Control Sequences\",\"description\":\"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.\",\"external_id\":\"cwe-150\",\"created_at\":\"2018-05-14T20:48:55.546Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App 
Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442268\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"800.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"800.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-08T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794543\",\"type\":\"report\",\"attributes\":{\"title\":\"Bearer token used in web app do not expire after password change\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-30T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-01T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-30T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:47.935Z\",\"last_program_activity_at\":\"2022-09-01T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:48.324Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-01T06:50:22.684Z\",\"last_activity_at\":\"2022-09-01T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794555\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoices publicly accessible when invoice secret nonce is known\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-08-21T18:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-08-25T18:51:18.490Z\",\"last_reporter_activity_at\":\"2022-08-21T18:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:21.812Z\",\"last_program_activity_at\":\"2022-08-25T18:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-25T18:51:18.490Z\",\"last_activity_at\":\"2022-08-25T18:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJl
eHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770229\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:21.700Z\"}}},\"weakness\":{\"data\":{\"id\":\"1335\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Malicious Root Certificate\",\"description\":\"An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. 
Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.\",\"external_id\":\"capec-479\",\"created_at\":\"2022-07-06T18:51:02.357Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\",\"first\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"prev\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"next\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=3\"}}" }, "cookies": [], "headers": [ { "name": "date", - "value": "Mon, 19 Dec 2022 22:59:31 GMT" + "value": "Mon, 23 Jan 2023 10:02:18 GMT" }, { "name": "content-type", 
@@ -208,7 +651,153 @@ }, { "name": "connection", - "value": "close" + "value": "keep-alive" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "362b0f3f-51ea-4aee-a912-40de1ba539c0" + }, + { + "name": "etag", + "value": "W/\"91aa40283a5f99ef4f007b1cb6cf4d43\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + 
"name": "cf-ray", + "value": "78dfb15f9cc30441-HKG" + } + ], + "headersSize": 1563, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:02:16.533Z", + "time": 1745, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 1745 + } + }, + { + "_id": "a3f61cbdf75c9b2ead143229379dca10", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "name": "host", + "value": "api.hackerone.com" + }, + { + "name": "authorization", + "value": "[REDACTED]" + } + ], + "headersSize": 250, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "filter", + "value": { + "program": [ + "jupiterone_demo_h1b" + ] + } + }, + { + "name": "page", + "value": { + "number": "3" + } + } + ], + "url": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b&page%5Bnumber%5D=3" + }, + "response": { + "bodySize": 57546, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 57546, + "text": "{\"data\":[{\"id\":\"1794542\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoice PDF generator vulnerable to template injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-21T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-23T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-21T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:45.354Z\",\"last_program_activity_at\":\"2022-08-23T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:45.712Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-23T18:50:22.684Z\",\"last_activity_at\":\"2022-08-23T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"loc
ation\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770216\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:45.240Z\"}}},\"weakness\":{\"data\":{\"id\":\"368\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Sequence of Processor Instructions Leads to Unexpected Behavior\",\"description\":\"Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.\",\"external_id\":\"cwe-1281\",\"created_at\":\"2022-07-06T17:55:18.024Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[{\"id\":\"442267\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-26T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794542\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoice PDF generator vulnerable to template injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-21T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-23T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-21T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:45.354Z\",\"last_program_activity_at\":\"2022-08-23T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:45.712Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-23T18:50:22.684Z\",\"last_activity_at\":\"2022-08-23T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794541\",\"type\":\"report\",\"attributes\":{\"title\":\"Public readable Amazon S3 exposes old data backups\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-13T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-16T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-13T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:42.866Z\",\"last_program_activity_at\":\"2022-08-16T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:43.221Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-16T06:50:22.684Z\",\"last_activity_at\":\"2022-08-16T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\
":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770215\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:42.756Z\"}}},\"weakness\":{\"data\":{\"id\":\"524\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: '/../filedir'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \\\"/../\\\" sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-25\",\"created_at\":\"2022-07-06T18:03:34.165Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442266\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-18T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794541\",\"type\":\"report\",\"attributes\":{\"title\":\"Public readable Amazon S3 exposes old data backups\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-13T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing 
styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-16T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-13T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:42.866Z\",\"last_program_activity_at\":\"2022-08-16T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:43.221Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-16T06:50:22.684Z\",\"last_activity_at\":\"2022-08-16T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794540\",\"type\":\"report\",\"attributes\":{\"title\":\"User API tokens not revoked after user removed from group\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-04T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-09T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-04T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:40.347Z\",\"last_program_activity_at\":\"2022-08-09T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:40.713Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-09T18:50:22.684Z\",\"last_activity_at\":\"2022-08-09T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\
":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770214\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:40.229Z\"}}},\"weakness\":{\"data\":{\"id\":\"987\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Altered Installed BIOS\",\"description\":\"An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.\",\"external_id\":\"capec-532\",\"created_at\":\"2022-07-06T18:31:30.687Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442265\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-13T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794540\",\"type\":\"report\",\"attributes\":{\"title\":\"User API tokens not revoked after user removed from group\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-04T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-09T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-04T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:40.347Z\",\"last_program_activity_at\":\"2022-08-09T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:40.713Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-09T18:50:22.684Z\",\"last_activity_at\":\"2022-08-09T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794539\",\"type\":\"report\",\"attributes\":{\"title\":\"Low entropy nonce and lack of rate limiting exposes sent offers\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-27T06:50:22.684Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-28T00:50:22.684Z\",\"closed_at\":\"2022-08-02T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-27T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:38.005Z\",\"last_program_activity_at\":\"2022-08-02T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:38.419Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-02T06:50:22.684Z\",\"last_activity_at\":\"2022-08-02T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":8056723,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770213\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:50:37.857Z\"}}},\"weakness\":{\"data\":{\"id\":\"333\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Finite State Machines (FSMs) in Hardware Logic\",\"description\":\"Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's 
system.\",\"external_id\":\"cwe-1245\",\"created_at\":\"2022-07-06T17:53:28.520Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442264\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-07T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794539\",\"type\":\"report\",\"attributes\":{\"title\":\"Low entropy nonce and lack of rate limiting exposes sent offers\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-27T06:50:22.684Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-28T00:50:22.684Z\",\"closed_at\":\"2022-08-02T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-27T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:38.005Z\",\"last_program_activity_at\":\"2022-08-02T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:38.419Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-02T06:50:22.684Z\",\"last_activity_at\":\"2022-08-02T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":8056723,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794538\",\"type\":\"report\",\"attributes\":{\"title\":\"Overly verbose object serialization leaks all users' password reset tokens\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-18T18:50:22.684Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-19T02:50:22.684Z\",\"closed_at\":\"2022-07-19T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-18T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:35.631Z\",\"last_program_activity_at\":\"2022-07-19T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:36.019Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-19T18:50:22.684Z\",\"last_activity_at\":\"2022-07-19T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":8654314,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f5
8178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770212\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:35.494Z\"}}},\"weakness\":{\"data\":{\"id\":\"1236\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Content Spoofing Via Application API Manipulation\",\"description\":\"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. 
The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.\",\"external_id\":\"capec-389\",\"created_at\":\"2022-07-06T18:45:26.096Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442263\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"2000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"2000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-07-24T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794538\",\"type\":\"report\",\"attributes\":{\"title\":\"Overly verbose object serialization leaks all users' password reset tokens\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-18T18:50:22.684Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-19T02:50:22.684Z\",\"closed_at\":\"2022-07-19T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-18T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:35.631Z\",\"last_program_activity_at\":\"2022-07-19T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:36.019Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-19T18:50:22.684Z\",\"last_activity_at\":\"2022-07-19T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":8654314,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794537\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS vulnerability in user profile biography\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-10T06:50:22.684Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-17T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-10T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:32.995Z\",\"last_program_activity_at\":\"2022-07-17T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:33.391Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-17T06:50:22.684Z\",\"last_activity_at\":\"2022-07-17T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\
"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770211\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:32.788Z\"}}},\"weakness\":{\"data\":{\"id\":\"400\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Missing Security Checks in Fabric Bridge\",\"description\":\"A bridge that is connected to a fabric without security features forwards transactions to the slave without checking the privilege level of the master. Similarly, it does not check the hardware identity of the transaction received from the slave interface of the bridge.\",\"external_id\":\"cwe-1317\",\"created_at\":\"2022-07-06T17:57:00.415Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442262\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-07-22T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794537\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS vulnerability in user profile biography\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-10T06:50:22.684Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-17T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-10T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:32.995Z\",\"last_program_activity_at\":\"2022-07-17T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:33.391Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-17T06:50:22.684Z\",\"last_activity_at\":\"2022-07-17T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794536\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS vulnerability in redirect_to parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-01T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-03T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-01T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:30.484Z\",\"last_program_activity_at\":\"2022-07-03T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:30.916Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-03T18:50:22.684Z\",\"last_activity_at\":\"2022-07-03T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9
MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770210\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:30.368Z\"}}},\"weakness\":{\"data\":{\"id\":\"269\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insufficient Encapsulation of Machine-Dependent Functionality\",\"description\":\"The product or code uses machine-dependent functionality, but\\n\\t\\t\\t\\t\\tit does not sufficiently encapsulate or isolate this functionality from\\n\\t\\t\\t\\t\\tthe rest of the code.\",\"external_id\":\"cwe-1105\",\"created_at\":\"2022-07-06T17:50:03.202Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442261\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"100.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"100.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-07-05T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794536\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS vulnerability in redirect_to 
parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-01T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-03T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-01T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:30.484Z\",\"last_program_activity_at\":\"2022-07-03T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:30.916Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-03T18:50:22.684Z\",\"last_activity_at\":\"2022-07-03T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794535\",\"type\":\"report\",\"attributes\":{\"title\":\"Administration backend vulnerable for blind XSS vulnerability\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-06-23T06:50:22.684Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-06-23T17:50:22.684Z\",\"closed_at\":\"2022-06-26T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-06-23T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:28.342Z\",\"last_program_activity_at\":\"2022-06-26T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-26T06:50:22.684Z\",\"last_activity_at\":\"2022-06-26T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e227
41e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770209\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:28.205Z\"}}},\"weakness\":{\"data\":{\"id\":\"618\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Symbolic Name not Mapping to Correct Object\",\"description\":\"A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.\",\"external_id\":\"cwe-386\",\"created_at\":\"2022-07-06T18:08:33.220Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794534\",\"type\":\"report\",\"attributes\":{\"title\":\"Reading local files through template parameter in article designer\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-06-14T18:50:22.684Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-06-15T14:50:22.684Z\",\"closed_at\":\"2022-06-18T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-06-14T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:26.156Z\",\"last_program_activity_at\":\"2022-06-18T18:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-18T18:50:22.684Z\",\"last_activity_at\":\"2022-06-18T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64c
ecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770208\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:26.015Z\"}}},\"weakness\":{\"data\":{\"id\":\"1316\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Web Services API Signature Forgery Leveraging Hash Function Extension Weakness\",\"description\":\"When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller, when constructing a request, would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. There is a practical attack against an authentication scheme of this nature that makes use of the hash function extension / padding weakness. 
Leveraging this weakness, an attacker, who does not know the secret token, is able to modify the parameters passed to the web service by generating their own call and still generate a legitimate signature hash (as described in the notes). Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work on other hash functions such as SHA1.\",\"external_id\":\"capec-461\",\"created_at\":\"2022-07-06T18:50:04.065Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794554\",\"type\":\"report\",\"attributes\":{\"title\":\"Previously used email address does not receive update confirmation\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-06-06T06:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-06-07T06:51:18.490Z\",\"last_reporter_activity_at\":\"2022-06-06T06:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:19.957Z\",\"last_program_activity_at\":\"2022-06-07T06:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-07T06:51:18.490Z\",\"last_activity_at\":\"2022-06-07T06:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT
0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770228\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:51:19.847Z\"}}},\"weakness\":{\"data\":{\"id\":\"922\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Filtering of Special Elements\",\"description\":\"The software receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.\",\"external_id\":\"cwe-791\",\"created_at\":\"2022-07-06T18:27:54.523Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794552\",\"type\":\"report\",\"attributes\":{\"title\":\"CKEditor example directory publicly accessible\",\"main_state\":\"closed\",\"state\":\"not-applicable\",\"created_at\":\"2022-06-06T06:51:14.565Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-06-09T06:51:14.565Z\",\"last_reporter_activity_at\":\"2022-06-06T06:51:14.565Z\",\"first_program_activity_at\":\"2022-12-06T06:51:16.276Z\",\"last_program_activity_at\":\"2022-06-09T06:51:14.565Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-09T06:51:14.565Z\",\"last_activity_at\":\"2022-06-09T06:51:14.565Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\
",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770226\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:16.164Z\"}}},\"weakness\":{\"data\":{\"id\":\"583\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Generation of Predictable Numbers or Identifiers\",\"description\":\"The product uses a scheme that generates numbers or identifiers that are more predictable than required.\",\"external_id\":\"cwe-340\",\"created_at\":\"2022-07-06T18:06:46.326Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794533\",\"type\":\"report\",\"attributes\":{\"title\":\"Unclaimed Amazon S3 bucket leads to marketing subdomain takeover\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-06-06T06:50:22.684Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-06-07T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-06-06T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:24.019Z\",\"last_program_activity_at\":\"2022-06-07T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-07T06:50:22.684Z\",\"last_activity_at\":\"2022-06-07T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\
"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770207\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:23.866Z\"}}},\"weakness\":{\"data\":{\"id\":\"102\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Client-Side Enforcement of Server-Side Security\",\"description\":\"The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.\",\"external_id\":\"cwe-602\",\"created_at\":\"2017-03-10T18:53:51.436Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=3\",\"first\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"prev\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\"}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:19 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "transfer-encoding", + "value": "chunked" + }, + { + "name": "connection", + "value": "keep-alive" }, { "name": "vary", 
@@ -216,11 +805,11 @@ }, { "name": "x-request-id", - "value": "229bf991-6d86-4963-9bb3-da6fbbf5a3ba" + "value": "c9f44ea1-65af-42e2-8284-dacb684fa657" }, { "name": "etag", - "value": "W/\"9e0a605fec39254453ffebff76ad1c41\"" + "value": "W/\"2ad09b624fee4df0e6f94ce078cd12d7\"" }, { "name": "cache-control", 
@@ -260,7 +849,7 @@ }, { "name": "content-security-policy", - "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" }, { "name": "cf-cache-status", 
@@ -272,17 +861,17 @@ }, { "name": "cf-ray", - "value": "77c3bfbf8cd32823-SLC" + "value": "78dfb16a89760441-HKG" } ], - "headersSize": 1514, + "headersSize": 1563, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2022-12-19T22:59:29.586Z", - "time": 2156, + "startedDateTime": "2023-01-23T10:02:18.288Z", + "time": 1470, "timings": { "blocked": -1, "connect": -1, @@ -290,7 +879,7 @@ "receive": 0, "send": 0, "ssl": -1, - "wait": 2156 + "wait": 1470 } } ], diff --git a/src/steps/report/__recordings__/fetch-reports_2954775705/recording.har b/src/steps/report/__recordings__/fetch-reports_2954775705/recording.har index d00f5df..676a622 100644 --- a/src/steps/report/__recordings__/fetch-reports_2954775705/recording.har +++ b/src/steps/report/__recordings__/fetch-reports_2954775705/recording.har 
@@ -7,6 +7,449 @@ "version": "6.0.5" }, "entries": [ + { + "_id": "2fd9190ee6ee5d6441d452419593ba03", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "authorization", + "value": "[REDACTED]" + }, + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "user-agent", + "value": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" + }, + { + "_fromType": "array", + "name": "accept-encoding", + "value": "gzip,deflate" + }, + { + "_fromType": "array", + "name": "connection", + "value": "close" + }, + { + "name": "host", + "value": "api.hackerone.com" + } + ], + "headersSize": 362, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "page", + "value": { + "number": "1", + "size": "50" + } + } + ], + "url": "https://api.hackerone.com/v1/me/organizations?page%5Bnumber%5D=1&page%5Bsize%5D=50" + }, + "response": { + "bodySize": 212, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 212, + "text": "{\"data\":[{\"id\":\"53696\",\"type\":\"organization\",\"attributes\":{\"handle\":\"jupiterone_demo_demo\",\"created_at\":\"2022-12-06T06:48:20.843Z\",\"updated_at\":\"2022-12-06T06:48:20.843Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:00 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "connection", + "value": "close" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "7f61665a-77f8-4866-9222-cc11ec5f16de" + }, + { + "name": "etag", + "value": "W/\"903da775d605439f0ae0f263be789661\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" 
+ }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0f46d4c04fb-HKG" + } + ], + "headersSize": 1582, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:01:58.976Z", + "time": 925, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 925 + } + }, + { + "_id": "a22ea652b31729e5daea0e965ed6d97c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "name": "host", + "value": 
"api.hackerone.com" + }, + { + "name": "authorization", + "value": "[REDACTED]" + } + ], + "headersSize": 189, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [], + "url": "https://api.hackerone.com/v1/me/programs" + }, + "response": { + "bodySize": 8566, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 8566, + "text": "{\"data\":[{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"policy\":\"# What we are looking for\\r\\nWe want to proactively discover and remediate security vulnerabilities on our digital assets\\r\\n\\r\\nThe vulnerabilities identified in the HackerOne reports will be classified by the degree of risk as well as the impact they present to the host system, this includes the amount and type of data exposed, privilege level obtained, the proportion of systems or users affected.\\r\\n\\r\\n# What is a Bug Bounty Program?\\r\\nJupiterOne demo’s Bug Bounty Program (BBP) is an initiative driven and managed by the JupiterOne demo Information Security team. \\r\\n\\r\\n* Security researchers are encouraged to report any behavior impacting the information security posture of JupiterOne demo’ products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\\r\\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\\r\\n *Reference HackerOne guidance on writing quality reports:\\r\\n * https://docs.hackerone.com/hackers/quality-reports.html \\r\\n * https://www.hacker101.com/sessions/good_reports\\r\\n\\r\\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\\r\\n* We will work with the affected teams to validate the report.\\r\\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\\r\\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\\r\\n\\r\\n\\r\\n# Response Targets\\r\\nWe will make a best effort to meet the following response targets for hackers participating in our program:\\r\\n\\r\\n* Time to first response (from report submit) - 1 business days\\r\\n* Time to triage (from report submit) - 2 business days \\r\\n* Time to bounty (from triage) - 10 business days\\r\\n\\r\\nWe’ll try to keep you informed about our progress throughout the process.\\r\\n\\r\\n# Program Rules\\r\\n* Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), and FileUpload vulnerabilities are listed below.\\r\\n* Do not try to exploit service providers we use, prohibited actions include, but are not limited to bruteforcing login credentials of Domain Registrars, DNS Hosting Companies, Email Providers and/or others. The Firm does not authorize you to perform any actions to any property/system/service/data not listed below.\\r\\n* If you encounter Personally Identifiable Information (PII) contact us immediately. 
Do not proceed with access and immediately purge any local information, if applicable.\\r\\n* Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.\\r\\n\\r\\n* Submit one vulnerability per- report, unless you need to chain vulnerabilities to provide impact.\\r\\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\\r\\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\\r\\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\\r\\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\\r\\n\\r\\n# Disclosure Policy\\r\\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\\r\\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\\r\\n\\r\\n\\r\\n# How To Create Accounts\\r\\n* Go to our Website\\r\\n* Register \\r\\n* use @hackerone.com email address\\r\\n* Only use accounts you're authorised to access\\r\\n\\r\\n# Rewards\\r\\nOur rewards are based on severity per the Common Vulnerability Scoring Standard (CVSS). Please note these are general guidelines, and that reward decisions are up to the discretion of JupiterOne demo.\\r\\n\\r\\n#Out of scope vulnerabilities\\r\\n\\r\\n\\r\\n***Note: 0-day vulnerabilities may be reported 30 days after initial publication. 
We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.***\\r\\n\\r\\nThe following issues are considered out of scope:\\r\\n \\r\\n When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\\r\\n\\r\\n* Disruption of our service (DoS, DDoS).\\r\\n* PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers\\r\\n* Reports from automated tools or scans\\r\\n* Social engineering of employees or contractors\\r\\n* For the time being we are making all vulnerabilities in Flash files out of scope\\r\\n* Reports affecting outdated browsers\\r\\n* Known vulnerabilities on deprecated assets not currently covered by CloudFlare.\\r\\n* Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)\\r\\n* Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these\\r\\n* Use of a known-vulnerable libraries or frameworks - for example an outdated JQuery or AngularJS (without clear and working exploit)\\r\\n* Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)\\r\\n* Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user\\r\\n* Lack of HTTPS\\r\\n* Reports about insecure SSL / TLS configuration\\r\\n* Password complexityrequirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address is easy to guess\\r\\n* Presence/Lack of autocomplete attribute on web forms/password managers\\r\\n* Server Banner 
Disclosure/Technology used Disclosure\\r\\n* Full Path Disclosure\\r\\n* IP Address Disclosure\\r\\n* CSRF on logout or insignificant functionalities\\r\\n* Publicly accessible login panels\\r\\n* Clickjacking\\r\\n* CSS Injection attacks (Unless it gives you ability to read anti-CSRF tokens or other sensitive information)\\r\\n* Tabnabbing\\r\\n* Host Header Injection (Unless it givesyou access to interim proxies)\\r\\n* Cache Poisoning\\r\\n* Reflective File Download\\r\\n* Cookie scoped to parent domain or anything related to the path misconfiguration and improperly scoped\\r\\n* Private IP/Hostname disclosures or real IP disclosures for services using CDN\\r\\n* Open ports which do not lead directly to a vulnerability\\r\\n* Weak Certificate Hash Algorithm\\r\\n* Any physical/wireless attempt against our property or data centers\\r\\n\\r\\n# Safe Harbor \\r\\nThis policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any of its legal obligations, including but not limited to:\\r\\n\\r\\n* The General Data Protection Regulation 2016/679 (GDPR) andthe Data Protection Act 2018\\r\\n\\r\\nWe affirm that we will not seek prosecution of any security researcher who reports any security vulnerability on a service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.\\r\\n\\r\\nJupiterOne demo cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\\r\\n\\r\\nThank you for helping keep us and our users safe!\\r\\n\\n\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:00 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "transfer-encoding", + "value": "chunked" + }, + { + "name": "connection", + "value": "keep-alive" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "b124e408-856c-4d11-adc1-014f7250b9ff" + }, + { + "name": "etag", + "value": "W/\"e1a9449c7a1cda0302693d05b6c317e6\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com 
hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0f9bb4e107a-HKG" + } + ], + "headersSize": 1563, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:01:59.914Z", + "time": 891, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 891 + } + }, + { + "_id": "708ab38f737a8f1a3c1bac76c1a4100d", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "authorization", + "value": "[REDACTED]" + }, + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "user-agent", + "value": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" + }, + { + "_fromType": "array", + "name": "accept-encoding", + "value": "gzip,deflate" + }, + { + "_fromType": "array", + "name": "connection", + "value": "close" + }, + { + "name": "host", + "value": "api.hackerone.com" + } + ], + "headersSize": 378, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [ + { + "name": "page", + "value": { + "number": "1", + "size": "50" + } + } + ], + "url": "https://api.hackerone.com/v1/programs/60700/structured_scopes?page%5Bnumber%5D=1&page%5Bsize%5D=50" + }, + "response": { + "bodySize": 1072, + "content": { + "mimeType": "application/json; charset=utf-8", + "size": 1072, + "text": 
"{\"data\":[{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}},{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}},{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}},{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play 
Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}},{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}},{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}},{\"id\":\"274636\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"blog.jupiterone.com\",\"eligible_for_bounty\":false,\"eligible_for_submission\":false,\"instruction\":null,\"max_severity\":\"none\",\"created_at\":\"2022-12-06T06:48:25.623Z\",\"updated_at\":\"2022-12-06T06:48:25.623Z\",\"reference\":null}}],\"links\":{}}" + }, + "cookies": [], + "headers": [ + { + "name": "date", + "value": "Mon, 23 Jan 2023 10:02:02 GMT" + }, + { + "name": "content-type", + "value": "application/json; charset=utf-8" + }, + { + "name": "connection", + "value": "close" + }, + { + "name": "vary", + "value": "Accept" + }, + { + "name": "x-request-id", + "value": "1ced1cd9-0682-4bc6-875f-464491f34061" + }, + { + "name": "etag", + "value": "W/\"a8da2cf553bc7ce6cfd7111bcd24f6a8\"" + }, + { + "name": "cache-control", + "value": "max-age=0, private, must-revalidate" + }, + { + "name": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains; preload" + }, + { + "name": "x-frame-options", + "value": "DENY" + }, + { + "name": "x-content-type-options", + "value": "nosniff" + }, + { + "name": "x-xss-protection", + "value": "1; mode=block" + }, + { + "name": "x-download-options", + "value": "noopen" + }, + { + "name": "x-permitted-cross-domain-policies", + "value": "none" + }, + { + "name": "referrer-policy", + "value": "strict-origin-when-cross-origin" + }, + { + "name": "expect-ct", + "value": "enforce, max-age=86400" + }, + { + "name": "content-security-policy", + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net 
*.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + }, + { + "name": "cf-cache-status", + "value": "DYNAMIC" + }, + { + "name": "server", + "value": "cloudflare" + }, + { + "name": "cf-ray", + "value": "78dfb0fd5ebe107a-HKG" + } + ], + "headersSize": 1582, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2023-01-23T10:02:00.813Z", + "time": 1067, + "timings": { + "blocked": -1, + "connect": -1, + "dns": -1, + "receive": 0, + "send": 0, + "ssl": -1, + "wait": 1067 + } + }, { "_id": "cdb20c629ba520c8f92fdb847b1b594a", "_order": 0, 
@@ -44,13 +487,13 @@ "content": { "mimeType": "application/json; charset=utf-8", "size": 135165, - "text": "{\"data\":[{\"id\":\"1795020\",\"type\":\"report\",\"attributes\":{\"title\":\"Demo report: XSS in JupiterOne demo H1B home page\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T17:18:15.515Z\",\"vulnerability_information\":\"In some ***fantasy world***, the home page of JupiterOne demo H1B is vulnerable to an *imaginary* Cross-Site Scripting attack.\\n\\n1. Visit home page of JupiterOne demo H1B\\n2. Open the browser's javascript console\\n3. Type `alert(/xss!/)` and press enter\\n4. Profit!\\n\\n## Impact\\n\\nIn our fantasy world, exploiting this vulnerability allows us to run an external script on your website that for example steals the cookies of the users that's facing the XSS and thus gaining access to the account of the victim.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T17:18:16.437Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T17:18:16.437Z\",\"last_activity_at\":\"2022-12-09T17:18:16.437Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"assignee\":{\"data\":{\"id\":\"2522558\",\"type\":\"user\",\"attributes\":{\"username\":\"ninetreats00\",\"name\":\"Sam 
Andrus\",\"disabled\":false,\"created_at\":\"2022-12-06T17:18:09.499Z\",\"profile_picture\":{\"62x62\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"82x82\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"110x110\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"260x260\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\"},\"signal\":null,\"impact\":null,\"reputation\":null,\"bio\":null,\"website\":null,\"location\":null,\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"weakness\":{\"data\":{\"id\":\"1450\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Absolute Path Traversal\",\"description\":\"An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as \\\"..\\\" to extend their range of access to inappropriate areas of the file system. 
The goal of the adversary is to access directories and files that are intended to be restricted from their access.\",\"external_id\":\"capec-597\",\"created_at\":\"2022-07-06T18:59:45.367Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794559\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup SQL file lingering on https://ops.jupiterone.com/\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:51:29.205Z\",\"vulnerability_information\":\"The JupiterOne demo Ops website - `ops.jupiterone.com` has a lingering SQL backup file that is\\npublicly accessible and downloadable. The file contains a SQL database backup that contains\\nprivileged user information and secret keys.\\n# Steps to Reproduce\\n- Head over to https://ops.jupiterone.com/tmp/backup.sql\\n- Inspect the raw SQL. E.g. search for `encryption_key` or `password`.\\n# PoC\\nhttps://ops.jupiterone.com/tmp/backup.sql:\\n{F2063870}\\n\\n# Remediation\\nEnsure the file is removed from the server or protected with a proper authentication mechanism\\nthat prevents unprivileged users from accessing this sensitive information.\\n\\n## Impact\\n\\nAny customer of JupiterOne demo that has this system will be\\nimpacted by this vulnerability. 
An attacker could easily gain access to whatever they are\\ntrying to protect by exploiting this vulnerability.\",\"triaged_at\":\"2022-12-06T06:51:29.423Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:29.929Z\",\"first_program_activity_at\":\"2022-12-06T06:51:29.423Z\",\"last_program_activity_at\":\"2022-12-06T06:51:29.423Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:29.929Z\",\"last_activity_at\":\"2022-12-09T06:51:29.929Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\
"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"assignee\":{\"data\":{\"id\":\"4954\",\"type\":\"user\",\"attributes\":{\"username\":\"demo-member\",\"name\":\"Demo Member\",\"disabled\":false,\"created_at\":\"2014-04-14T11:45:00.949Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"signal\":null,\"impact\":null,\"reputation\":null,\"bio\":\"I'm here to help test drive, and am automatically removed at 
launch.\",\"website\":null,\"location\":\"testing\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770233\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:29.279Z\",\"score\":10.0,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"none\",\"user_interaction\":\"none\",\"scope\":\"changed\"}}},\"weakness\":{\"data\":{\"id\":\"18\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Information Disclosure\",\"description\":\"An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.\",\"external_id\":\"cwe-200\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794558\",\"type\":\"report\",\"attributes\":{\"title\":\"Private Data - Mass account takeovers using HTTP Request Smuggling on qa.jupiterone.com to steal session cookies\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T06:51:27.360Z\",\"vulnerability_information\":\"Hi JupiterOne demo Security 
Team!\\nMy name is cosmo and I'm a first time bug hunter to your platform. I decided to take a little of my time and gently perform recon on your platform. Specifically the area of interest I focus in is HTTP Request Smuggling. I developed tooling to actively target some advanced HTTP Smuggling exploits and ran it on your in-scope assets. In my research I stumbled across a finding that I consider extremely critical not only for JupiterOne demo but for all customers and organizations which share their privatedata/channels/conversations on JupiterOne demo.\\n\\n### Steps to Reproduce\\n\\nThe bug chain is as follows:\\n1) HTTP Request Smuggling CTLE to Arbitrary Request Hijacking (Poisoned Socket) on JupiterOne demob.com\\n2) Request Hijack forces victim HTTP requests to instead use GET https://\\u003cURL\\u003e HTTP/1.1 on JupiterOne demob.com\\n3) A request of GET https://\\u003cURL\\u003e HTTP/1.1 on the backend server socket results in a 301 redirect to https://\\u003cURL\\u003e with JupiterOne demo cookies (most importantly the d cookie)\\n4) Me with my Burp Collaborator steals victims cookies by using a collaborator server as the defined \\u003cURL\\u003e in the attack\\n5) Me (if I were evil) collects massive amounts of d session cookies and steals any/all possible JupiterOne demo user/organization data from victim sessions\\n\\n### Remediation\\n\\nTo fix this you need to use HTTP/2 for back-end connections, as this protocol prevents ambiguity about the boundaries between requests.\\nThe front-end server processes the Content-Length header and determines that the request body is 13 bytes long, up to the end of SMUGGLED. This request is forwarded on to the back-end server.\\n\\nThe back-end server processes the Transfer-Encoding header, and so treats the message body as using chunked encoding. It processes the first chunk, which is stated to be zero length, and so is treated as terminating the request. 
The following bytes, SMUGGLED, are left unprocessed, and the back-end server will treat these as being the start of the next request in the sequence.\\n\\n## Impact\\n\\nSo it is my opinion that this is a severe critical vulnerability that could lead to a massive data breach of a majority of customer data. With this attack it would be trivial for a bad actor to create bots that consistantly issue this attack, jump onto the victim session and steal all possible data within reach.\\nI am really happy I found this for you guys so that it can be dealt with ASAP. I really hope there haven't been any attacks on customers using this vulnerability.\\nBest Wishes,\\ncosmo\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:52.732Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:52.732Z\",\"last_activity_at\":\"2022-12-09T06:51:52.732Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/
ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770232\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:27.437Z\",\"score\":8.1,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"low\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"weakness\":{\"data\":{\"id\":\"86\",\"type\":\"weakness\",\"attributes\":{\"name\":\"HTTP Request Smuggling\",\"description\":\"When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to \\\"smuggle\\\" a request to one device without the other device being aware of 
it.\",\"external_id\":\"cwe-444\",\"created_at\":\"2017-01-26T23:29:14.332Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794557\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR - Edit Anyone's Blogs / Websites\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T06:51:25.465Z\",\"vulnerability_information\":\"Hello there,\\nI hope all is well!\\nSteps:\\nGo to https://jupiterone.com/signup and create 2 accounts.\\nLogin as victim and go to https://www.jupiterone.com/edit-user-profile\\nClick Add Blog / Website text and fill the form \\u003e click Save Settings button\\nGo to https://www.jupiterone.com/edit-user-profile, again and search radMainSite text in page source and copy value.\\nThen login as attacker.\\nGo to https://www.jupiterone.com/edit-user-profile \\u003e click Add Blog / Website text and fill the form \\u003e click Save Settings button\\nGo to https://www.jupiterone.com/edit-user-profile, again and click Save Settings button \\u003e open burp suite and change hidBlogID parameter with victim's hidBlogID.\\nForward the request and go to victim's account. Check your website informations. 
You will see it's changed.\\n\\n## Impact\\n\\nChange victim's website/blog information - leading to personal data exposure, defacing of customer content and loss of company revenue.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:52.734Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:52.734Z\",\"last_activity_at\":\"2022-12-09T06:51:52.734Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\"
:\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770231\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:25.592Z\",\"score\":8.1,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"low\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"weakness\":{\"data\":{\"id\":\"55\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insecure Direct Object Reference (IDOR)\",\"description\":\"The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.\",\"external_id\":\"cwe-639\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794521\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS on api.playtronics.com\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:49:53.816Z\",\"vulnerability_information\":\"The `/print.json` endpoint on the Playtronics API (`api.playtronics.com`) contains a\\nreflected 
XSS vulnerability via the `title` parameter.\\n\\n### Steps to reproduce\\n1. Generate an API key for any user/permission on the Playtronics API\\n2. Send victim to an URL with the reflected XSS payload embedded:\\n`https://api.playtronics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e`\\n\\n### Proof of Concept\\nIt is possible to hide the reflected XSS payload inside another web page to make the\\nattack more stealthy. Here's a way to do it with an iframe:\\n\\n```\\n\\u003ciframe src=\\\"https://api.playtromnics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e\\\" /\\u003e\\n```\\n\\n### Remediaton\\n* Ensure the HTTP responses from the API are always `Content-Type: application/json`\\n* Properly sanitize the user input for the `title` parameter in the `print.json` endpoint\\nand escape potentially dangerous characters, such as HTML tags and JavaScript\\n\\n## Impact\\n\\nAn attacker can execute arbitrary JavaScript on api.playtronics.com, potentially\\nescalating the impact by capturing the API token of the 
victim.\",\"triaged_at\":\"2022-12-06T06:49:54.297Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-06T06:49:54.729Z\",\"first_program_activity_at\":\"2022-12-06T06:49:54.004Z\",\"last_program_activity_at\":\"2022-12-06T06:49:54.611Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:54.611Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1444\",\"last_public_activity_at\":\"2022-12-06T06:49:54.729Z\",\"last_activity_at\":\"2022-12-06T06:49:54.729Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"h
ackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770195\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:53.879Z\",\"score\":8.3,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"none\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[{\"id\":\"442260\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-06T06:49:54.599Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794521\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS on api.playtronics.com\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:49:53.816Z\",\"vulnerability_information\":\"The `/print.json` endpoint on the Playtronics API (`api.playtronics.com`) contains a\\nreflected XSS vulnerability via the `title` parameter.\\n\\n### Steps to reproduce\\n1. Generate an API key for any user/permission on the Playtronics API\\n2. 
Send victim to an URL with the reflected XSS payload embedded:\\n`https://api.playtronics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e`\\n\\n### Proof of Concept\\nIt is possible to hide the reflected XSS payload inside another web page to make the\\nattack more stealthy. Here's a way to do it with an iframe:\\n\\n```\\n\\u003ciframe src=\\\"https://api.playtromnics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e\\\" /\\u003e\\n```\\n\\n### Remediaton\\n* Ensure the HTTP responses from the API are always `Content-Type: application/json`\\n* Properly sanitize the user input for the `title` parameter in the `print.json` endpoint\\nand escape potentially dangerous characters, such as HTML tags and JavaScript\\n\\n## Impact\\n\\nAn attacker can execute arbitrary JavaScript on api.playtronics.com, potentially\\nescalating the impact by capturing the API token of the 
victim.\",\"triaged_at\":\"2022-12-06T06:49:54.297Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-06T06:49:54.729Z\",\"first_program_activity_at\":\"2022-12-06T06:49:54.004Z\",\"last_program_activity_at\":\"2022-12-06T06:49:54.611Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:54.611Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1444\",\"last_public_activity_at\":\"2022-12-06T06:49:54.729Z\",\"last_activity_at\":\"2022-12-06T06:49:54.729Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794532\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin system credentials leaked in public GitHub commit history\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-05T06:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-12-05T09:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:23.560Z\",\"first_program_activity_at\":\"2022-12-06T06:50:22.070Z\",\"last_program_activity_at\":\"2022-12-05T09:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:50:23.560Z\",\"last_activity_at\":\"2022-12-09T06:50:23.560Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLC
JleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770206\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:21.909Z\"}}},\"weakness\":{\"data\":{\"id\":\"1027\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Reflection Injection\",\"description\":\"An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. 
This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.\",\"external_id\":\"capec-138\",\"created_at\":\"2022-07-06T18:33:49.925Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794529\",\"type\":\"report\",\"attributes\":{\"title\":\"Crypto - Ethereum account balance manipulation\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-05T06:49:54.883Z\",\"vulnerability_information\":\"If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed\\nSteps To Reproduce:\\nSetup a smart contract with a few valid wallets and 1 final faulty wallet (always throw exception when receiving funds smart contract for example)\\nTransfer appropriate funds to smart contract.\\nExecute smart contract adding the set amount of ether to the wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.\\nRepeat until you have more than enough ethereum in your wallet.\\nCash out, transfer to off site wallet\\n\\n## Impact\\n\\nBy using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your 
account.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.440Z\",\"first_program_activity_at\":\"2022-12-06T06:50:10.664Z\",\"last_program_activity_at\":\"2022-12-05T09:49:54.883Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.440Z\",\"last_activity_at\":\"2022-12-09T06:51:43.440Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"progra
m\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770203\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:10.554Z\"}}},\"weakness\":{\"data\":{\"id\":\"1385\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Open-Source Library Manipulation\",\"description\":\"Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.\",\"external_id\":\"capec-538\",\"created_at\":\"2022-07-06T18:53:39.017Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794501\",\"type\":\"report\",\"attributes\":{\"title\":\"Mobile - Read new emails from any inbox IOS APP in notification center\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-05T06:48:28.517Z\",\"vulnerability_information\":\"IDOR vulnerability in notification center API as used by jupiterone.com Mail application for iOS allowed to request notifications for arbitrary e-mail address\\n\\n## Impact\\n\\nPersonal Data Exposure, account take over and down time for your major IOS 
app.\",\"triaged_at\":\"2022-12-05T10:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:35.306Z\",\"first_program_activity_at\":\"2022-12-06T06:48:34.640Z\",\"last_program_activity_at\":\"2022-12-05T10:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1750\",\"last_public_activity_at\":\"2022-12-09T06:48:35.306Z\",\"last_activity_at\":\"2022-12-09T06:48:35.306Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2023-01-16T10:48:28.517Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-16T06:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-07T06:48:28.517Z\",\"timer_report_triage_elapsed_time\":14400},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJ
fcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770175\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:48:34.407Z\"}}},\"weakness\":{\"data\":{\"id\":\"1053\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Spear Phishing\",\"description\":\"An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. 
As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.\",\"external_id\":\"capec-163\",\"created_at\":\"2022-07-06T18:35:18.823Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794499\",\"type\":\"report\",\"attributes\":{\"title\":\"Collaboration - Memory corruption in imap-parser.c\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-01T18:48:28.517Z\",\"vulnerability_information\":\"Hello JupiterOne demo devs, this is a report from Bishop and Cosmo. We are researchers at the University of Pennsylvania. We’ve been fuzzing JupiterOne demo and have triggered some memory errors---this one is the most serious, and can be used for controlled indirect out-of-bounds writes into heap memory.\\nSummary:\\nThe imapparser_read_string() function inside imap-parser.c sets the parser -\\u003e str_first_escape field equal to the index of the first ‘\\\\\\\\’ escape character found when parsing the input data. However, it does not check for a null byte (end of string) when scanning that data. 
As a result, if a ‘\\\\\\\\’ is placed _after a null byte in an input data, then the str_first_escape index may be larger than the strlen() of the actual data, which leads to out of bounds heap memory accesses (both reads and writes).\\nOn line 266 of imap-parser.c, a new string is allocated from the memory pool of the parser, and a copy of the input data is copied there using p_strndup():\\nstr = p_strndup(parser-\\u003epool, data+1, size-1);\\npstrndup() computes the _length of the original string (distance to first null byte), allocates that many bytes, and then copies that many bytes into the allocated buffer. Several lines later the program calls str_unescape() on the shorter copied string using the original offset parser -\\u003e str_first_escape:\\n(void)str_unescape(str + parser-\\u003estr_first_escape-1);\\nAs noted, we can create inputs in which str_first_escape will have a larger value than the actual length of the string, thus driving str out of bounds in the input to str_unescape(). The p_strndup() allocates its memory from the parser memory pool; with an appropriate arrangement of the pool, this could be made to allocate from a block with a higher address than the data; because the distance between the ‘\\\\\\\\’ and the null byte can be controlled by an attacker and is only constrained by the length of a line, the pointer can thus be set to a controlled value outside of the memory pool. str_unescape() performs writes, which could be used to corrupt arbitrary heap memory that is allocated after the pool, thus providing realistic footing for exploitation. 
Attached to this report are two screenshots from Address Sanitizer that show the state of the call stack and the detected out-of-bounds writes to heap objects.\\nReleases Affected:\\nThe affected code has not been touched since 2003 and the vulnerability may be older than that.\\nSteps To Reproduce:\\nCompile JupiterOne demo with ASAN to detect memory errors, or add the assertion “i_assert(strlen(str) \\u003e= parser-\\u003estr_first_escape);” after line 270 in imap-parser.c to detect violations of that logical invariant.\\nInsert a ‘\\\\\\\\0’ before the first ‘\\\\\\\\’ in a string that will be parsed by imap-parser.c --- example IMAP session provided below\\nRun session\\nExample session:\\na0000 AUTHENTICATE PLAIN xxxxxxxxxxxxx\\na0001 CAPABILITY\\na0002 LIST \\\"0\\\\\\\\A\\\" “”\\na0006 CLOSE\\na0007 LOGOUT\\nNote the 0 before “\\\\\\\\A” would be an actual null byte not \\\\\\\\x30.\\nFixing the vulnerability\\nThe offset of the first escape should not be set higher than the offset of the null byte. This could be achieved either by setting str_first_escape if it has not been set when the first ‘\\\\\\\\0’ is encountered, or by terminating the processing (and maybe dropping the ill-behaved client) on that first ‘\\\\\\\\0’ and leaving str_first_escape unset. Given that we are not experts on this code and the nuances of the IMAP syntax, we can’t say which is more appropriate.\\nSupporting Material/References:\\nThis report includes two screenshots of Address Sanitizer reported out-of-bounds writes.\\nImpact\\nThis vulnerability allows for out-of-bounds writes to objects stored on the heap. One of the attached screenshots shows an ASAN report from a null byte write from line 76 of strescape.c; this alone can feasibly lead to arbitrary code execution, for example: https://bugs.chromium.org/p/project-zero/issues/detail?id=96\\nIn this particular case, the attacker capabilities are much greater than a single null byte overflow. 
Not only can the write be controlled to skip over memory and write to an offset of the attacker’s choosing, but if heap memory contains ‘\\\\\\\\’ bytes (which can be prepared by an attacker through previous IMAP session operations), then they will cause str_unescape() to perform a repeated series of writes as dictated by the logic of the function; attached is a screenshot showing out-of-bounds writes from line 73. Furthermore, this vulnerability can be triggered repeatedly within a single IMAP session, thus allowing quite sophisticated manipulation of heap memory. Once the state of memory can be corrupted this way in a complex program, arbitrary code execution should be assumed to be possible; all that remains is fitting the pieces together.\\n\\n## Impact\\n\\nThis vulnerability allows for out-of-bounds writes to objects stored on the heap. One of the attached screenshots shows an ASAN report from a null byte write from line 76 of strescape.c; this alone can feasibly lead to arbitrary code execution, for example: https://bugs.chromium.org/p/project-zero/issues/detail?id=96\\nIn this particular case, the attacker capabilities are much greater than a single null byte overflow. Not only can the write be controlled to skip over memory and write to an offset of the attacker’s choosing, but if heap memory contains ‘\\\\\\\\’ bytes (which can be prepared by an attacker through previous IMAP session operations), then they will cause str_unescape() to perform a repeated series of writes as dictated by the logic of the function; attached is a screenshot showing out-of-bounds writes from line 73. Furthermore, this vulnerability can be triggered repeatedly within a single IMAP session, thus allowing quite sophisticated manipulation of heap memory. 
Once the state of memory can be corrupted this way in a complex program, arbitrary code execution should be assumed to be possible; all that remains is fitting the pieces together.\",\"triaged_at\":\"2022-12-02T04:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:34.451Z\",\"first_program_activity_at\":\"2022-12-06T06:48:32.375Z\",\"last_program_activity_at\":\"2022-12-02T04:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1723\",\"last_public_activity_at\":\"2022-12-09T06:48:34.451Z\",\"last_activity_at\":\"2022-12-09T06:48:34.451Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2023-01-13T04:48:28.517Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-12T18:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-05T18:48:28.517Z\",\"timer_report_triage_elapsed_time\":36000},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-
photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770173\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:48:32.143Z\"}}},\"weakness\":{\"data\":{\"id\":\"548\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Authentication Bypass by Alternate Name\",\"description\":\"The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.\",\"external_id\":\"cwe-289\",\"created_at\":\"2022-07-06T18:04:55.580Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794520\",\"type\":\"report\",\"attributes\":{\"title\":\"SSH server compatible with several vulnerable cryptographic algorithms\",\"main_state\":\"closed\",\"state\":\"duplicate\",\"created_at\":\"2022-11-29T06:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles 
and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-15T06:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-29T06:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:45.563Z\",\"last_program_activity_at\":\"2022-12-15T06:48:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-15T06:48:35.164Z\",\"last_activity_at\":\"2022-12-15T06:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"original_report_id\":\"1794502\",\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-01T06:48:35.164Z\",\"timer_report_triage_elapsed_time\":1036789},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f25
3f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770194\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:49:45.389Z\"}}},\"weakness\":{\"data\":{\"id\":\"314\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incorrect Register Defaults or Module Parameters\",\"description\":\"Hardware description language code incorrectly defines register defaults or hardware IP parameters to insecure values.\",\"external_id\":\"cwe-1221\",\"created_at\":\"2022-07-06T17:52:26.223Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794498\",\"type\":\"report\",\"attributes\":{\"title\":\"Weak Recovery Mechanism - Reset Any 
Password\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-11-28T06:48:28.517Z\",\"vulnerability_information\":\"Summary:\\n When I try to reset the password, the verification code of the mailbox is 6 digits, and there is no limit on the number of submissions, so I can reset the password of any user.\\nSteps To Reproduce:\\n1. Input email and send code\\n2. Input email and send code for email account you want to take over\\n3. Input known vertification code to get to the next page\\n4. Modify request on next page with email account you want to take over and brute force the unkown verification code - there is no limit to this brute force and the code is only 6 characters\\n\\n## Impact\\n\\nI can change the password on any account, leading to account takeovers, loss of private data and loss of revenue/fine for company.\",\"triaged_at\":\"2022-11-28T14:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:31.964Z\",\"first_program_activity_at\":\"2022-12-06T06:48:30.317Z\",\"last_program_activity_at\":\"2022-11-28T14:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1722\",\"last_public_activity_at\":\"2022-12-09T06:48:31.964Z\",\"last_activity_at\":\"2022-12-09T06:48:31.964Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T06:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-11-30T06:48:28.517Z\",\"timer_report_triage_elapsed_time\":28800},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":
{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770172\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:48:30.092Z\"}}},\"weakness\":{\"data\":{\"id\":\"625\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Declaration of Catch for Generic Exception\",\"description\":\"Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.\",\"external_id\":\"cwe-396\",\"created_at\":\"2022-07-06T18:08:54.595Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can 
still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794519\",\"type\":\"report\",\"attributes\":{\"title\":\"Multiple Subdomain takeovers via unclaimed instances\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-28T00:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-27T00:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-28T00:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:43.055Z\",\"last_program_activity_at\":\"2022-12-27T00:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:43.435Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-27T00:08:35.164Z\",\"last_activity_at\":\"2022-12-27T00:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591455,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1814380,\"timer_report_triage_miss_at\":\"2022-11-30T00:08:35.164Z\",\"timer_report_triage_elapsed_time\":1814380},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\"
,\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770193\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:42.890Z\"}}},\"weakness\":{\"data\":{\"id\":\"472\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Permissive List of Allowed Inputs\",\"description\":\"The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.\",\"external_id\":\"cwe-183\",\"created_at\":\"2022-07-06T18:00:44.401Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442259\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-08T00:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794519\",\"type\":\"report\",\"attributes\":{\"title\":\"Multiple Subdomain takeovers via unclaimed 
instances\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-28T00:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-27T00:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-28T00:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:43.055Z\",\"last_program_activity_at\":\"2022-12-27T00:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:43.435Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-27T00:08:35.164Z\",\"last_activity_at\":\"2022-12-27T00:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591455,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1814380,\"timer_report_triage_miss_at\":\"2022-11-30T00:08:35.164Z\",\"timer_report_triage_elapsed_time\":1814380}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794518\",\"type\":\"report\",\"attributes\":{\"title\":\"Bypassing Homograph Attack Using\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-26T17:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-14T17:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-26T17:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:37.541Z\",\"last_program_activity_at\":\"2022-12-14T17:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:38.594Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-14T17:28:35.164Z\",\"last_activity_at\":\"2022-12-14T17:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2050093,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1099704,\"timer_report_triage_miss_at\":\"2022-11-30T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1099704},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecb
e47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770192\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:49:37.146Z\"}}},\"weakness\":{\"data\":{\"id\":\"1190\",\"type\":\"weakness\",\"attributes\":{\"name\":\"TCP FIN Scan\",\"description\":\"An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. 
This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.\",\"external_id\":\"capec-302\",\"created_at\":\"2022-07-06T18:43:00.350Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442258\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-29T17:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794518\",\"type\":\"report\",\"attributes\":{\"title\":\"Bypassing Homograph Attack Using\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-26T17:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-14T17:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-26T17:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:37.541Z\",\"last_program_activity_at\":\"2022-12-14T17:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:38.594Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-14T17:28:35.164Z\",\"last_activity_at\":\"2022-12-14T17:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2050093,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1099704,\"timer_report_triage_miss_at\":\"2022-11-30T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1099704}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794528\",\"type\":\"report\",\"attributes\":{\"title\":\"Open Source - Buffer underflow in Ruby sprintf\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-26T13:41:20.597Z\",\"vulnerability_information\":\"Find attached the crash file, the crash output and the suggestion for a fix: https://github.com/ruby/ruby/commit/0854193a684acc2b3a13ab28091a4397000c8822\\n\\n## Impact\\n\\nAttacker can cause the web application to execute arbitrary code – effectively taking over the machine on any web application using 
Ruby.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.339Z\",\"first_program_activity_at\":\"2022-12-06T06:50:09.119Z\",\"last_program_activity_at\":\"2022-11-26T23:41:20.597Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.339Z\",\"last_activity_at\":\"2022-12-09T06:51:43.339Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZ
hcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770202\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:08.995Z\"}}},\"weakness\":{\"data\":{\"id\":\"1492\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Hiding Malicious Data or Code within Files\",\"description\":\"Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. 
It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.\",\"external_id\":\"capec-636\",\"created_at\":\"2022-07-06T19:02:12.998Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794517\",\"type\":\"report\",\"attributes\":{\"title\":\"Leakage badges on disabled user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-25T10:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-25T10:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-25T10:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:32.654Z\",\"last_program_activity_at\":\"2022-12-25T10:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:32.998Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-25T10:48:35.164Z\",\"last_activity_at\":\"2022-12-25T10:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2639454,\"timer_bounty_awarded_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1775464,\"timer_report_triage_miss_at\":\"2022-11-29T10:48:35.164Z\",\"timer_report_triage_elapsed_time\":1775464},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJib
G9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770191\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:32.536Z\"}}},\"weakness\":{\"data\":{\"id\":\"422\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insufficient Precision or Accuracy of a Real Number\",\"description\":\"The program processes a real number with an implementation in which the number’s representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.\",\"external_id\":\"cwe-1339\",\"created_at\":\"2022-07-06T17:58:07.760Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442257\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"400.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"400.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-07T10:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794517\",\"type\":\"report\",\"attributes\":{\"title\":\"Leakage badges on disabled user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-25T10:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-25T10:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-25T10:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:32.654Z\",\"last_program_activity_at\":\"2022-12-25T10:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:32.998Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-25T10:48:35.164Z\",\"last_activity_at\":\"2022-12-25T10:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2639454,\"timer_bounty_awarded_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1775464,\"timer_report_triage_miss_at\":\"2022-11-29T10:48:35.164Z\",\"timer_report_triage_elapsed_time\":1775464}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794516\",\"type\":\"report\",\"attributes\":{\"title\":\"Open prod Jenkins instance\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-24T04:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T04:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-24T04:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:30.297Z\",\"last_program_activity_at\":\"2022-12-13T04:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:30.668Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T04:08:35.164Z\",\"last_activity_at\":\"2022-12-13T04:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1123188,\"timer_report_triage_miss_at\":\"2022-11-28T04:08:35.164Z\",\"timer_report_triage_elapsed_time\":1123188},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d0
0722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770190\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:30.117Z\"}}},\"weakness\":{\"data\":{\"id\":\"685\",\"type\":\"weakness\",\"attributes\":{\"name\":\"External Control of Assumed-Immutable Web Parameter\",\"description\":\"The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.\",\"external_id\":\"cwe-472\",\"created_at\":\"2022-07-06T18:12:09.751Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442256\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-23T04:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794516\",\"type\":\"report\",\"attributes\":{\"title\":\"Open prod Jenkins instance\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-24T04:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a 
variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T04:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-24T04:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:30.297Z\",\"last_program_activity_at\":\"2022-12-13T04:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:30.668Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T04:08:35.164Z\",\"last_activity_at\":\"2022-12-13T04:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1123188,\"timer_report_triage_miss_at\":\"2022-11-28T04:08:35.164Z\",\"timer_report_triage_elapsed_time\":1123188}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794515\",\"type\":\"report\",\"attributes\":{\"title\":\"Key Reinstallation Attacks\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-22T21:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T21:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-22T21:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:26.610Z\",\"last_program_activity_at\":\"2022-12-12T21:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:26.989Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T21:28:35.164Z\",\"last_activity_at\":\"2022-12-12T21:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1209587,\"timer_report_triage_miss_at\":\"2022-11-24T21:28:35.164Z\",\"timer_report_triage_elapsed_time\":1209587},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc
85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770189\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:26.483Z\"}}},\"weakness\":{\"data\":{\"id\":\"1153\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Fuzzing for garnering other adjacent user/sensitive data\",\"description\":\"An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide.\",\"external_id\":\"capec-261\",\"created_at\":\"2022-07-06T18:40:56.542Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442255\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-03T21:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794515\",\"type\":\"report\",\"attributes\":{\"title\":\"Key Reinstallation Attacks\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-22T21:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T21:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-22T21:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:26.610Z\",\"last_program_activity_at\":\"2022-12-12T21:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:26.989Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T21:28:35.164Z\",\"last_activity_at\":\"2022-12-12T21:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1209587,\"timer_report_triage_miss_at\":\"2022-11-24T21:28:35.164Z\",\"timer_report_triage_elapsed_time\":1209587}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794514\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup Source Code Detected\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-21T14:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-02T14:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-21T14:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:24.169Z\",\"last_program_activity_at\":\"2022-12-02T14:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:24.526Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-02T14:48:35.164Z\",\"last_activity_at\":\"2022-12-02T14:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_report_resolved_elapsed_time\":777592,\"timer_report_triage_miss_at\":\"2022-11-23T14:48:35.164Z\",\"timer_report_triage_elapsed_time\":777592},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d007
22ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770188\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:49:24.058Z\"}}},\"weakness\":{\"data\":{\"id\":\"1510\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Use of Known Windows Credentials\",\"description\":\"An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows domain credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the domain, under the guise of an authenticated user or service. Attacks leveraging trusted Windows credentials typically result in the adversary laterally moving within the local Windows network, since users are often allowed to login to systems/applications within the domain using their Windows domain password. This domain authentication can occur directly (user typing in their password or PIN) or via Single Sign-On (SSO) or cloud-based authentication, which often don't verify the authenticity of the user's input.\",\"external_id\":\"capec-653\",\"created_at\":\"2022-07-06T19:03:05.325Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442254\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-20T14:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794514\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup Source Code Detected\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-21T14:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-02T14:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-21T14:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:24.169Z\",\"last_program_activity_at\":\"2022-12-02T14:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:24.526Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-02T14:48:35.164Z\",\"last_activity_at\":\"2022-12-02T14:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_report_resolved_elapsed_time\":777592,\"timer_report_triage_miss_at\":\"2022-11-23T14:48:35.164Z\",\"timer_report_triage_elapsed_time\":777592}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794513\",\"type\":\"report\",\"attributes\":{\"title\":\"Leaking Referrer in Reset Password Link\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-20T08:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T08:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-20T08:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:20.564Z\",\"last_program_activity_at\":\"2022-12-13T08:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:21.073Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T08:08:35.164Z\",\"last_activity_at\":\"2022-12-13T08:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2880483,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1411700,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1411700},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2l
kIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770187\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:49:20.218Z\"}}},\"weakness\":{\"data\":{\"id\":\"533\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: 'dir/../../filename'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal \\\"../\\\" sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-27\",\"created_at\":\"2022-07-06T18:04:03.773Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442253\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-05T08:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794513\",\"type\":\"report\",\"attributes\":{\"title\":\"Leaking Referrer in Reset Password Link\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-20T08:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T08:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-20T08:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:20.564Z\",\"last_program_activity_at\":\"2022-12-13T08:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:21.073Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T08:08:35.164Z\",\"last_activity_at\":\"2022-12-13T08:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2880483,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1411700,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1411700}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794512\",\"type\":\"report\",\"attributes\":{\"title\":\"Keybase extension hostname-validation regular expression issue\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-19T01:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-10T01:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-19T01:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:14.696Z\",\"last_program_activity_at\":\"2022-12-10T01:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:16.507Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-10T01:28:35.164Z\",\"last_activity_at\":\"2022-12-10T01:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2942882,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1295986},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJib
G9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770186\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:14.571Z\"}}},\"weakness\":{\"data\":{\"id\":\"1235\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Application API Button Hijacking\",\"description\":\"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. 
Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.\",\"external_id\":\"capec-388\",\"created_at\":\"2022-07-06T18:45:23.172Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442252\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"800.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"800.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-06T01:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794512\",\"type\":\"report\",\"attributes\":{\"title\":\"Keybase extension hostname-validation regular expression issue\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-19T01:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-10T01:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-19T01:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:14.696Z\",\"last_program_activity_at\":\"2022-12-10T01:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:16.507Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-10T01:28:35.164Z\",\"last_activity_at\":\"2022-12-10T01:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2942882,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1295986}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794527\",\"type\":\"report\",\"attributes\":{\"title\":\"RCE - Remote Code Execution on app.jupiterone.com using bulk customer update of Priority Products\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-17T20:32:46.311Z\",\"vulnerability_information\":\"Hi,\\nBackground\\napp.jupiterone.com allows the administrator to upload priority product images located at:\\nhttps://app.jupiterone.com/seller/onboarding/1\\n\\n\\nThese images are not being checked if they are real JPG/PNG/GIF. 
When uploading an ImageTragick using a specific payload then connecting app.JupiterOne demo to JupiterOne demo Messenger, and writing the right commands a reverse shell will be created to my host.\\n\\nI also verified I can access AWS metadata.\\n\\nYou should immediately make sure Postscript files cannot be uploaded here, or urgently update or remove Ghostscript from the imagemagick instance.\\nRegards,\\nFrans and Mathias\\n\\n## Impact\\n\\nAccess AWS secret keys, personal data and execute code on server.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.323Z\",\"first_program_activity_at\":\"2022-12-06T06:50:07.506Z\",\"last_program_activity_at\":\"2022-11-18T18:32:46.311Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.323Z\",\"last_activity_at\":\"2022-12-09T06:51:43.323Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hac
kerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770201\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:07.339Z\"}}},\"weakness\":{\"data\":{\"id\":\"921\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Filtering of Special Elements\",\"description\":\"The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.\",\"external_id\":\"cwe-790\",\"created_at\":\"2022-07-06T18:27:51.923Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794511\",\"type\":\"report\",\"attributes\":{\"title\":\"Access to Private Photos of Apps in App section(IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-17T18:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-17T18:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-17T18:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:12.284Z\",\"last_program_activity_at\":\"2022-12-17T18:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:12.642Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-17T18:48:35.164Z\",\"last_activity_at\":\"2022-12-17T18:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3561043,\"timer_bounty_awarded_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1833063,\"timer_report_triage_miss_at\":\"2022-11-21T18:48:35.164Z\",\"timer_report_triage_elapsed_time\":1833063},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\"
,\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770185\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:12.168Z\"}}},\"weakness\":{\"data\":{\"id\":\"907\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Missing Reference to Active File Descriptor or Handle\",\"description\":\"The software does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.\",\"external_id\":\"cwe-773\",\"created_at\":\"2022-07-06T18:27:09.309Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage 
your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442251\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-14T18:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794511\",\"type\":\"report\",\"attributes\":{\"title\":\"Access to Private Photos of Apps in App section(IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-17T18:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-17T18:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-17T18:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:12.284Z\",\"last_program_activity_at\":\"2022-12-17T18:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:12.642Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-17T18:48:35.164Z\",\"last_activity_at\":\"2022-12-17T18:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3561043,\"timer_bounty_awarded_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1833063,\"timer_report_triage_miss_at\":\"2022-11-21T18:48:35.164Z\",\"timer_report_triage_elapsed_time\":1833063}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794510\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin Panel Accessed (OAuth Bypassed )\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-16T12:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T12:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-16T12:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:05.685Z\",\"last_program_activity_at\":\"2022-12-12T12:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:10.113Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T12:08:35.164Z\",\"last_activity_at\":\"2022-12-12T12:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3369562,\"timer_bounty_awarded_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-18T12:08:35.164Z\",\"timer_report_triage_elapsed_time\":1555183},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc
85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770184\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:05.574Z\"}}},\"weakness\":{\"data\":{\"id\":\"667\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Multiple Interpretations of UI Input\",\"description\":\"The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.\",\"external_id\":\"cwe-450\",\"created_at\":\"2022-07-06T18:11:16.745Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442250\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-10T12:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794510\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin Panel Accessed (OAuth Bypassed )\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-16T12:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T12:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-16T12:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:05.685Z\",\"last_program_activity_at\":\"2022-12-12T12:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:10.113Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T12:08:35.164Z\",\"last_activity_at\":\"2022-12-12T12:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3369562,\"timer_bounty_awarded_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-18T12:08:35.164Z\",\"timer_report_triage_elapsed_time\":1555183}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794509\",\"type\":\"report\",\"attributes\":{\"title\":\"CVE-2017-15277 on Profile page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-15T05:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-09T05:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-15T05:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:00.716Z\",\"last_program_activity_at\":\"2022-12-09T05:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:01.645Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T05:28:35.164Z\",\"last_activity_at\":\"2022-12-09T05:28:35.164Z\",\"cve_ids\":[\"CVE-2017-15277\"],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3196764,\"timer_bounty_awarded_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-17T05:28:35.164Z\",\"timer_report_triage_elapsed_time\":1555183},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bc
a9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770183\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:00.436Z\"}}},\"weakness\":{\"data\":{\"id\":\"1151\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Leveraging Race Conditions\",\"description\":\"The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by \\\"running the race\\\", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.\",\"external_id\":\"capec-26\",\"created_at\":\"2022-07-06T18:40:51.054Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442249\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-05T05:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794509\",\"type\":\"report\",\"attributes\":{\"title\":\"CVE-2017-15277 on Profile page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-15T05:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-09T05:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-15T05:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:00.716Z\",\"last_program_activity_at\":\"2022-12-09T05:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:01.645Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T05:28:35.164Z\",\"last_activity_at\":\"2022-12-09T05:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3196764,\"timer_bounty_awarded_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-17T05:28:35.164Z\",\"timer_report_triage_elapsed_time\":1555183}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794508\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect via ReturnUrl parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-13T22:48:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-14T09:48:35.164Z\",\"closed_at\":\"2022-11-28T22:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-13T22:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:55.098Z\",\"last_program_activity_at\":\"2022-11-28T22:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:55.518Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-28T22:48:35.164Z\",\"last_activity_at\":\"2022-11-28T22:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2552372,\"timer_bounty_awarded_miss_at\":\"2022-12-26T09:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":946106,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":35315},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770182\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:48:54.758Z\"}}},\"weakness\":{\"data\":{\"id\":\"607\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Internal State Distinction\",\"description\":\"The software does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant 
manner.\",\"external_id\":\"cwe-372\",\"created_at\":\"2022-07-06T18:07:58.337Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442248\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-23T22:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794508\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect via ReturnUrl parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-13T22:48:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-14T09:48:35.164Z\",\"closed_at\":\"2022-11-28T22:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-13T22:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:55.098Z\",\"last_program_activity_at\":\"2022-11-28T22:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:55.518Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-28T22:48:35.164Z\",\"last_activity_at\":\"2022-11-28T22:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2552372,\"timer_bounty_awarded_miss_at\":\"2022-12-26T09:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":946106,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":35315}}}}}}]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\",\"next\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\"}}" + "text": "{\"data\":[{\"id\":\"1795020\",\"type\":\"report\",\"attributes\":{\"title\":\"Demo report: XSS in JupiterOne demo H1B home page\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T17:18:15.515Z\",\"vulnerability_information\":\"In some ***fantasy world***, the home page of JupiterOne demo H1B is vulnerable to an *imaginary* Cross-Site Scripting attack.\\n\\n1. Visit home page of JupiterOne demo H1B\\n2. Open the browser's javascript console\\n3. Type `alert(/xss!/)` and press enter\\n4. 
Profit!\\n\\n## Impact\\n\\nIn our fantasy world, exploiting this vulnerability allows us to run an external script on your website that for example steals the cookies of the users that's facing the XSS and thus gaining access to the account of the victim.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T17:18:16.437Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T17:18:16.437Z\",\"last_activity_at\":\"2022-12-09T17:18:16.437Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"assignee\":{\"data\":{\"id\":\"2522558\",\"type\":\"user\",\"attributes\":{\"username\":\"ninetreats00\",\"name\":\"Sam 
Andrus\",\"disabled\":false,\"created_at\":\"2022-12-06T17:18:09.499Z\",\"profile_picture\":{\"62x62\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"82x82\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"110x110\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\",\"260x260\":\"/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png\"},\"signal\":null,\"impact\":null,\"reputation\":null,\"bio\":null,\"website\":null,\"location\":null,\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"weakness\":{\"data\":{\"id\":\"1450\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Absolute Path Traversal\",\"description\":\"An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as \\\"..\\\" to extend their range of access to inappropriate areas of the file system. 
The goal of the adversary is to access directories and files that are intended to be restricted from their access.\",\"external_id\":\"capec-597\",\"created_at\":\"2022-07-06T18:59:45.367Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794559\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup SQL file lingering on https://ops.jupiterone.com/\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:51:29.205Z\",\"vulnerability_information\":\"The JupiterOne demo Ops website - `ops.jupiterone.com` has a lingering SQL backup file that is\\npublicly accessible and downloadable. The file contains a SQL database backup that contains\\nprivileged user information and secret keys.\\n# Steps to Reproduce\\n- Head over to https://ops.jupiterone.com/tmp/backup.sql\\n- Inspect the raw SQL. E.g. search for `encryption_key` or `password`.\\n# PoC\\nhttps://ops.jupiterone.com/tmp/backup.sql:\\n{F2063870}\\n\\n# Remediation\\nEnsure the file is removed from the server or protected with a proper authentication mechanism\\nthat prevents unprivileged users from accessing this sensitive information.\\n\\n## Impact\\n\\nAny customer of JupiterOne demo that has this system will be\\nimpacted by this vulnerability. 
An attacker could easily gain access to whatever they are\\ntrying to protect by exploiting this vulnerability.\",\"triaged_at\":\"2022-12-06T06:51:29.423Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:29.929Z\",\"first_program_activity_at\":\"2022-12-06T06:51:29.423Z\",\"last_program_activity_at\":\"2022-12-06T06:51:29.423Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:29.929Z\",\"last_activity_at\":\"2022-12-09T06:51:29.929Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\
"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"assignee\":{\"data\":{\"id\":\"4954\",\"type\":\"user\",\"attributes\":{\"username\":\"demo-member\",\"name\":\"Demo Member\",\"disabled\":false,\"created_at\":\"2014-04-14T11:45:00.949Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/004/954/ed4115e56510923be8173e96406e5d3fdeb957e1_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"signal\":null,\"impact\":null,\"reputation\":null,\"bio\":\"I'm here to help test drive, and am automatically removed at 
launch.\",\"website\":null,\"location\":\"testing\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770233\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:29.279Z\",\"score\":10.0,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"none\",\"user_interaction\":\"none\",\"scope\":\"changed\"}}},\"weakness\":{\"data\":{\"id\":\"18\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Information Disclosure\",\"description\":\"An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.\",\"external_id\":\"cwe-200\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794558\",\"type\":\"report\",\"attributes\":{\"title\":\"Private Data - Mass account takeovers using HTTP Request Smuggling on qa.jupiterone.com to steal session cookies\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T06:51:27.360Z\",\"vulnerability_information\":\"Hi JupiterOne demo Security 
Team!\\nMy name is cosmo and I'm a first time bug hunter to your platform. I decided to take a little of my time and gently perform recon on your platform. Specifically the area of interest I focus in is HTTP Request Smuggling. I developed tooling to actively target some advanced HTTP Smuggling exploits and ran it on your in-scope assets. In my research I stumbled across a finding that I consider extremely critical not only for JupiterOne demo but for all customers and organizations which share their privatedata/channels/conversations on JupiterOne demo.\\n\\n### Steps to Reproduce\\n\\nThe bug chain is as follows:\\n1) HTTP Request Smuggling CTLE to Arbitrary Request Hijacking (Poisoned Socket) on JupiterOne demob.com\\n2) Request Hijack forces victim HTTP requests to instead use GET https://\\u003cURL\\u003e HTTP/1.1 on JupiterOne demob.com\\n3) A request of GET https://\\u003cURL\\u003e HTTP/1.1 on the backend server socket results in a 301 redirect to https://\\u003cURL\\u003e with JupiterOne demo cookies (most importantly the d cookie)\\n4) Me with my Burp Collaborator steals victims cookies by using a collaborator server as the defined \\u003cURL\\u003e in the attack\\n5) Me (if I were evil) collects massive amounts of d session cookies and steals any/all possible JupiterOne demo user/organization data from victim sessions\\n\\n### Remediation\\n\\nTo fix this you need to use HTTP/2 for back-end connections, as this protocol prevents ambiguity about the boundaries between requests.\\nThe front-end server processes the Content-Length header and determines that the request body is 13 bytes long, up to the end of SMUGGLED. This request is forwarded on to the back-end server.\\n\\nThe back-end server processes the Transfer-Encoding header, and so treats the message body as using chunked encoding. It processes the first chunk, which is stated to be zero length, and so is treated as terminating the request. 
The following bytes, SMUGGLED, are left unprocessed, and the back-end server will treat these as being the start of the next request in the sequence.\\n\\n## Impact\\n\\nSo it is my opinion that this is a severe critical vulnerability that could lead to a massive data breach of a majority of customer data. With this attack it would be trivial for a bad actor to create bots that consistantly issue this attack, jump onto the victim session and steal all possible data within reach.\\nI am really happy I found this for you guys so that it can be dealt with ASAP. I really hope there haven't been any attacks on customers using this vulnerability.\\nBest Wishes,\\ncosmo\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:52.732Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:52.732Z\",\"last_activity_at\":\"2022-12-09T06:51:52.732Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/
ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770232\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:27.437Z\",\"score\":8.1,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"low\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"weakness\":{\"data\":{\"id\":\"86\",\"type\":\"weakness\",\"attributes\":{\"name\":\"HTTP Request Smuggling\",\"description\":\"When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to \\\"smuggle\\\" a request to one device without the other device being aware of 
it.\",\"external_id\":\"cwe-444\",\"created_at\":\"2017-01-26T23:29:14.332Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794557\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR - Edit Anyone's Blogs / Websites\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-06T06:51:25.465Z\",\"vulnerability_information\":\"Hello there,\\nI hope all is well!\\nSteps:\\nGo to https://jupiterone.com/signup and create 2 accounts.\\nLogin as victim and go to https://www.jupiterone.com/edit-user-profile\\nClick Add Blog / Website text and fill the form \\u003e click Save Settings button\\nGo to https://www.jupiterone.com/edit-user-profile, again and search radMainSite text in page source and copy value.\\nThen login as attacker.\\nGo to https://www.jupiterone.com/edit-user-profile \\u003e click Add Blog / Website text and fill the form \\u003e click Save Settings button\\nGo to https://www.jupiterone.com/edit-user-profile, again and click Save Settings button \\u003e open burp suite and change hidBlogID parameter with victim's hidBlogID.\\nForward the request and go to victim's account. Check your website informations. 
You will see it's changed.\\n\\n## Impact\\n\\nChange victim's website/blog information - leading to personal data exposure, defacing of customer content and loss of company revenue.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:52.734Z\",\"first_program_activity_at\":null,\"last_program_activity_at\":null,\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:52.734Z\",\"last_activity_at\":\"2022-12-09T06:51:52.734Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\"
:\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770231\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:25.592Z\",\"score\":8.1,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"low\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"weakness\":{\"data\":{\"id\":\"55\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insecure Direct Object Reference (IDOR)\",\"description\":\"The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.\",\"external_id\":\"cwe-639\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794521\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS on api.playtronics.com\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:49:53.816Z\",\"vulnerability_information\":\"The `/print.json` endpoint on the Playtronics API (`api.playtronics.com`) contains a\\nreflected 
XSS vulnerability via the `title` parameter.\\n\\n### Steps to reproduce\\n1. Generate an API key for any user/permission on the Playtronics API\\n2. Send victim to an URL with the reflected XSS payload embedded:\\n`https://api.playtronics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e`\\n\\n### Proof of Concept\\nIt is possible to hide the reflected XSS payload inside another web page to make the\\nattack more stealthy. Here's a way to do it with an iframe:\\n\\n```\\n\\u003ciframe src=\\\"https://api.playtromnics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e\\\" /\\u003e\\n```\\n\\n### Remediaton\\n* Ensure the HTTP responses from the API are always `Content-Type: application/json`\\n* Properly sanitize the user input for the `title` parameter in the `print.json` endpoint\\nand escape potentially dangerous characters, such as HTML tags and JavaScript\\n\\n## Impact\\n\\nAn attacker can execute arbitrary JavaScript on api.playtronics.com, potentially\\nescalating the impact by capturing the API token of the 
victim.\",\"triaged_at\":\"2022-12-06T06:49:54.297Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-06T06:49:54.729Z\",\"first_program_activity_at\":\"2022-12-06T06:49:54.004Z\",\"last_program_activity_at\":\"2022-12-06T06:49:54.611Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:54.611Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1444\",\"last_public_activity_at\":\"2022-12-06T06:49:54.729Z\",\"last_activity_at\":\"2022-12-06T06:49:54.729Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"h
ackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770195\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:53.879Z\",\"score\":8.3,\"attack_complexity\":\"low\",\"attack_vector\":\"network\",\"availability\":\"none\",\"confidentiality\":\"high\",\"integrity\":\"high\",\"privileges_required\":\"none\",\"user_interaction\":\"none\",\"scope\":\"unchanged\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[{\"id\":\"442260\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-06T06:49:54.599Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794521\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS on api.playtronics.com\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-06T06:49:53.816Z\",\"vulnerability_information\":\"The `/print.json` endpoint on the Playtronics API (`api.playtronics.com`) contains a\\nreflected XSS vulnerability via the `title` parameter.\\n\\n### Steps to reproduce\\n1. Generate an API key for any user/permission on the Playtronics API\\n2. 
Send victim to an URL with the reflected XSS payload embedded:\\n`https://api.playtronics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e`\\n\\n### Proof of Concept\\nIt is possible to hide the reflected XSS payload inside another web page to make the\\nattack more stealthy. Here's a way to do it with an iframe:\\n\\n```\\n\\u003ciframe src=\\\"https://api.playtromnics.com/print.json?api_key=ENTER_API_KEY_HERE\\u0026title=\\u003cscript\\u003e\\n alert(/xss!/);\\n\\u003c/script\\u003e\\\" /\\u003e\\n```\\n\\n### Remediaton\\n* Ensure the HTTP responses from the API are always `Content-Type: application/json`\\n* Properly sanitize the user input for the `title` parameter in the `print.json` endpoint\\nand escape potentially dangerous characters, such as HTML tags and JavaScript\\n\\n## Impact\\n\\nAn attacker can execute arbitrary JavaScript on api.playtronics.com, potentially\\nescalating the impact by capturing the API token of the 
victim.\",\"triaged_at\":\"2022-12-06T06:49:54.297Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-06T06:49:54.729Z\",\"first_program_activity_at\":\"2022-12-06T06:49:54.004Z\",\"last_program_activity_at\":\"2022-12-06T06:49:54.611Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:54.611Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1444\",\"last_public_activity_at\":\"2022-12-06T06:49:54.729Z\",\"last_activity_at\":\"2022-12-06T06:49:54.729Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794532\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin system credentials leaked in public GitHub commit history\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-05T06:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-12-05T09:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:23.560Z\",\"first_program_activity_at\":\"2022-12-06T06:50:22.070Z\",\"last_program_activity_at\":\"2022-12-05T09:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:50:23.560Z\",\"last_activity_at\":\"2022-12-09T06:50:23.560Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLC
JleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770206\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:21.909Z\"}}},\"weakness\":{\"data\":{\"id\":\"1027\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Reflection Injection\",\"description\":\"An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. 
This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.\",\"external_id\":\"capec-138\",\"created_at\":\"2022-07-06T18:33:49.925Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794529\",\"type\":\"report\",\"attributes\":{\"title\":\"Crypto - Ethereum account balance manipulation\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-12-05T06:49:54.883Z\",\"vulnerability_information\":\"If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed\\nSteps To Reproduce:\\nSetup a smart contract with a few valid wallets and 1 final faulty wallet (always throw exception when receiving funds smart contract for example)\\nTransfer appropriate funds to smart contract.\\nExecute smart contract adding the set amount of ether to the wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.\\nRepeat until you have more than enough ethereum in your wallet.\\nCash out, transfer to off site wallet\\n\\n## Impact\\n\\nBy using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your 
account.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.440Z\",\"first_program_activity_at\":\"2022-12-06T06:50:10.664Z\",\"last_program_activity_at\":\"2022-12-05T09:49:54.883Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.440Z\",\"last_activity_at\":\"2022-12-09T06:51:43.440Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"progra
m\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770203\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:10.554Z\"}}},\"weakness\":{\"data\":{\"id\":\"1385\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Open-Source Library Manipulation\",\"description\":\"Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.\",\"external_id\":\"capec-538\",\"created_at\":\"2022-07-06T18:53:39.017Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794501\",\"type\":\"report\",\"attributes\":{\"title\":\"Mobile - Read new emails from any inbox IOS APP in notification center\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-05T06:48:28.517Z\",\"vulnerability_information\":\"IDOR vulnerability in notification center API as used by jupiterone.com Mail application for iOS allowed to request notifications for arbitrary e-mail address\\n\\n## Impact\\n\\nPersonal Data Exposure, account take over and down time for your major IOS 
app.\",\"triaged_at\":\"2022-12-05T10:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:35.306Z\",\"first_program_activity_at\":\"2022-12-06T06:48:34.640Z\",\"last_program_activity_at\":\"2022-12-05T10:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1750\",\"last_public_activity_at\":\"2022-12-09T06:48:35.306Z\",\"last_activity_at\":\"2022-12-09T06:48:35.306Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2023-01-16T10:48:28.517Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-16T06:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-07T06:48:28.517Z\",\"timer_report_triage_elapsed_time\":14400},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJ
fcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770175\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:48:34.407Z\"}}},\"weakness\":{\"data\":{\"id\":\"1053\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Spear Phishing\",\"description\":\"An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. 
As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.\",\"external_id\":\"capec-163\",\"created_at\":\"2022-07-06T18:35:18.823Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794499\",\"type\":\"report\",\"attributes\":{\"title\":\"Collaboration - Memory corruption in imap-parser.c\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-12-01T18:48:28.517Z\",\"vulnerability_information\":\"Hello JupiterOne demo devs, this is a report from Bishop and Cosmo. We are researchers at the University of Pennsylvania. We’ve been fuzzing JupiterOne demo and have triggered some memory errors---this one is the most serious, and can be used for controlled indirect out-of-bounds writes into heap memory.\\nSummary:\\nThe imapparser_read_string() function inside imap-parser.c sets the parser -\\u003e str_first_escape field equal to the index of the first ‘\\\\\\\\’ escape character found when parsing the input data. However, it does not check for a null byte (end of string) when scanning that data. 
As a result, if a ‘\\\\\\\\’ is placed _after a null byte in an input data, then the str_first_escape index may be larger than the strlen() of the actual data, which leads to out of bounds heap memory accesses (both reads and writes).\\nOn line 266 of imap-parser.c, a new string is allocated from the memory pool of the parser, and a copy of the input data is copied there using p_strndup():\\nstr = p_strndup(parser-\\u003epool, data+1, size-1);\\npstrndup() computes the _length of the original string (distance to first null byte), allocates that many bytes, and then copies that many bytes into the allocated buffer. Several lines later the program calls str_unescape() on the shorter copied string using the original offset parser -\\u003e str_first_escape:\\n(void)str_unescape(str + parser-\\u003estr_first_escape-1);\\nAs noted, we can create inputs in which str_first_escape will have a larger value than the actual length of the string, thus driving str out of bounds in the input to str_unescape(). The p_strndup() allocates its memory from the parser memory pool; with an appropriate arrangement of the pool, this could be made to allocate from a block with a higher address than the data; because the distance between the ‘\\\\\\\\’ and the null byte can be controlled by an attacker and is only constrained by the length of a line, the pointer can thus be set to a controlled value outside of the memory pool. str_unescape() performs writes, which could be used to corrupt arbitrary heap memory that is allocated after the pool, thus providing realistic footing for exploitation. 
Attached to this report are two screenshots from Address Sanitizer that show the state of the call stack and the detected out-of-bounds writes to heap objects.\\nReleases Affected:\\nThe affected code has not been touched since 2003 and the vulnerability may be older than that.\\nSteps To Reproduce:\\nCompile JupiterOne demo with ASAN to detect memory errors, or add the assertion “i_assert(strlen(str) \\u003e= parser-\\u003estr_first_escape);” after line 270 in imap-parser.c to detect violations of that logical invariant.\\nInsert a ‘\\\\\\\\0’ before the first ‘\\\\\\\\’ in a string that will be parsed by imap-parser.c --- example IMAP session provided below\\nRun session\\nExample session:\\na0000 AUTHENTICATE PLAIN xxxxxxxxxxxxx\\na0001 CAPABILITY\\na0002 LIST \\\"0\\\\\\\\A\\\" “”\\na0006 CLOSE\\na0007 LOGOUT\\nNote the 0 before “\\\\\\\\A” would be an actual null byte not \\\\\\\\x30.\\nFixing the vulnerability\\nThe offset of the first escape should not be set higher than the offset of the null byte. This could be achieved either by setting str_first_escape if it has not been set when the first ‘\\\\\\\\0’ is encountered, or by terminating the processing (and maybe dropping the ill-behaved client) on that first ‘\\\\\\\\0’ and leaving str_first_escape unset. Given that we are not experts on this code and the nuances of the IMAP syntax, we can’t say which is more appropriate.\\nSupporting Material/References:\\nThis report includes two screenshots of Address Sanitizer reported out-of-bounds writes.\\nImpact\\nThis vulnerability allows for out-of-bounds writes to objects stored on the heap. One of the attached screenshots shows an ASAN report from a null byte write from line 76 of strescape.c; this alone can feasibly lead to arbitrary code execution, for example: https://bugs.chromium.org/p/project-zero/issues/detail?id=96\\nIn this particular case, the attacker capabilities are much greater than a single null byte overflow. 
Not only can the write be controlled to skip over memory and write to an offset of the attacker’s choosing, but if heap memory contains ‘\\\\\\\\’ bytes (which can be prepared by an attacker through previous IMAP session operations), then they will cause str_unescape() to perform a repeated series of writes as dictated by the logic of the function; attached is a screenshot showing out-of-bounds writes from line 73. Furthermore, this vulnerability can be triggered repeatedly within a single IMAP session, thus allowing quite sophisticated manipulation of heap memory. Once the state of memory can be corrupted this way in a complex program, arbitrary code execution should be assumed to be possible; all that remains is fitting the pieces together.\\n\\n## Impact\\n\\nThis vulnerability allows for out-of-bounds writes to objects stored on the heap. One of the attached screenshots shows an ASAN report from a null byte write from line 76 of strescape.c; this alone can feasibly lead to arbitrary code execution, for example: https://bugs.chromium.org/p/project-zero/issues/detail?id=96\\nIn this particular case, the attacker capabilities are much greater than a single null byte overflow. Not only can the write be controlled to skip over memory and write to an offset of the attacker’s choosing, but if heap memory contains ‘\\\\\\\\’ bytes (which can be prepared by an attacker through previous IMAP session operations), then they will cause str_unescape() to perform a repeated series of writes as dictated by the logic of the function; attached is a screenshot showing out-of-bounds writes from line 73. Furthermore, this vulnerability can be triggered repeatedly within a single IMAP session, thus allowing quite sophisticated manipulation of heap memory. 
Once the state of memory can be corrupted this way in a complex program, arbitrary code execution should be assumed to be possible; all that remains is fitting the pieces together.\",\"triaged_at\":\"2022-12-02T04:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:34.451Z\",\"first_program_activity_at\":\"2022-12-06T06:48:32.375Z\",\"last_program_activity_at\":\"2022-12-02T04:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1723\",\"last_public_activity_at\":\"2022-12-09T06:48:34.451Z\",\"last_activity_at\":\"2022-12-09T06:48:34.451Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2023-01-13T04:48:28.517Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-12T18:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-05T18:48:28.517Z\",\"timer_report_triage_elapsed_time\":36000},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-
photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770173\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:48:32.143Z\"}}},\"weakness\":{\"data\":{\"id\":\"548\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Authentication Bypass by Alternate Name\",\"description\":\"The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.\",\"external_id\":\"cwe-289\",\"created_at\":\"2022-07-06T18:04:55.580Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794520\",\"type\":\"report\",\"attributes\":{\"title\":\"SSH server compatible with several vulnerable cryptographic algorithms\",\"main_state\":\"closed\",\"state\":\"duplicate\",\"created_at\":\"2022-11-29T06:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles 
and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-15T06:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-29T06:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:45.563Z\",\"last_program_activity_at\":\"2022-12-15T06:48:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-15T06:48:35.164Z\",\"last_activity_at\":\"2022-12-15T06:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"original_report_id\":\"1794502\",\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-12-01T06:48:35.164Z\",\"timer_report_triage_elapsed_time\":1036789},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f25
3f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770194\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:49:45.389Z\"}}},\"weakness\":{\"data\":{\"id\":\"314\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incorrect Register Defaults or Module Parameters\",\"description\":\"Hardware description language code incorrectly defines register defaults or hardware IP parameters to insecure values.\",\"external_id\":\"cwe-1221\",\"created_at\":\"2022-07-06T17:52:26.223Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794498\",\"type\":\"report\",\"attributes\":{\"title\":\"Weak Recovery Mechanism - Reset Any 
Password\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-11-28T06:48:28.517Z\",\"vulnerability_information\":\"Summary:\\n When I try to reset the password, the verification code of the mailbox is 6 digits, and there is no limit on the number of submissions, so I can reset the password of any user.\\nSteps To Reproduce:\\n1. Input email and send code\\n2. Input email and send code for email account you want to take over\\n3. Input known vertification code to get to the next page\\n4. Modify request on next page with email account you want to take over and brute force the unkown verification code - there is no limit to this brute force and the code is only 6 characters\\n\\n## Impact\\n\\nI can change the password on any account, leading to account takeovers, loss of private data and loss of revenue/fine for company.\",\"triaged_at\":\"2022-11-28T14:48:28.517Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:48:31.964Z\",\"first_program_activity_at\":\"2022-12-06T06:48:30.317Z\",\"last_program_activity_at\":\"2022-11-28T14:48:28.517Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1722\",\"last_public_activity_at\":\"2022-12-09T06:48:31.964Z\",\"last_activity_at\":\"2022-12-09T06:48:31.964Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T06:48:28.517Z\",\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":\"2022-11-30T06:48:28.517Z\",\"timer_report_triage_elapsed_time\":28800},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":
{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770172\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:48:30.092Z\"}}},\"weakness\":{\"data\":{\"id\":\"625\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Declaration of Catch for Generic Exception\",\"description\":\"Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.\",\"external_id\":\"cwe-396\",\"created_at\":\"2022-07-06T18:08:54.595Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can 
still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794519\",\"type\":\"report\",\"attributes\":{\"title\":\"Multiple Subdomain takeovers via unclaimed instances\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-28T00:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-27T00:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-28T00:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:43.055Z\",\"last_program_activity_at\":\"2022-12-27T00:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:43.435Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-27T00:08:35.164Z\",\"last_activity_at\":\"2022-12-27T00:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591455,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1814380,\"timer_report_triage_miss_at\":\"2022-11-30T00:08:35.164Z\",\"timer_report_triage_elapsed_time\":1814380},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\"
,\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770193\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:42.890Z\"}}},\"weakness\":{\"data\":{\"id\":\"472\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Permissive List of Allowed Inputs\",\"description\":\"The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.\",\"external_id\":\"cwe-183\",\"created_at\":\"2022-07-06T18:00:44.401Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442259\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-08T00:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794519\",\"type\":\"report\",\"attributes\":{\"title\":\"Multiple Subdomain takeovers via unclaimed 
instances\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-28T00:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-27T00:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-28T00:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:43.055Z\",\"last_program_activity_at\":\"2022-12-27T00:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:43.435Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-27T00:08:35.164Z\",\"last_activity_at\":\"2022-12-27T00:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591455,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1814380,\"timer_report_triage_miss_at\":\"2022-11-30T00:08:35.164Z\",\"timer_report_triage_elapsed_time\":1814380}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794518\",\"type\":\"report\",\"attributes\":{\"title\":\"Bypassing Homograph Attack Using\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-26T17:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-14T17:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-26T17:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:37.541Z\",\"last_program_activity_at\":\"2022-12-14T17:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:38.594Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-14T17:28:35.164Z\",\"last_activity_at\":\"2022-12-14T17:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2050093,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1099704,\"timer_report_triage_miss_at\":\"2022-11-30T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1099704},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecb
e47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770192\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:49:37.146Z\"}}},\"weakness\":{\"data\":{\"id\":\"1190\",\"type\":\"weakness\",\"attributes\":{\"name\":\"TCP FIN Scan\",\"description\":\"An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. 
This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.\",\"external_id\":\"capec-302\",\"created_at\":\"2022-07-06T18:43:00.350Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442258\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-29T17:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794518\",\"type\":\"report\",\"attributes\":{\"title\":\"Bypassing Homograph Attack Using\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-26T17:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-14T17:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-26T17:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:37.541Z\",\"last_program_activity_at\":\"2022-12-14T17:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:38.594Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-14T17:28:35.164Z\",\"last_activity_at\":\"2022-12-14T17:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2050093,\"timer_bounty_awarded_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-09T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1099704,\"timer_report_triage_miss_at\":\"2022-11-30T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1099704}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794528\",\"type\":\"report\",\"attributes\":{\"title\":\"Open Source - Buffer underflow in Ruby sprintf\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-26T13:41:20.597Z\",\"vulnerability_information\":\"Find attached the crash file, the crash output and the suggestion for a fix: https://github.com/ruby/ruby/commit/0854193a684acc2b3a13ab28091a4397000c8822\\n\\n## Impact\\n\\nAttacker can cause the web application to execute arbitrary code – effectively taking over the machine on any web application using 
Ruby.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.339Z\",\"first_program_activity_at\":\"2022-12-06T06:50:09.119Z\",\"last_program_activity_at\":\"2022-11-26T23:41:20.597Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.339Z\",\"last_activity_at\":\"2022-12-09T06:51:43.339Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZ
hcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770202\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:08.995Z\"}}},\"weakness\":{\"data\":{\"id\":\"1492\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Hiding Malicious Data or Code within Files\",\"description\":\"Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. 
It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.\",\"external_id\":\"capec-636\",\"created_at\":\"2022-07-06T19:02:12.998Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794517\",\"type\":\"report\",\"attributes\":{\"title\":\"Leakage badges on disabled user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-25T10:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-25T10:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-25T10:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:32.654Z\",\"last_program_activity_at\":\"2022-12-25T10:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:32.998Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-25T10:48:35.164Z\",\"last_activity_at\":\"2022-12-25T10:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2639454,\"timer_bounty_awarded_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1775464,\"timer_report_triage_miss_at\":\"2022-11-29T10:48:35.164Z\",\"timer_report_triage_elapsed_time\":1775464},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJib
G9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770191\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:32.536Z\"}}},\"weakness\":{\"data\":{\"id\":\"422\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insufficient Precision or Accuracy of a Real Number\",\"description\":\"The program processes a real number with an implementation in which the number’s representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.\",\"external_id\":\"cwe-1339\",\"created_at\":\"2022-07-06T17:58:07.760Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442257\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"400.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"400.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-07T10:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794517\",\"type\":\"report\",\"attributes\":{\"title\":\"Leakage badges on disabled user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-25T10:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-25T10:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-25T10:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:32.654Z\",\"last_program_activity_at\":\"2022-12-25T10:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:32.998Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-25T10:48:35.164Z\",\"last_activity_at\":\"2022-12-25T10:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2639454,\"timer_bounty_awarded_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-06T10:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1775464,\"timer_report_triage_miss_at\":\"2022-11-29T10:48:35.164Z\",\"timer_report_triage_elapsed_time\":1775464}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794516\",\"type\":\"report\",\"attributes\":{\"title\":\"Open prod Jenkins instance\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-24T04:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T04:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-24T04:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:30.297Z\",\"last_program_activity_at\":\"2022-12-13T04:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:30.668Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T04:08:35.164Z\",\"last_activity_at\":\"2022-12-13T04:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1123188,\"timer_report_triage_miss_at\":\"2022-11-28T04:08:35.164Z\",\"timer_report_triage_elapsed_time\":1123188},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d0
0722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770190\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:30.117Z\"}}},\"weakness\":{\"data\":{\"id\":\"685\",\"type\":\"weakness\",\"attributes\":{\"name\":\"External Control of Assumed-Immutable Web Parameter\",\"description\":\"The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.\",\"external_id\":\"cwe-472\",\"created_at\":\"2022-07-06T18:12:09.751Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442256\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-23T04:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794516\",\"type\":\"report\",\"attributes\":{\"title\":\"Open prod Jenkins instance\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-24T04:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a 
variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T04:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-24T04:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:30.297Z\",\"last_program_activity_at\":\"2022-12-13T04:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:30.668Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T04:08:35.164Z\",\"last_activity_at\":\"2022-12-13T04:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-05T04:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1123188,\"timer_report_triage_miss_at\":\"2022-11-28T04:08:35.164Z\",\"timer_report_triage_elapsed_time\":1123188}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794515\",\"type\":\"report\",\"attributes\":{\"title\":\"Key Reinstallation Attacks\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-22T21:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T21:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-22T21:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:26.610Z\",\"last_program_activity_at\":\"2022-12-12T21:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:26.989Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T21:28:35.164Z\",\"last_activity_at\":\"2022-12-12T21:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1209587,\"timer_report_triage_miss_at\":\"2022-11-24T21:28:35.164Z\",\"timer_report_triage_elapsed_time\":1209587},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc
85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770189\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:26.483Z\"}}},\"weakness\":{\"data\":{\"id\":\"1153\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Fuzzing for garnering other adjacent user/sensitive data\",\"description\":\"An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide.\",\"external_id\":\"capec-261\",\"created_at\":\"2022-07-06T18:40:56.542Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442255\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-03T21:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794515\",\"type\":\"report\",\"attributes\":{\"title\":\"Key Reinstallation Attacks\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-22T21:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T21:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-22T21:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:26.610Z\",\"last_program_activity_at\":\"2022-12-12T21:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:26.989Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T21:28:35.164Z\",\"last_activity_at\":\"2022-12-12T21:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-03T21:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1209587,\"timer_report_triage_miss_at\":\"2022-11-24T21:28:35.164Z\",\"timer_report_triage_elapsed_time\":1209587}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794514\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup Source Code Detected\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-21T14:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-02T14:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-21T14:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:24.169Z\",\"last_program_activity_at\":\"2022-12-02T14:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:24.526Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-02T14:48:35.164Z\",\"last_activity_at\":\"2022-12-02T14:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_report_resolved_elapsed_time\":777592,\"timer_report_triage_miss_at\":\"2022-11-23T14:48:35.164Z\",\"timer_report_triage_elapsed_time\":777592},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d007
22ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770188\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:49:24.058Z\"}}},\"weakness\":{\"data\":{\"id\":\"1510\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Use of Known Windows Credentials\",\"description\":\"An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows domain credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the domain, under the guise of an authenticated user or service. Attacks leveraging trusted Windows credentials typically result in the adversary laterally moving within the local Windows network, since users are often allowed to login to systems/applications within the domain using their Windows domain password. This domain authentication can occur directly (user typing in their password or PIN) or via Single Sign-On (SSO) or cloud-based authentication, which often don't verify the authenticity of the user's input.\",\"external_id\":\"capec-653\",\"created_at\":\"2022-07-06T19:03:05.325Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442254\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-20T14:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794514\",\"type\":\"report\",\"attributes\":{\"title\":\"Backup Source Code Detected\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-21T14:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-02T14:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-21T14:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:24.169Z\",\"last_program_activity_at\":\"2022-12-02T14:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:24.526Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-02T14:48:35.164Z\",\"last_activity_at\":\"2022-12-02T14:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1814380,\"timer_bounty_awarded_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T14:48:35.164Z\",\"timer_report_resolved_elapsed_time\":777592,\"timer_report_triage_miss_at\":\"2022-11-23T14:48:35.164Z\",\"timer_report_triage_elapsed_time\":777592}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794513\",\"type\":\"report\",\"attributes\":{\"title\":\"Leaking Referrer in Reset Password Link\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-20T08:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T08:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-20T08:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:20.564Z\",\"last_program_activity_at\":\"2022-12-13T08:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:21.073Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T08:08:35.164Z\",\"last_activity_at\":\"2022-12-13T08:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2880483,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1411700,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1411700},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2l
kIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770187\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:49:20.218Z\"}}},\"weakness\":{\"data\":{\"id\":\"533\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: 'dir/../../filename'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal \\\"../\\\" sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-27\",\"created_at\":\"2022-07-06T18:04:03.773Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442253\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-05T08:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794513\",\"type\":\"report\",\"attributes\":{\"title\":\"Leaking Referrer in Reset Password Link\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-20T08:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-13T08:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-20T08:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:20.564Z\",\"last_program_activity_at\":\"2022-12-13T08:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:21.073Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-13T08:08:35.164Z\",\"last_activity_at\":\"2022-12-13T08:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2880483,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1411700,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1411700}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794512\",\"type\":\"report\",\"attributes\":{\"title\":\"Keybase extension hostname-validation regular expression issue\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-19T01:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-10T01:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-19T01:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:14.696Z\",\"last_program_activity_at\":\"2022-12-10T01:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:16.507Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-10T01:28:35.164Z\",\"last_activity_at\":\"2022-12-10T01:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2942882,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1295986},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJib
G9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770186\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:14.571Z\"}}},\"weakness\":{\"data\":{\"id\":\"1235\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Application API Button Hijacking\",\"description\":\"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. 
Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.\",\"external_id\":\"capec-388\",\"created_at\":\"2022-07-06T18:45:23.172Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442252\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"800.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"800.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-06T01:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794512\",\"type\":\"report\",\"attributes\":{\"title\":\"Keybase extension hostname-validation regular expression issue\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-19T01:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-10T01:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-19T01:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:14.696Z\",\"last_program_activity_at\":\"2022-12-10T01:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:16.507Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-10T01:28:35.164Z\",\"last_activity_at\":\"2022-12-10T01:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2942882,\"timer_bounty_awarded_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2023-01-02T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-23T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1295986}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794527\",\"type\":\"report\",\"attributes\":{\"title\":\"RCE - Remote Code Execution on app.jupiterone.com using bulk customer update of Priority Products\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-17T20:32:46.311Z\",\"vulnerability_information\":\"Hi,\\nBackground\\napp.jupiterone.com allows the administrator to upload priority product images located at:\\nhttps://app.jupiterone.com/seller/onboarding/1\\n\\n\\nThese images are not being checked if they are real JPG/PNG/GIF. 
When uploading an ImageTragick using a specific payload then connecting app.JupiterOne demo to JupiterOne demo Messenger, and writing the right commands a reverse shell will be created to my host.\\n\\nI also verified I can access AWS metadata.\\n\\nYou should immediately make sure Postscript files cannot be uploaded here, or urgently update or remove Ghostscript from the imagemagick instance.\\nRegards,\\nFrans and Mathias\\n\\n## Impact\\n\\nAccess AWS secret keys, personal data and execute code on server.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.323Z\",\"first_program_activity_at\":\"2022-12-06T06:50:07.506Z\",\"last_program_activity_at\":\"2022-11-18T18:32:46.311Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.323Z\",\"last_activity_at\":\"2022-12-09T06:51:43.323Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hac
kerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770201\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:07.339Z\"}}},\"weakness\":{\"data\":{\"id\":\"921\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Filtering of Special Elements\",\"description\":\"The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.\",\"external_id\":\"cwe-790\",\"created_at\":\"2022-07-06T18:27:51.923Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794511\",\"type\":\"report\",\"attributes\":{\"title\":\"Access to Private Photos of Apps in App section(IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-17T18:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-17T18:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-17T18:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:12.284Z\",\"last_program_activity_at\":\"2022-12-17T18:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:12.642Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-17T18:48:35.164Z\",\"last_activity_at\":\"2022-12-17T18:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3561043,\"timer_bounty_awarded_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1833063,\"timer_report_triage_miss_at\":\"2022-11-21T18:48:35.164Z\",\"timer_report_triage_elapsed_time\":1833063},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\"
,\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770185\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:12.168Z\"}}},\"weakness\":{\"data\":{\"id\":\"907\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Missing Reference to Active File Descriptor or Handle\",\"description\":\"The software does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.\",\"external_id\":\"cwe-773\",\"created_at\":\"2022-07-06T18:27:09.309Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage 
your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442251\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-14T18:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794511\",\"type\":\"report\",\"attributes\":{\"title\":\"Access to Private Photos of Apps in App section(IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-17T18:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-17T18:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-17T18:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:12.284Z\",\"last_program_activity_at\":\"2022-12-17T18:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:12.642Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-17T18:48:35.164Z\",\"last_activity_at\":\"2022-12-17T18:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3561043,\"timer_bounty_awarded_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-29T18:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1833063,\"timer_report_triage_miss_at\":\"2022-11-21T18:48:35.164Z\",\"timer_report_triage_elapsed_time\":1833063}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794510\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin Panel Accessed (OAuth Bypassed )\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-16T12:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T12:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-16T12:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:05.685Z\",\"last_program_activity_at\":\"2022-12-12T12:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:10.113Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T12:08:35.164Z\",\"last_activity_at\":\"2022-12-12T12:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3369562,\"timer_bounty_awarded_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-18T12:08:35.164Z\",\"timer_report_triage_elapsed_time\":1555183},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc
85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770184\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:05.574Z\"}}},\"weakness\":{\"data\":{\"id\":\"667\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Multiple Interpretations of UI Input\",\"description\":\"The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.\",\"external_id\":\"cwe-450\",\"created_at\":\"2022-07-06T18:11:16.745Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442250\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-10T12:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794510\",\"type\":\"report\",\"attributes\":{\"title\":\"Admin Panel Accessed (OAuth Bypassed )\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-16T12:08:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-12T12:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-16T12:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:05.685Z\",\"last_program_activity_at\":\"2022-12-12T12:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:10.113Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-12T12:08:35.164Z\",\"last_activity_at\":\"2022-12-12T12:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3369562,\"timer_bounty_awarded_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-28T12:08:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-18T12:08:35.164Z\",\"timer_report_triage_elapsed_time\":1555183}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794509\",\"type\":\"report\",\"attributes\":{\"title\":\"CVE-2017-15277 on Profile page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-15T05:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-09T05:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-15T05:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:00.716Z\",\"last_program_activity_at\":\"2022-12-09T05:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:01.645Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T05:28:35.164Z\",\"last_activity_at\":\"2022-12-09T05:28:35.164Z\",\"cve_ids\":[\"CVE-2017-15277\"],\"source\":null,\"timer_bounty_awarded_elapsed_time\":3196764,\"timer_bounty_awarded_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-17T05:28:35.164Z\",\"timer_report_triage_elapsed_time\":1555183},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bc
a9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770183\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:49:00.436Z\"}}},\"weakness\":{\"data\":{\"id\":\"1151\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Leveraging Race Conditions\",\"description\":\"The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by \\\"running the race\\\", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.\",\"external_id\":\"capec-26\",\"created_at\":\"2022-07-06T18:40:51.054Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442249\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2023-01-05T05:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794509\",\"type\":\"report\",\"attributes\":{\"title\":\"CVE-2017-15277 on Profile page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-15T05:28:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-09T05:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-15T05:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:49:00.716Z\",\"last_program_activity_at\":\"2022-12-09T05:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:49:01.645Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T05:28:35.164Z\",\"last_activity_at\":\"2022-12-09T05:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":3196764,\"timer_bounty_awarded_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-27T05:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1555183,\"timer_report_triage_miss_at\":\"2022-11-17T05:28:35.164Z\",\"timer_report_triage_elapsed_time\":1555183}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794508\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect via ReturnUrl parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-13T22:48:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-14T09:48:35.164Z\",\"closed_at\":\"2022-11-28T22:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-13T22:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:55.098Z\",\"last_program_activity_at\":\"2022-11-28T22:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:55.518Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-28T22:48:35.164Z\",\"last_activity_at\":\"2022-11-28T22:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2552372,\"timer_bounty_awarded_miss_at\":\"2022-12-26T09:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":946106,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":35315},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770182\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:48:54.758Z\"}}},\"weakness\":{\"data\":{\"id\":\"607\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Internal State Distinction\",\"description\":\"The software does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant 
manner.\",\"external_id\":\"cwe-372\",\"created_at\":\"2022-07-06T18:07:58.337Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442248\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-23T22:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794508\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect via ReturnUrl parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-13T22:48:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-14T09:48:35.164Z\",\"closed_at\":\"2022-11-28T22:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-13T22:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:55.098Z\",\"last_program_activity_at\":\"2022-11-28T22:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:55.518Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-28T22:48:35.164Z\",\"last_activity_at\":\"2022-11-28T22:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2552372,\"timer_bounty_awarded_miss_at\":\"2022-12-26T09:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":946106,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":35315}}}}}}]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\",\"next\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\"}}" }, "cookies": [], "headers": [ { "name": "date", - "value": "Mon, 19 Dec 2022 23:02:29 GMT" + "value": "Mon, 23 Jan 2023 10:02:05 GMT" }, { "name": "content-type", @@ -62,7 +505,7 @@ }, { "name": "connection", - "value": "close" + "value": "keep-alive" }, { "name": "vary", @@ -70,11 +513,11 @@ }, { "name": "x-request-id", - "value": "691423f4-28cf-4aeb-b321-aed21366fee0" + "value": "954b0b4e-cb48-45f0-8a28-bfce6c71082d" }, { "name": "etag", - "value": "W/\"d9004f6f4a856101801d5fb09c9f979d\"" + "value": "W/\"79366a034bf4b86620a09a6cca4985e8\"" }, { "name": "cache-control", 
@@ -114,7 +557,7 @@ }, { "name": "content-security-policy", - "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" }, { "name": "cf-cache-status", 
@@ -126,17 +569,17 @@ }, { "name": "cf-ray", - "value": "77c3c40d7ce127e4-SLC" + "value": "78dfb1061c7b0448-HKG" } ], - "headersSize": 1514, + "headersSize": 1563, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2022-12-19T23:02:25.838Z", - "time": 3455, + "startedDateTime": "2023-01-23T10:02:01.893Z", + "time": 3851, "timings": { "blocked": -1, "connect": -1, @@ -144,7 +587,7 @@ "receive": 0, "send": 0, "ssl": -1, - "wait": 3455 + "wait": 3851 } }, { 
@@ -190,13 +633,13 @@ "content": { "mimeType": "application/json; charset=utf-8", "size": 118866, - "text": "{\"data\":[{\"id\":\"1794507\",\"type\":\"report\",\"attributes\":{\"title\":\"Changing details of other users profile using UUID (IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-12T16:08:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-12T19:08:35.164Z\",\"closed_at\":\"2022-12-06T16:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-12T16:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:51.362Z\",\"last_program_activity_at\":\"2022-12-06T16:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:51.795Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-06T16:08:35.164Z\",\"last_activity_at\":\"2022-12-06T16:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1440500,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://
profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770181\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:48:51.190Z\"}}},\"weakness\":{\"data\":{\"id\":\"1572\",\"type\":\"weakness\",\"attributes\":{\"name\":\"DEPRECATED: XML Parser Attack\",\"description\":\"This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. 
Please refer to these CAPECs going forward.\",\"external_id\":\"capec-99\",\"created_at\":\"2022-07-06T19:06:25.933Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442247\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"2000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"2000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-24T16:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794507\",\"type\":\"report\",\"attributes\":{\"title\":\"Changing details of other users profile using UUID (IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-12T16:08:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-12T19:08:35.164Z\",\"closed_at\":\"2022-12-06T16:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-12T16:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:51.362Z\",\"last_program_activity_at\":\"2022-12-06T16:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:51.795Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-06T16:08:35.164Z\",\"last_activity_at\":\"2022-12-06T16:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1440500,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":0}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794506\",\"type\":\"report\",\"attributes\":{\"title\":\"Time Based SQL Injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-11T09:28:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T09:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-11T09:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:48.208Z\",\"last_program_activity_at\":\"2022-11-29T09:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:49.264Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T09:28:35.164Z\",\"last_activity_at\":\"2022-11-29T09:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1727981,\"timer_bounty_awarded_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1036789,\"timer_report_triage_miss_at\":\"2022-11-15T09:28:35.164Z\",\"timer_report_triage_elapsed_time\":1036789},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\
":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770180\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:48:48.083Z\"}}},\"weakness\":{\"data\":{\"id\":\"1577\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Use of Default Password\",\"description\":\"The product uses default passwords for potentially critical functionality.\",\"external_id\":\"cwe-1393\",\"created_at\":\"2022-12-06T06:00:45.688Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442246\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-09T09:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794506\",\"type\":\"report\",\"attributes\":{\"title\":\"Time Based SQL Injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-11T09:28:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T09:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-11T09:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:48.208Z\",\"last_program_activity_at\":\"2022-11-29T09:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:49.264Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T09:28:35.164Z\",\"last_activity_at\":\"2022-11-29T09:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1727981,\"timer_bounty_awarded_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1036789,\"timer_report_triage_miss_at\":\"2022-11-15T09:28:35.164Z\",\"timer_report_triage_elapsed_time\":1036789}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794505\",\"type\":\"report\",\"attributes\":{\"title\":\"Claiming ownership of GitHub handles via forked GitHub gists.\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-10T02:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-01T02:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-10T02:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:45.114Z\",\"last_program_activity_at\":\"2022-12-01T02:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:45.502Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-01T02:48:35.164Z\",\"last_activity_at\":\"2022-12-01T02:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1987178,\"timer_bounty_awarded_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-14T02:48:35.164Z\",\"timer_report_triage_elapsed_time\":1295986},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2l
kIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770179\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:48:45.002Z\"}}},\"weakness\":{\"data\":{\"id\":\"1491\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Alternative Execution Due to Deceptive Filenames\",\"description\":\"The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.\",\"external_id\":\"capec-635\",\"created_at\":\"2022-07-06T19:02:10.604Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442245\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"100.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"100.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-13T02:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794505\",\"type\":\"report\",\"attributes\":{\"title\":\"Claiming ownership of GitHub handles via forked GitHub gists.\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-10T02:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-01T02:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-10T02:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:45.114Z\",\"last_program_activity_at\":\"2022-12-01T02:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:45.502Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-01T02:48:35.164Z\",\"last_activity_at\":\"2022-12-01T02:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1987178,\"timer_bounty_awarded_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-14T02:48:35.164Z\",\"timer_report_triage_elapsed_time\":1295986}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794526\",\"type\":\"report\",\"attributes\":{\"title\":\"Kubernetes - Blind SSRF on JupiterOne demo.canary.k8s.io\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-09T03:24:12.026Z\",\"vulnerability_information\":\"A blind server-side request forgery (SSRF) was found at the endpoint http://JupiterOne demo.canary.k8s.io/api/snapshots via a JSON parameter. An attacker can force the host to make a request to arbitrary URLs.\\n\\n## Impact\\n\\nAn attacker can force the host to make a request to arbitrary URLs. 
Allowing us to assume host permissions and access internal infrastructure - including private data.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.296Z\",\"first_program_activity_at\":\"2022-12-06T06:50:04.277Z\",\"last_program_activity_at\":\"2022-11-09T15:24:12.026Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.296Z\",\"last_activity_at\":\"2022-12-09T06:51:43.296Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"
\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770200\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:04.155Z\"}}},\"weakness\":{\"data\":{\"id\":\"1062\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Web Application Fingerprinting\",\"description\":\"An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. 
While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.\",\"external_id\":\"capec-170\",\"created_at\":\"2022-07-06T18:35:44.773Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794504\",\"type\":\"report\",\"attributes\":{\"title\":\"Corrupt RPC responses from remote daemon nodes can lead to transaction tracing\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-08T20:08:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-09T05:08:35.164Z\",\"closed_at\":\"2022-11-18T20:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-08T20:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:42.348Z\",\"last_program_activity_at\":\"2022-11-18T20:08:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-18T20:08:35.164Z\",\"last_activity_at\":\"2022-11-18T20:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-21T05:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-20T20:08:35.164Z\",\"timer_report_resolved_elapsed_time\":691193,\"timer_report_triage_miss_at\":\"2022-11-10T20:08:35.164Z\",\"timer_report_triage_elapsed_time\":32400},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6
IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770178\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:48:42.210Z\"}}},\"weakness\":{\"data\":{\"id\":\"487\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Observable Internal Behavioral Discrepancy\",\"description\":\"The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.\",\"external_id\":\"cwe-206\",\"created_at\":\"2022-07-06T18:01:36.783Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794503\",\"type\":\"report\",\"attributes\":{\"title\":\"Unauthenticated LFI revealing log 
information\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-07T13:28:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-07T15:28:35.164Z\",\"closed_at\":\"2022-12-07T13:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-07T13:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:40.023Z\",\"last_program_activity_at\":\"2022-12-07T13:28:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-07T13:28:35.164Z\",\"last_activity_at\":\"2022-12-07T13:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-19T15:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-19T13:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1900779,\"timer_report_triage_miss_at\":\"2022-11-09T13:28:35.164Z\",\"timer_report_triage_elapsed_time\":7200},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants
/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770177\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:48:39.198Z\"}}},\"weakness\":{\"data\":{\"id\":\"1315\",\"type\":\"weakness\",\"attributes\":{\"name\":\"HTTP Parameter Pollution (HPP)\",\"description\":\"An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. 
Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.\",\"external_id\":\"capec-460\",\"created_at\":\"2022-07-06T18:50:00.662Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794556\",\"type\":\"report\",\"attributes\":{\"title\":\"Roof accessible by unauthorized personnel\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-11-06T06:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-11-09T06:51:18.490Z\",\"last_reporter_activity_at\":\"2022-11-06T06:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:23.812Z\",\"last_program_activity_at\":\"2022-11-09T06:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-09T06:51:18.490Z\",\"last_activity_at\":\"2022-11-09T06:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700
\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770230\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:23.665Z\"}}},\"weakness\":{\"data\":{\"id\":\"1505\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Adding a Space to a File Extension\",\"description\":\"An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.\",\"external_id\":\"capec-649\",\"created_at\":\"2022-07-06T19:02:52.439Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794553\",\"type\":\"report\",\"attributes\":{\"title\":\"Apache web server version disclosure\",\"main_state\":\"closed\",\"state\":\"not-applicable\",\"created_at\":\"2022-11-06T06:51:14.565Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-07T06:51:14.565Z\",\"last_reporter_activity_at\":\"2022-11-06T06:51:14.565Z\",\"first_program_activity_at\":\"2022-12-06T06:51:18.058Z\",\"last_program_activity_at\":\"2022-11-07T06:51:14.565Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-07T06:51:14.565Z\",\"last_activity_at\":\"2022-11-07T06:51:14.565Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770227\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:51:17.947Z\"}}},\"weakness\":{\"data\":{\"id\":\"89\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Information Exposure Through Directory Listing\",\"description\":\"A directory listing is inappropriately exposed, yielding potentially sensitive information to 
attackers.\",\"external_id\":\"cwe-548\",\"created_at\":\"2017-01-26T23:29:15.748Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794551\",\"type\":\"report\",\"attributes\":{\"title\":\"Subdomain takeover due to unclaimed S3 bucket\",\"main_state\":\"closed\",\"state\":\"duplicate\",\"created_at\":\"2022-11-06T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-08T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-11-06T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:10.676Z\",\"last_program_activity_at\":\"2022-11-08T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-08T06:50:22.684Z\",\"last_activity_at\":\"2022-11-08T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"original_report_id\":\"1794533\",\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":3},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6
IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770225\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:10.515Z\"}}},\"weakness\":{\"data\":{\"id\":\"1032\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Detect Unpublicized Web Pages\",\"description\":\"An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.\",\"external_id\":\"capec-143\",\"created_at\":\"2022-07-06T18:34:04.072Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794502\",\"type\":\"report\",\"attributes\":{\"title\":\"Subdomain takeover\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-06T06:48:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T06:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-06T06:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:36.693Z\",\"last_program_activity_at\":\"2022-11-29T06:48:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T06:48:35.164Z\",\"last_activity_at\":\"2022-11-29T06:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-19T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-19T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1406900,\"timer_report_triage_miss_at\":\"2022-11-09T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1406900},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b5
53ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770176\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:48:36.520Z\"}}},\"weakness\":{\"data\":{\"id\":\"129\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Blacklist\",\"description\":\"An application uses a \\\"blacklist\\\" of prohibited values, but the blacklist is incomplete.\",\"external_id\":\"cwe-184\",\"created_at\":\"2018-05-14T20:48:53.932Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play 
Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794531\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS in article description through /articles/new\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-11-04T18:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-05T10:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:23.555Z\",\"first_program_activity_at\":\"2022-12-06T06:50:17.690Z\",\"last_program_activity_at\":\"2022-11-05T10:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1423\",\"last_public_activity_at\":\"2022-12-09T06:50:23.555Z\",\"last_activity_at\":\"2022-12-09T06:50:23.555Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced9883
5000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770205\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:16.967Z\"}}},\"weakness\":{\"data\":{\"id\":\"75\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Privilege Escalation\",\"description\":\"An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.\",\"external_id\":\"capec-233\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794525\",\"type\":\"report\",\"attributes\":{\"title\":\"Mobile - iPhone app XSS in JupiterOne 
demo Mail\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-31T10:15:37.740Z\",\"vulnerability_information\":\"During a recent security review we did for a big tech giant, we discovered a Cross-Site Scripting (XSS) issue related to how in-app iOS browsers handle the rendering of attachments. We did a quick check to see if a related vulnerability would be present at JupiterOne demo.\\nWe discovered the JupiterOne demo Mail feature is particularly vulnerable to this. The XSS can be used to get access to other messages in a user’s inbox and can be wormified for greater impact.\\nTo reproduce this vulnerability, you need to send the attached file - fb-mail-poc.html (F328174) - to someone’s JupiterOne demo email address. This file contains the proof of concept exploit code. When the user opens the attachment via the JupiterOne demo iPhone app (might work on other mobile devices as well), the attached HTML file containing the exploit gets executed in the same origin as https://iphone.jupiterone.com. In this particular proof of concept, the victim will see their private messages displayed. It would be trivial to expand the PoC to send this data to an external server, or access other private information such as the victim’s photos.\\nTo clarify further, when opening the attachment on an iPhone via the JupiterOne demo app, the current session is used to authenticate and render the attachment in the mobile in-app browser. Because of the shared session, the browser can send AJAX calls to https://iphone.jupiterone.com and retrieve content. 
This also bypasses the frame busting mechanism and JSON obfuscation system, as it is unnecessary to do a cross-domain attack and the retrieved for (;;); can be removed on-the-fly given that the XSS operates in the same origin.\\nBecause we're in the Bay Area now and scheduled to fly back to the Netherlands on Monday, we asked if they could potentially expedite things a bit and see if we could do a meeting at FB and discuss our findings.\\\"\\n\\n## Impact\\n\\nIt would be trivial to expand the PoC to send this data to an external server, or access other private information such as the victim’s photos.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.308Z\",\"first_program_activity_at\":\"2022-12-06T06:50:02.748Z\",\"last_program_activity_at\":\"2022-11-01T00:15:37.740Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.308Z\",\"last_activity_at\":\"2022-12-09T06:51:43.308Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a4
82476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770199\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:02.620Z\"}}},\"weakness\":{\"data\":{\"id\":\"582\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: '....//'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-34\",\"created_at\":\"2022-07-06T18:06:38.373Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794550\",\"type\":\"report\",\"attributes\":{\"title\":\"Access partial location information of other users through 
IDOR\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-28T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-02T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-28T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:08.011Z\",\"last_program_activity_at\":\"2022-11-02T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:08.430Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-02T18:50:22.684Z\",\"last_activity_at\":\"2022-11-02T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2
bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770224\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:51:07.895Z\"}}},\"weakness\":{\"data\":{\"id\":\"140\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')\",\"description\":\"The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.\",\"external_id\":\"cwe-362\",\"created_at\":\"2018-05-15T14:03:21.939Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App 
Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442275\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-11-06T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794550\",\"type\":\"report\",\"attributes\":{\"title\":\"Access partial location information of other users through IDOR\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-28T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-02T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-28T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:08.011Z\",\"last_program_activity_at\":\"2022-11-02T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:08.430Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-02T18:50:22.684Z\",\"last_activity_at\":\"2022-11-02T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794524\",\"type\":\"report\",\"attributes\":{\"title\":\"API - Using the api, one can obtain the authentication token for any user on jupiterone.com\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-22T17:07:03.454Z\",\"vulnerability_information\":\"Using this request i can get the API token for any user on jupiterone.com.\\n$ curl -s --request GET https://jupiterone.com/api/userid | jq '.authentication_token'\\n\\\"[redacted]\\\"\\n\\n## Impact\\n\\nAccess personal information and access any 
account.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.345Z\",\"first_program_activity_at\":\"2022-12-06T06:50:01.066Z\",\"last_program_activity_at\":\"2022-10-23T00:07:03.454Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.345Z\",\"last_activity_at\":\"2022-12-09T06:51:43.345Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"progra
m\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770198\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:00.873Z\"}}},\"weakness\":{\"data\":{\"id\":\"185\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Enforcement of Behavioral Workflow\",\"description\":\"The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.\",\"external_id\":\"cwe-841\",\"created_at\":\"2022-07-05T22:18:12.437Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794549\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect can offload OAuth tokens to 3rd party domain\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-20T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-22T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-20T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:05.613Z\",\"last_program_activity_at\":\"2022-10-22T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:06.039Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-22T06:50:22.684Z\",\"last_activity_at\":\"2022-10-22T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/vari
ants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770223\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:51:05.499Z\"}}},\"weakness\":{\"data\":{\"id\":\"1050\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Exploit Script-Based APIs\",\"description\":\"Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support \\u003cscript\\u003e tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. 
Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.\",\"external_id\":\"capec-160\",\"created_at\":\"2022-07-06T18:35:09.892Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442274\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-23T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794549\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect can offload OAuth tokens to 3rd party domain\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-20T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-22T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-20T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:05.613Z\",\"last_program_activity_at\":\"2022-10-22T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:06.039Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-22T06:50:22.684Z\",\"last_activity_at\":\"2022-10-22T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794523\",\"type\":\"report\",\"attributes\":{\"title\":\"Authentication - User can bypass 2-factor authentication\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-13T23:58:29.169Z\",\"vulnerability_information\":\"Steps to reproduce:\\n\\n Login to your account and remove your 2FA on your account (if you already setup it)\\n Now go to https://jupiterone.com/parrot_sec and hit Submit Report button, observed that you cannot submit report unless you will enable your 2FA.\\n BYPASS: Get the Embedded Submission URL on their policy page: i get this -\\u003e\\u003e https://jupiterone.com/0a1e1f11-257e-4b46-b949-c7151212ffbb/embedded_submissions/new\\n Now submit report using that embedded submission form and you can submit reports without setting-up your 2FA, despite the program enforce the user to setup the 2FA before submitting new reports.\\n 2FA requirements successfully bypassed!'\\n\\n## Impact\\n\\nAllow any user to bypass multiple program restrictions, such as the 2FA requirement, report rate limit, 
and internal abuse limits.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.300Z\",\"first_program_activity_at\":\"2022-12-06T06:49:59.357Z\",\"last_program_activity_at\":\"2022-10-14T20:58:29.169Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.300Z\",\"last_activity_at\":\"2022-12-09T06:51:43.300Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\"
,\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770197\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:59.243Z\"}}},\"weakness\":{\"data\":{\"id\":\"1082\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Black Box Reverse Engineering\",\"description\":\"An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.\",\"external_id\":\"capec-189\",\"created_at\":\"2022-07-06T18:36:57.413Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794548\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR vulnerability exposes all users' email 
addresses\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-11T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-14T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-11T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:03.195Z\",\"last_program_activity_at\":\"2022-10-14T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:03.585Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-14T18:50:22.684Z\",\"last_activity_at\":\"2022-10-14T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91
258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770222\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:51:03.081Z\"}}},\"weakness\":{\"data\":{\"id\":\"743\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Inclusion of Sensitive Information in an Include File\",\"description\":\"If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.\",\"external_id\":\"cwe-541\",\"created_at\":\"2022-07-06T18:15:20.987Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442273\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"400.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"400.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-17T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794548\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR vulnerability exposes all users' email addresses\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-11T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-14T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-11T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:03.195Z\",\"last_program_activity_at\":\"2022-10-14T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:03.585Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-14T18:50:22.684Z\",\"last_activity_at\":\"2022-10-14T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794530\",\"type\":\"report\",\"attributes\":{\"title\":\"Amazon AWS instance metadata exposed via SSRF in /webhooks/new\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-10-05T06:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-10-05T13:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:12.900Z\",\"first_program_activity_at\":\"2022-12-06T06:50:12.392Z\",\"last_program_activity_at\":\"2022-10-05T13:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1422\",\"last_public_activity_at\":\"2022-12-09T06:50:12.900Z\",\"last_activity_at\":\"2022-12-09T06:50:12.900Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":fal
se}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770204\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:12.063Z\"}}},\"weakness\":{\"data\":{\"id\":\"1227\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Using Unpublished Interfaces\",\"description\":\"An adversary searches for and invokes interfaces that the target system designers did not intend to be publicly available. If these interfaces fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for.\",\"external_id\":\"capec-36\",\"created_at\":\"2022-07-06T18:45:01.588Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794522\",\"type\":\"report\",\"attributes\":{\"title\":\"Cloud - Subdomain Takeover on dev.jupiterone.com due to unclaimed domain pointing to AWS\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-05T06:49:54.883Z\",\"vulnerability_information\":\"This is an urgent issue and I hope you will act on it likewise.\\nYour subdomain dev.jupiterone.com is pointing to AWS S3, but no bucket was connected to it. Actually, the reason to it is due to the CNAME of the DNS-entry:\\nCustomizing Amazon S3 URLs with CNAMEs\\nDepending on your needs, you might not want \\\"s3.amazonaws.com\\\" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/.\\nThe bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.\\nSo what happens here is actually that, since media.vine.co is pointing to S3, S3 is actually checking if there's a bucket with that name. Which in this case was not true. So I was able to claim the bucket dev.JupiterOne demo and thus, can place content on this URL.\\nYou should immediately remove the DNS-entry for dev.JupiterOne demo pointing to AWS S3.\\n\\n## Impact\\n\\nSince I have complete control over the subdomain I can do whatever I want on it. 
The restriction I have now is that I'm not able to serve anything on the root-URL – however – if I would have created the bucket in the correct region (West-1) in AWS, this would've worked.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.295Z\",\"first_program_activity_at\":\"2022-12-06T06:49:57.764Z\",\"last_program_activity_at\":\"2022-10-05T18:49:54.883Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.295Z\",\"last_activity_at\":\"2022-12-09T06:51:43.295Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lk
In19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770196\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:57.398Z\"}}},\"weakness\":{\"data\":{\"id\":\"679\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Return of Pointer Value Outside of Expected Range\",\"description\":\"A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.\",\"external_id\":\"cwe-466\",\"created_at\":\"2022-07-06T18:11:52.499Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794547\",\"type\":\"report\",\"attributes\":{\"title\":\"Time-based blind SQL injection in user_id parameter on /groups page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-03T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-06T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-03T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:01.187Z\",\"last_program_activity_at\":\"2022-10-06T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:01.536Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-06T06:50:22.684Z\",\"last_activity_at\":\"2022-10-06T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\
",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770221\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:01.073Z\"}}},\"weakness\":{\"data\":{\"id\":\"764\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Assignment to Variable without Use\",\"description\":\"The variable's value is assigned but never used, making it a dead store.\",\"external_id\":\"cwe-563\",\"created_at\":\"2022-07-06T18:16:26.136Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442272\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-11T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794547\",\"type\":\"report\",\"attributes\":{\"title\":\"Time-based blind SQL injection in user_id parameter on /groups 
page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-03T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-06T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-03T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:01.187Z\",\"last_program_activity_at\":\"2022-10-06T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:01.536Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-06T06:50:22.684Z\",\"last_activity_at\":\"2022-10-06T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794546\",\"type\":\"report\",\"attributes\":{\"title\":\"Ruby on Rails Gemfile contains uncontrolled Github gem repository\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-24T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-30T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-24T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:58.632Z\",\"last_program_activity_at\":\"2022-09-30T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:59.095Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-30T18:50:22.684Z\",\"last_activity_at\":\"2022-09-30T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/0
00/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770220\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:58.474Z\"}}},\"weakness\":{\"data\":{\"id\":\"1481\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Compromising Emanations Attack\",\"description\":\"Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. 
Capturing these emissions can help an adversary understand what the device is doing.\",\"external_id\":\"capec-623\",\"created_at\":\"2022-07-06T19:01:40.982Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442271\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-05T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794546\",\"type\":\"report\",\"attributes\":{\"title\":\"Ruby on Rails Gemfile contains uncontrolled Github gem repository\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-24T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-30T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-24T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:58.632Z\",\"last_program_activity_at\":\"2022-09-30T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:59.095Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-30T18:50:22.684Z\",\"last_activity_at\":\"2022-09-30T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794545\",\"type\":\"report\",\"attributes\":{\"title\":\"CSRF vulnerability enables attacker to link Xero instance to current user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-16T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-19T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-16T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:54.329Z\",\"last_program_activity_at\":\"2022-09-19T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:55.069Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-19T06:50:22.684Z\",\"last_activity_at\":\"2022-09-19T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"loc
ation\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770219\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:53.914Z\"}}},\"weakness\":{\"data\":{\"id\":\"647\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Protection of Alternate Path\",\"description\":\"The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.\",\"external_id\":\"cwe-424\",\"created_at\":\"2022-07-06T18:10:10.440Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442270\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-26T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794545\",\"type\":\"report\",\"attributes\":{\"title\":\"CSRF vulnerability enables attacker to link Xero instance to current user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-16T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-19T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-16T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:54.329Z\",\"last_program_activity_at\":\"2022-09-19T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:55.069Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-19T06:50:22.684Z\",\"last_activity_at\":\"2022-09-19T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794544\",\"type\":\"report\",\"attributes\":{\"title\":\"Deleted users can access confidential information through Algolia indexes\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-07T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-11T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-07T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:50.172Z\",\"last_program_activity_at\":\"2022-09-11T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:50.544Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-11T18:50:22.684Z\",\"last_activity_at\":\"2022-09-11T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9
MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770218\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:50.062Z\"}}},\"weakness\":{\"data\":{\"id\":\"1098\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Create Malicious Client\",\"description\":\"An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.\",\"external_id\":\"capec-202\",\"created_at\":\"2022-07-06T18:37:45.211Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442269\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-13T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794544\",\"type\":\"report\",\"attributes\":{\"title\":\"Deleted users can access confidential information through Algolia indexes\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-07T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-11T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-07T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:50.172Z\",\"last_program_activity_at\":\"2022-09-11T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:50.544Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-11T18:50:22.684Z\",\"last_activity_at\":\"2022-09-11T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794543\",\"type\":\"report\",\"attributes\":{\"title\":\"Bearer token used in web app do not expire after password change\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-30T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-01T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-30T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:47.935Z\",\"last_program_activity_at\":\"2022-09-01T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:48.324Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-01T06:50:22.684Z\",\"last_activity_at\":\"2022-09-01T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBa
DdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770217\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:47.777Z\"}}},\"weakness\":{\"data\":{\"id\":\"131\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Neutralization of Escape, Meta, or Control Sequences\",\"description\":\"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.\",\"external_id\":\"cwe-150\",\"created_at\":\"2018-05-14T20:48:55.546Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App 
Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442268\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"800.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"800.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-08T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794543\",\"type\":\"report\",\"attributes\":{\"title\":\"Bearer token used in web app do not expire after password change\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-30T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-01T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-30T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:47.935Z\",\"last_program_activity_at\":\"2022-09-01T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:48.324Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-01T06:50:22.684Z\",\"last_activity_at\":\"2022-09-01T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794555\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoices publicly accessible when invoice secret nonce is known\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-08-21T18:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-08-25T18:51:18.490Z\",\"last_reporter_activity_at\":\"2022-08-21T18:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:21.812Z\",\"last_program_activity_at\":\"2022-08-25T18:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-25T18:51:18.490Z\",\"last_activity_at\":\"2022-08-25T18:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJl
eHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770229\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:21.700Z\"}}},\"weakness\":{\"data\":{\"id\":\"1335\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Malicious Root Certificate\",\"description\":\"An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. 
Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.\",\"external_id\":\"capec-479\",\"created_at\":\"2022-07-06T18:51:02.357Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\",\"first\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"prev\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"next\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=3\"}}" + "text": "{\"data\":[{\"id\":\"1794507\",\"type\":\"report\",\"attributes\":{\"title\":\"Changing details of other users profile using UUID (IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-12T16:08:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-12T19:08:35.164Z\",\"closed_at\":\"2022-12-06T16:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-12T16:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:51.362Z\",\"last_program_activity_at\":\"2022-12-06T16:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:51.795Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-06T16:08:35.164Z\",\"last_activity_at\":\"2022-12-06T16:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1440500,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c
63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770181\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:48:51.190Z\"}}},\"weakness\":{\"data\":{\"id\":\"1572\",\"type\":\"weakness\",\"attributes\":{\"name\":\"DEPRECATED: XML Parser Attack\",\"description\":\"This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. Please refer to these CAPECs going forward.\",\"external_id\":\"capec-99\",\"created_at\":\"2022-07-06T19:06:25.933Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442247\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"2000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"2000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-24T16:08:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794507\",\"type\":\"report\",\"attributes\":{\"title\":\"Changing details of other users profile using UUID (IDOR)\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-12T16:08:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-11-12T19:08:35.164Z\",\"closed_at\":\"2022-12-06T16:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-12T16:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:51.362Z\",\"last_program_activity_at\":\"2022-12-06T16:08:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:51.795Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-06T16:08:35.164Z\",\"last_activity_at\":\"2022-12-06T16:08:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":2591971,\"timer_bounty_awarded_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-26T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1440500,\"timer_report_triage_miss_at\":\"2022-11-16T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":0}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794506\",\"type\":\"report\",\"attributes\":{\"title\":\"Time Based SQL Injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-11T09:28:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T09:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-11T09:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:48.208Z\",\"last_program_activity_at\":\"2022-11-29T09:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:49.264Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T09:28:35.164Z\",\"last_activity_at\":\"2022-11-29T09:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1727981,\"timer_bounty_awarded_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1036789,\"timer_report_triage_miss_at\":\"2022-11-15T09:28:35.164Z\",\"timer_report_triage_elapsed_time\":1036789},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\
":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770180\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:48:48.083Z\"}}},\"weakness\":{\"data\":{\"id\":\"1577\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Use of Default Password\",\"description\":\"The product uses default passwords for potentially critical functionality.\",\"external_id\":\"cwe-1393\",\"created_at\":\"2022-12-06T06:00:45.688Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442246\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-09T09:28:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794506\",\"type\":\"report\",\"attributes\":{\"title\":\"Time Based SQL Injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-11T09:28:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T09:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-11T09:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:48.208Z\",\"last_program_activity_at\":\"2022-11-29T09:28:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:49.264Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T09:28:35.164Z\",\"last_activity_at\":\"2022-11-29T09:28:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1727981,\"timer_bounty_awarded_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-23T09:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1036789,\"timer_report_triage_miss_at\":\"2022-11-15T09:28:35.164Z\",\"timer_report_triage_elapsed_time\":1036789}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794505\",\"type\":\"report\",\"attributes\":{\"title\":\"Claiming ownership of GitHub handles via forked GitHub gists.\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-10T02:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-01T02:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-10T02:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:45.114Z\",\"last_program_activity_at\":\"2022-12-01T02:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:45.502Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-01T02:48:35.164Z\",\"last_activity_at\":\"2022-12-01T02:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":1987178,\"timer_bounty_awarded_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-14T02:48:35.164Z\",\"timer_report_triage_elapsed_time\":1295986},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2l
kIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770179\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:48:45.002Z\"}}},\"weakness\":{\"data\":{\"id\":\"1491\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Alternative Execution Due to Deceptive Filenames\",\"description\":\"The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.\",\"external_id\":\"capec-635\",\"created_at\":\"2022-07-06T19:02:10.604Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442245\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"100.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"100.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-12-13T02:48:35.164Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794505\",\"type\":\"report\",\"attributes\":{\"title\":\"Claiming ownership of GitHub handles via forked GitHub gists.\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-10T02:48:35.164Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-12-01T02:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-10T02:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:45.114Z\",\"last_program_activity_at\":\"2022-12-01T02:48:35.164Z\",\"bounty_awarded_at\":\"2022-12-06T06:48:45.502Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-01T02:48:35.164Z\",\"last_activity_at\":\"2022-12-01T02:48:35.164Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":1987178,\"timer_bounty_awarded_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-22T02:48:35.164Z\",\"timer_report_resolved_elapsed_time\":1295986,\"timer_report_triage_miss_at\":\"2022-11-14T02:48:35.164Z\",\"timer_report_triage_elapsed_time\":1295986}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794526\",\"type\":\"report\",\"attributes\":{\"title\":\"Kubernetes - Blind SSRF on JupiterOne demo.canary.k8s.io\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-11-09T03:24:12.026Z\",\"vulnerability_information\":\"A blind server-side request forgery (SSRF) was found at the endpoint http://JupiterOne demo.canary.k8s.io/api/snapshots via a JSON parameter. An attacker can force the host to make a request to arbitrary URLs.\\n\\n## Impact\\n\\nAn attacker can force the host to make a request to arbitrary URLs. 
Allowing us to assume host permissions and access internal infrastructure - including private data.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.296Z\",\"first_program_activity_at\":\"2022-12-06T06:50:04.277Z\",\"last_program_activity_at\":\"2022-11-09T15:24:12.026Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.296Z\",\"last_activity_at\":\"2022-12-09T06:51:43.296Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"
\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770200\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:04.155Z\"}}},\"weakness\":{\"data\":{\"id\":\"1062\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Web Application Fingerprinting\",\"description\":\"An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. 
While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.\",\"external_id\":\"capec-170\",\"created_at\":\"2022-07-06T18:35:44.773Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794504\",\"type\":\"report\",\"attributes\":{\"title\":\"Corrupt RPC responses from remote daemon nodes can lead to transaction tracing\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-08T20:08:35.164Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-09T05:08:35.164Z\",\"closed_at\":\"2022-11-18T20:08:35.164Z\",\"last_reporter_activity_at\":\"2022-11-08T20:08:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:42.348Z\",\"last_program_activity_at\":\"2022-11-18T20:08:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-18T20:08:35.164Z\",\"last_activity_at\":\"2022-11-18T20:08:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-21T05:08:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-20T20:08:35.164Z\",\"timer_report_resolved_elapsed_time\":691193,\"timer_report_triage_miss_at\":\"2022-11-10T20:08:35.164Z\",\"timer_report_triage_elapsed_time\":32400},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6
IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770178\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:48:42.210Z\"}}},\"weakness\":{\"data\":{\"id\":\"487\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Observable Internal Behavioral Discrepancy\",\"description\":\"The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.\",\"external_id\":\"cwe-206\",\"created_at\":\"2022-07-06T18:01:36.783Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794503\",\"type\":\"report\",\"attributes\":{\"title\":\"Unauthenticated LFI revealing log 
information\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-07T13:28:35.164Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-07T15:28:35.164Z\",\"closed_at\":\"2022-12-07T13:28:35.164Z\",\"last_reporter_activity_at\":\"2022-11-07T13:28:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:40.023Z\",\"last_program_activity_at\":\"2022-12-07T13:28:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-07T13:28:35.164Z\",\"last_activity_at\":\"2022-12-07T13:28:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-19T15:28:35.164Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-19T13:28:35.164Z\",\"timer_report_resolved_elapsed_time\":1900779,\"timer_report_triage_miss_at\":\"2022-11-09T13:28:35.164Z\",\"timer_report_triage_elapsed_time\":7200},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants
/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770177\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:48:39.198Z\"}}},\"weakness\":{\"data\":{\"id\":\"1315\",\"type\":\"weakness\",\"attributes\":{\"name\":\"HTTP Parameter Pollution (HPP)\",\"description\":\"An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. 
Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.\",\"external_id\":\"capec-460\",\"created_at\":\"2022-07-06T18:50:00.662Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794556\",\"type\":\"report\",\"attributes\":{\"title\":\"Roof accessible by unauthorized personnel\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-11-06T06:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-11-09T06:51:18.490Z\",\"last_reporter_activity_at\":\"2022-11-06T06:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:23.812Z\",\"last_program_activity_at\":\"2022-11-09T06:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-09T06:51:18.490Z\",\"last_activity_at\":\"2022-11-09T06:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700
\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770230\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:23.665Z\"}}},\"weakness\":{\"data\":{\"id\":\"1505\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Adding a Space to a File Extension\",\"description\":\"An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.\",\"external_id\":\"capec-649\",\"created_at\":\"2022-07-06T19:02:52.439Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794553\",\"type\":\"report\",\"attributes\":{\"title\":\"Apache web server version disclosure\",\"main_state\":\"closed\",\"state\":\"not-applicable\",\"created_at\":\"2022-11-06T06:51:14.565Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-07T06:51:14.565Z\",\"last_reporter_activity_at\":\"2022-11-06T06:51:14.565Z\",\"first_program_activity_at\":\"2022-12-06T06:51:18.058Z\",\"last_program_activity_at\":\"2022-11-07T06:51:14.565Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-07T06:51:14.565Z\",\"last_activity_at\":\"2022-11-07T06:51:14.565Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770227\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:51:17.947Z\"}}},\"weakness\":{\"data\":{\"id\":\"89\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Information Exposure Through Directory Listing\",\"description\":\"A directory listing is inappropriately exposed, yielding potentially sensitive information to 
attackers.\",\"external_id\":\"cwe-548\",\"created_at\":\"2017-01-26T23:29:15.748Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794551\",\"type\":\"report\",\"attributes\":{\"title\":\"Subdomain takeover due to unclaimed S3 bucket\",\"main_state\":\"closed\",\"state\":\"duplicate\",\"created_at\":\"2022-11-06T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-08T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-11-06T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:10.676Z\",\"last_program_activity_at\":\"2022-11-08T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-08T06:50:22.684Z\",\"last_activity_at\":\"2022-11-08T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"original_report_id\":\"1794533\",\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":3},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6
IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770225\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:10.515Z\"}}},\"weakness\":{\"data\":{\"id\":\"1032\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Detect Unpublicized Web Pages\",\"description\":\"An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.\",\"external_id\":\"capec-143\",\"created_at\":\"2022-07-06T18:34:04.072Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794502\",\"type\":\"report\",\"attributes\":{\"title\":\"Subdomain takeover\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-11-06T06:48:35.164Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-29T06:48:35.164Z\",\"last_reporter_activity_at\":\"2022-11-06T06:48:35.164Z\",\"first_program_activity_at\":\"2022-12-06T06:48:36.693Z\",\"last_program_activity_at\":\"2022-11-29T06:48:35.164Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-29T06:48:35.164Z\",\"last_activity_at\":\"2022-11-29T06:48:35.164Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":\"2022-12-19T00:00:00.000Z\",\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":null,\"timer_report_resolved_miss_at\":\"2022-12-19T00:00:00.000Z\",\"timer_report_resolved_elapsed_time\":1406900,\"timer_report_triage_miss_at\":\"2022-11-09T00:00:00.000Z\",\"timer_report_triage_elapsed_time\":1406900},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b5
53ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770176\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:48:36.520Z\"}}},\"weakness\":{\"data\":{\"id\":\"129\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Blacklist\",\"description\":\"An application uses a \\\"blacklist\\\" of prohibited values, but the blacklist is incomplete.\",\"external_id\":\"cwe-184\",\"created_at\":\"2018-05-14T20:48:53.932Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play 
Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794531\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS in article description through /articles/new\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-11-04T18:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-11-05T10:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:23.555Z\",\"first_program_activity_at\":\"2022-12-06T06:50:17.690Z\",\"last_program_activity_at\":\"2022-11-05T10:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1423\",\"last_public_activity_at\":\"2022-12-09T06:50:23.555Z\",\"last_activity_at\":\"2022-12-09T06:50:23.555Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced9883
5000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770205\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:16.967Z\"}}},\"weakness\":{\"data\":{\"id\":\"75\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Privilege Escalation\",\"description\":\"An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.\",\"external_id\":\"capec-233\",\"created_at\":\"2017-01-05T01:51:19.000Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794525\",\"type\":\"report\",\"attributes\":{\"title\":\"Mobile - iPhone app XSS in JupiterOne 
demo Mail\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-31T10:15:37.740Z\",\"vulnerability_information\":\"During a recent security review we did for a big tech giant, we discovered a Cross-Site Scripting (XSS) issue related to how in-app iOS browsers handle the rendering of attachments. We did a quick check to see if a related vulnerability would be present at JupiterOne demo.\\nWe discovered the JupiterOne demo Mail feature is particularly vulnerable to this. The XSS can be used to get access to other messages in a user’s inbox and can be wormified for greater impact.\\nTo reproduce this vulnerability, you need to send the attached file - fb-mail-poc.html (F328174) - to someone’s JupiterOne demo email address. This file contains the proof of concept exploit code. When the user opens the attachment via the JupiterOne demo iPhone app (might work on other mobile devices as well), the attached HTML file containing the exploit gets executed in the same origin as https://iphone.jupiterone.com. In this particular proof of concept, the victim will see their private messages displayed. It would be trivial to expand the PoC to send this data to an external server, or access other private information such as the victim’s photos.\\nTo clarify further, when opening the attachment on an iPhone via the JupiterOne demo app, the current session is used to authenticate and render the attachment in the mobile in-app browser. Because of the shared session, the browser can send AJAX calls to https://iphone.jupiterone.com and retrieve content. 
This also bypasses the frame busting mechanism and JSON obfuscation system, as it is unnecessary to do a cross-domain attack and the retrieved for (;;); can be removed on-the-fly given that the XSS operates in the same origin.\\nBecause we're in the Bay Area now and scheduled to fly back to the Netherlands on Monday, we asked if they could potentially expedite things a bit and see if we could do a meeting at FB and discuss our findings.\\\"\\n\\n## Impact\\n\\nIt would be trivial to expand the PoC to send this data to an external server, or access other private information such as the victim’s photos.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.308Z\",\"first_program_activity_at\":\"2022-12-06T06:50:02.748Z\",\"last_program_activity_at\":\"2022-11-01T00:15:37.740Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.308Z\",\"last_activity_at\":\"2022-12-09T06:51:43.308Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a4
82476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770199\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:02.620Z\"}}},\"weakness\":{\"data\":{\"id\":\"582\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: '....//'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-34\",\"created_at\":\"2022-07-06T18:06:38.373Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794550\",\"type\":\"report\",\"attributes\":{\"title\":\"Access partial location information of other users through 
IDOR\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-28T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-02T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-28T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:08.011Z\",\"last_program_activity_at\":\"2022-11-02T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:08.430Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-02T18:50:22.684Z\",\"last_activity_at\":\"2022-11-02T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2
bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770224\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:51:07.895Z\"}}},\"weakness\":{\"data\":{\"id\":\"140\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')\",\"description\":\"The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.\",\"external_id\":\"cwe-362\",\"created_at\":\"2018-05-15T14:03:21.939Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App 
Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442275\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-11-06T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794550\",\"type\":\"report\",\"attributes\":{\"title\":\"Access partial location information of other users through IDOR\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-28T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-11-02T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-28T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:08.011Z\",\"last_program_activity_at\":\"2022-11-02T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:08.430Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-11-02T18:50:22.684Z\",\"last_activity_at\":\"2022-11-02T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794524\",\"type\":\"report\",\"attributes\":{\"title\":\"API - Using the api, one can obtain the authentication token for any user on jupiterone.com\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-22T17:07:03.454Z\",\"vulnerability_information\":\"Using this request i can get the API token for any user on jupiterone.com.\\n$ curl -s --request GET https://jupiterone.com/api/userid | jq '.authentication_token'\\n\\\"[redacted]\\\"\\n\\n## Impact\\n\\nAccess personal information and access any 
account.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.345Z\",\"first_program_activity_at\":\"2022-12-06T06:50:01.066Z\",\"last_program_activity_at\":\"2022-10-23T00:07:03.454Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.345Z\",\"last_activity_at\":\"2022-12-09T06:51:43.345Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"progra
m\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770198\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:00.873Z\"}}},\"weakness\":{\"data\":{\"id\":\"185\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Enforcement of Behavioral Workflow\",\"description\":\"The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.\",\"external_id\":\"cwe-841\",\"created_at\":\"2022-07-05T22:18:12.437Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794549\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect can offload OAuth tokens to 3rd party domain\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-20T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-22T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-20T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:05.613Z\",\"last_program_activity_at\":\"2022-10-22T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:06.039Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-22T06:50:22.684Z\",\"last_activity_at\":\"2022-10-22T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/vari
ants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770223\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:51:05.499Z\"}}},\"weakness\":{\"data\":{\"id\":\"1050\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Exploit Script-Based APIs\",\"description\":\"Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support \\u003cscript\\u003e tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. 
Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.\",\"external_id\":\"capec-160\",\"created_at\":\"2022-07-06T18:35:09.892Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442274\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-23T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794549\",\"type\":\"report\",\"attributes\":{\"title\":\"Open redirect can offload OAuth tokens to 3rd party domain\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-20T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-22T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-20T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:05.613Z\",\"last_program_activity_at\":\"2022-10-22T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:06.039Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-22T06:50:22.684Z\",\"last_activity_at\":\"2022-10-22T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794523\",\"type\":\"report\",\"attributes\":{\"title\":\"Authentication - User can bypass 2-factor authentication\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-13T23:58:29.169Z\",\"vulnerability_information\":\"Steps to reproduce:\\n\\n Login to your account and remove your 2FA on your account (if you already setup it)\\n Now go to https://jupiterone.com/parrot_sec and hit Submit Report button, observed that you cannot submit report unless you will enable your 2FA.\\n BYPASS: Get the Embedded Submission URL on their policy page: i get this -\\u003e\\u003e https://jupiterone.com/0a1e1f11-257e-4b46-b949-c7151212ffbb/embedded_submissions/new\\n Now submit report using that embedded submission form and you can submit reports without setting-up your 2FA, despite the program enforce the user to setup the 2FA before submitting new reports.\\n 2FA requirements successfully bypassed!'\\n\\n## Impact\\n\\nAllow any user to bypass multiple program restrictions, such as the 2FA requirement, report rate limit, 
and internal abuse limits.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.300Z\",\"first_program_activity_at\":\"2022-12-06T06:49:59.357Z\",\"last_program_activity_at\":\"2022-10-14T20:58:29.169Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.300Z\",\"last_activity_at\":\"2022-12-09T06:51:43.300Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\"
,\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770197\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:49:59.243Z\"}}},\"weakness\":{\"data\":{\"id\":\"1082\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Black Box Reverse Engineering\",\"description\":\"An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.\",\"external_id\":\"capec-189\",\"created_at\":\"2022-07-06T18:36:57.413Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794548\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR vulnerability exposes all users' email 
addresses\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-11T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-14T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-11T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:03.195Z\",\"last_program_activity_at\":\"2022-10-14T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:03.585Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-14T18:50:22.684Z\",\"last_activity_at\":\"2022-10-14T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91
258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770222\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:51:03.081Z\"}}},\"weakness\":{\"data\":{\"id\":\"743\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Inclusion of Sensitive Information in an Include File\",\"description\":\"If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.\",\"external_id\":\"cwe-541\",\"created_at\":\"2022-07-06T18:15:20.987Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, 
etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442273\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"400.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"400.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-17T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794548\",\"type\":\"report\",\"attributes\":{\"title\":\"IDOR vulnerability exposes all users' email addresses\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-11T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-14T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-11T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:03.195Z\",\"last_program_activity_at\":\"2022-10-14T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:03.585Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-14T18:50:22.684Z\",\"last_activity_at\":\"2022-10-14T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794530\",\"type\":\"report\",\"attributes\":{\"title\":\"Amazon AWS instance metadata exposed via SSRF in /webhooks/new\",\"main_state\":\"open\",\"state\":\"triaged\",\"created_at\":\"2022-10-05T06:50:10.808Z\",\"vulnerability_information\":\"This is awesome.\\n\\nAnd we can write multiple stuff here.\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":\"2022-10-05T13:50:10.808Z\",\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:50:12.900Z\",\"first_program_activity_at\":\"2022-12-06T06:50:12.392Z\",\"last_program_activity_at\":\"2022-10-05T13:50:10.808Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"issue_tracker_reference_id\":\"T1422\",\"last_public_activity_at\":\"2022-12-09T06:50:12.900Z\",\"last_activity_at\":\"2022-12-09T06:50:12.900Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":fal
se}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770204\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:12.063Z\"}}},\"weakness\":{\"data\":{\"id\":\"1227\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Using Unpublished Interfaces\",\"description\":\"An adversary searches for and invokes interfaces that the target system designers did not intend to be publicly available. If these interfaces fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for.\",\"external_id\":\"capec-36\",\"created_at\":\"2022-07-06T18:45:01.588Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794522\",\"type\":\"report\",\"attributes\":{\"title\":\"Cloud - Subdomain Takeover on dev.jupiterone.com due to unclaimed domain pointing to AWS\",\"main_state\":\"open\",\"state\":\"new\",\"created_at\":\"2022-10-05T06:49:54.883Z\",\"vulnerability_information\":\"This is an urgent issue and I hope you will act on it likewise.\\nYour subdomain dev.jupiterone.com is pointing to AWS S3, but no bucket was connected to it. Actually, the reason to it is due to the CNAME of the DNS-entry:\\nCustomizing Amazon S3 URLs with CNAMEs\\nDepending on your needs, you might not want \\\"s3.amazonaws.com\\\" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/.\\nThe bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.\\nSo what happens here is actually that, since media.vine.co is pointing to S3, S3 is actually checking if there's a bucket with that name. Which in this case was not true. So I was able to claim the bucket dev.JupiterOne demo and thus, can place content on this URL.\\nYou should immediately remove the DNS-entry for dev.JupiterOne demo pointing to AWS S3.\\n\\n## Impact\\n\\nSince I have complete control over the subdomain I can do whatever I want on it. 
The restriction I have now is that I'm not able to serve anything on the root-URL – however – if I would have created the bucket in the correct region (West-1) in AWS, this would've worked.\",\"triaged_at\":null,\"closed_at\":null,\"last_reporter_activity_at\":\"2022-12-09T06:51:43.295Z\",\"first_program_activity_at\":\"2022-12-06T06:49:57.764Z\",\"last_program_activity_at\":\"2022-10-05T18:49:54.883Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-12-09T06:51:43.295Z\",\"last_activity_at\":\"2022-12-09T06:51:43.295Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lk
In19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770196\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:49:57.398Z\"}}},\"weakness\":{\"data\":{\"id\":\"679\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Return of Pointer Value Outside of Expected Range\",\"description\":\"A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.\",\"external_id\":\"cwe-466\",\"created_at\":\"2022-07-06T18:11:52.499Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794547\",\"type\":\"report\",\"attributes\":{\"title\":\"Time-based blind SQL injection in user_id parameter on /groups page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-03T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-06T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-03T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:01.187Z\",\"last_program_activity_at\":\"2022-10-06T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:01.536Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-06T06:50:22.684Z\",\"last_activity_at\":\"2022-10-06T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\
",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770221\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:01.073Z\"}}},\"weakness\":{\"data\":{\"id\":\"764\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Assignment to Variable without Use\",\"description\":\"The variable's value is assigned but never used, making it a dead store.\",\"external_id\":\"cwe-563\",\"created_at\":\"2022-07-06T18:16:26.136Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442272\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-11T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794547\",\"type\":\"report\",\"attributes\":{\"title\":\"Time-based blind SQL injection in user_id parameter on /groups 
page\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-10-03T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-10-06T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-10-03T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:51:01.187Z\",\"last_program_activity_at\":\"2022-10-06T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:51:01.536Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-10-06T06:50:22.684Z\",\"last_activity_at\":\"2022-10-06T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794546\",\"type\":\"report\",\"attributes\":{\"title\":\"Ruby on Rails Gemfile contains uncontrolled Github gem repository\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-24T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-30T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-24T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:58.632Z\",\"last_program_activity_at\":\"2022-09-30T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:59.095Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-30T18:50:22.684Z\",\"last_activity_at\":\"2022-09-30T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/0
00/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770220\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:58.474Z\"}}},\"weakness\":{\"data\":{\"id\":\"1481\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Compromising Emanations Attack\",\"description\":\"Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. 
Capturing these emissions can help an adversary understand what the device is doing.\",\"external_id\":\"capec-623\",\"created_at\":\"2022-07-06T19:01:40.982Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442271\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-10-05T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794546\",\"type\":\"report\",\"attributes\":{\"title\":\"Ruby on Rails Gemfile contains uncontrolled Github gem repository\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-24T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-30T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-24T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:58.632Z\",\"last_program_activity_at\":\"2022-09-30T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:59.095Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-30T18:50:22.684Z\",\"last_activity_at\":\"2022-09-30T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794545\",\"type\":\"report\",\"attributes\":{\"title\":\"CSRF vulnerability enables attacker to link Xero instance to current user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-16T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-19T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-16T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:54.329Z\",\"last_program_activity_at\":\"2022-09-19T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:55.069Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-19T06:50:22.684Z\",\"last_activity_at\":\"2022-09-19T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"loc
ation\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770219\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:53.914Z\"}}},\"weakness\":{\"data\":{\"id\":\"647\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Protection of Alternate Path\",\"description\":\"The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.\",\"external_id\":\"cwe-424\",\"created_at\":\"2022-07-06T18:10:10.440Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442270\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-26T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794545\",\"type\":\"report\",\"attributes\":{\"title\":\"CSRF vulnerability enables attacker to link Xero instance to current user\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-16T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. 
The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-19T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-16T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:54.329Z\",\"last_program_activity_at\":\"2022-09-19T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:55.069Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-19T06:50:22.684Z\",\"last_activity_at\":\"2022-09-19T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794544\",\"type\":\"report\",\"attributes\":{\"title\":\"Deleted users can access confidential information through Algolia indexes\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-07T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-11T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-07T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:50.172Z\",\"last_program_activity_at\":\"2022-09-11T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:50.544Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-11T18:50:22.684Z\",\"last_activity_at\":\"2022-09-11T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9
MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770218\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:50.062Z\"}}},\"weakness\":{\"data\":{\"id\":\"1098\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Create Malicious Client\",\"description\":\"An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.\",\"external_id\":\"capec-202\",\"created_at\":\"2022-07-06T18:37:45.211Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442269\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-13T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794544\",\"type\":\"report\",\"attributes\":{\"title\":\"Deleted users can access confidential information through Algolia indexes\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-09-07T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-11T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-09-07T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:50.172Z\",\"last_program_activity_at\":\"2022-09-11T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:50.544Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-11T18:50:22.684Z\",\"last_activity_at\":\"2022-09-11T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794543\",\"type\":\"report\",\"attributes\":{\"title\":\"Bearer token used in web app do not expire after password change\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-30T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-01T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-30T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:47.935Z\",\"last_program_activity_at\":\"2022-09-01T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:48.324Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-01T06:50:22.684Z\",\"last_activity_at\":\"2022-09-01T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBa
DdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770217\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:47.777Z\"}}},\"weakness\":{\"data\":{\"id\":\"131\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Neutralization of Escape, Meta, or Control Sequences\",\"description\":\"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.\",\"external_id\":\"cwe-150\",\"created_at\":\"2018-05-14T20:48:55.546Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App 
Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442268\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"800.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"800.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-09-08T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794543\",\"type\":\"report\",\"attributes\":{\"title\":\"Bearer token used in web app do not expire after password change\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-30T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-09-01T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-30T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:47.935Z\",\"last_program_activity_at\":\"2022-09-01T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:48.324Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-09-01T06:50:22.684Z\",\"last_activity_at\":\"2022-09-01T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794555\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoices publicly accessible when invoice secret nonce is known\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-08-21T18:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-08-25T18:51:18.490Z\",\"last_reporter_activity_at\":\"2022-08-21T18:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:21.812Z\",\"last_program_activity_at\":\"2022-08-25T18:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-25T18:51:18.490Z\",\"last_activity_at\":\"2022-08-25T18:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJl
eHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770229\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:51:21.700Z\"}}},\"weakness\":{\"data\":{\"id\":\"1335\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Malicious Root Certificate\",\"description\":\"An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. 
Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.\",\"external_id\":\"capec-479\",\"created_at\":\"2022-07-06T18:51:02.357Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\",\"first\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"prev\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"next\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=3\"}}" }, "cookies": [], "headers": [ { "name": "date", - "value": "Mon, 19 Dec 2022 23:02:30 GMT" + "value": "Mon, 23 Jan 2023 10:02:10 GMT" }, { "name": "content-type", @@ -208,7 +651,7 @@ }, { "name": "connection", - "value": "close" + "value": "keep-alive" }, { "name": "vary", @@ -216,11 +659,11 @@ }, { "name": "x-request-id", - "value": "bb4762af-dd4c-481e-aff8-44c3da1b4456" + "value": "5072cde4-cba8-437a-b9ac-f3d583a9330e" }, { "name": "etag", - "value": "W/\"9e0a605fec39254453ffebff76ad1c41\"" + "value": "W/\"91aa40283a5f99ef4f007b1cb6cf4d43\"" }, { "name": "cache-control", 
@@ -260,7 +703,7 @@ }, { "name": "content-security-policy", - "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" }, { "name": "cf-cache-status", 
@@ -272,17 +715,17 @@ }, { "name": "cf-ray", - "value": "77c3c4229f8a27dc-SLC" + "value": "78dfb11c3cc50448-HKG" } ], - "headersSize": 1514, + "headersSize": 1563, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2022-12-19T23:02:29.302Z", - "time": 1546, + "startedDateTime": "2023-01-23T10:02:05.755Z", + "time": 4602, "timings": { "blocked": -1, "connect": -1, @@ -290,7 +733,7 @@ "receive": 0, "send": 0, "ssl": -1, - "wait": 1546 + "wait": 4602 } }, { 
@@ -336,13 +779,13 @@ "content": { "mimeType": "application/json; charset=utf-8", "size": 57546, - "text": "{\"data\":[{\"id\":\"1794542\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoice PDF generator vulnerable to template injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-21T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-23T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-21T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:45.354Z\",\"last_program_activity_at\":\"2022-08-23T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:45.712Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-23T18:50:22.684Z\",\"last_activity_at\":\"2022-08-23T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d43
3ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770216\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:45.240Z\"}}},\"weakness\":{\"data\":{\"id\":\"368\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Sequence of Processor Instructions Leads to Unexpected Behavior\",\"description\":\"Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset 
performed.\",\"external_id\":\"cwe-1281\",\"created_at\":\"2022-07-06T17:55:18.024Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[{\"id\":\"442267\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-26T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794542\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoice PDF generator vulnerable to template injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-21T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-23T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-21T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:45.354Z\",\"last_program_activity_at\":\"2022-08-23T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:45.712Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-23T18:50:22.684Z\",\"last_activity_at\":\"2022-08-23T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794541\",\"type\":\"report\",\"attributes\":{\"title\":\"Public readable Amazon S3 exposes old data backups\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-13T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-16T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-13T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:42.866Z\",\"last_program_activity_at\":\"2022-08-16T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:43.221Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-16T06:50:22.684Z\",\"last_activity_at\":\"2022-08-16T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\
":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770215\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:42.756Z\"}}},\"weakness\":{\"data\":{\"id\":\"524\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: '/../filedir'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \\\"/../\\\" sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-25\",\"created_at\":\"2022-07-06T18:03:34.165Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442266\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-18T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794541\",\"type\":\"report\",\"attributes\":{\"title\":\"Public readable Amazon S3 exposes old data backups\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-13T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing 
styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-16T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-13T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:42.866Z\",\"last_program_activity_at\":\"2022-08-16T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:43.221Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-16T06:50:22.684Z\",\"last_activity_at\":\"2022-08-16T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794540\",\"type\":\"report\",\"attributes\":{\"title\":\"User API tokens not revoked after user removed from group\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-04T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-09T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-04T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:40.347Z\",\"last_program_activity_at\":\"2022-08-09T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:40.713Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-09T18:50:22.684Z\",\"last_activity_at\":\"2022-08-09T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\
":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770214\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:40.229Z\"}}},\"weakness\":{\"data\":{\"id\":\"987\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Altered Installed BIOS\",\"description\":\"An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.\",\"external_id\":\"capec-532\",\"created_at\":\"2022-07-06T18:31:30.687Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442265\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-13T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794540\",\"type\":\"report\",\"attributes\":{\"title\":\"User API tokens not revoked after user removed from group\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-04T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-09T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-04T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:40.347Z\",\"last_program_activity_at\":\"2022-08-09T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:40.713Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-09T18:50:22.684Z\",\"last_activity_at\":\"2022-08-09T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794539\",\"type\":\"report\",\"attributes\":{\"title\":\"Low entropy nonce and lack of rate limiting exposes sent offers\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-27T06:50:22.684Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-28T00:50:22.684Z\",\"closed_at\":\"2022-08-02T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-27T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:38.005Z\",\"last_program_activity_at\":\"2022-08-02T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:38.419Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-02T06:50:22.684Z\",\"last_activity_at\":\"2022-08-02T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":8056723,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770213\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:50:37.857Z\"}}},\"weakness\":{\"data\":{\"id\":\"333\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Finite State Machines (FSMs) in Hardware Logic\",\"description\":\"Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's 
system.\",\"external_id\":\"cwe-1245\",\"created_at\":\"2022-07-06T17:53:28.520Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442264\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-07T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794539\",\"type\":\"report\",\"attributes\":{\"title\":\"Low entropy nonce and lack of rate limiting exposes sent offers\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-27T06:50:22.684Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-28T00:50:22.684Z\",\"closed_at\":\"2022-08-02T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-27T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:38.005Z\",\"last_program_activity_at\":\"2022-08-02T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:38.419Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-02T06:50:22.684Z\",\"last_activity_at\":\"2022-08-02T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":8056723,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794538\",\"type\":\"report\",\"attributes\":{\"title\":\"Overly verbose object serialization leaks all users' password reset tokens\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-18T18:50:22.684Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-19T02:50:22.684Z\",\"closed_at\":\"2022-07-19T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-18T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:35.631Z\",\"last_program_activity_at\":\"2022-07-19T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:36.019Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-19T18:50:22.684Z\",\"last_activity_at\":\"2022-07-19T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":8654314,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f5
8178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770212\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:35.494Z\"}}},\"weakness\":{\"data\":{\"id\":\"1236\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Content Spoofing Via Application API Manipulation\",\"description\":\"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. 
The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.\",\"external_id\":\"capec-389\",\"created_at\":\"2022-07-06T18:45:26.096Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442263\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"2000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"2000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-07-24T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794538\",\"type\":\"report\",\"attributes\":{\"title\":\"Overly verbose object serialization leaks all users' password reset tokens\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-18T18:50:22.684Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-19T02:50:22.684Z\",\"closed_at\":\"2022-07-19T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-18T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:35.631Z\",\"last_program_activity_at\":\"2022-07-19T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:36.019Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-19T18:50:22.684Z\",\"last_activity_at\":\"2022-07-19T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":8654314,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794537\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS vulnerability in user profile biography\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-10T06:50:22.684Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-17T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-10T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:32.995Z\",\"last_program_activity_at\":\"2022-07-17T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:33.391Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-17T06:50:22.684Z\",\"last_activity_at\":\"2022-07-17T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\
"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770211\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:32.788Z\"}}},\"weakness\":{\"data\":{\"id\":\"400\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Missing Security Checks in Fabric Bridge\",\"description\":\"A bridge that is connected to a fabric without security features forwards transactions to the slave without checking the privilege level of the master. Similarly, it does not check the hardware identity of the transaction received from the slave interface of the bridge.\",\"external_id\":\"cwe-1317\",\"created_at\":\"2022-07-06T17:57:00.415Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442262\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-07-22T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794537\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS vulnerability in user profile biography\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-10T06:50:22.684Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-17T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-10T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:32.995Z\",\"last_program_activity_at\":\"2022-07-17T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:33.391Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-17T06:50:22.684Z\",\"last_activity_at\":\"2022-07-17T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794536\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS vulnerability in redirect_to parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-01T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-03T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-01T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:30.484Z\",\"last_program_activity_at\":\"2022-07-03T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:30.916Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-03T18:50:22.684Z\",\"last_activity_at\":\"2022-07-03T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9
MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770210\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:30.368Z\"}}},\"weakness\":{\"data\":{\"id\":\"269\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insufficient Encapsulation of Machine-Dependent Functionality\",\"description\":\"The product or code uses machine-dependent functionality, but\\n\\t\\t\\t\\t\\tit does not sufficiently encapsulate or isolate this functionality from\\n\\t\\t\\t\\t\\tthe rest of the code.\",\"external_id\":\"cwe-1105\",\"created_at\":\"2022-07-06T17:50:03.202Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442261\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"100.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"100.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-07-05T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794536\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS vulnerability in redirect_to 
parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-01T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-03T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-01T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:30.484Z\",\"last_program_activity_at\":\"2022-07-03T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:30.916Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-03T18:50:22.684Z\",\"last_activity_at\":\"2022-07-03T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794535\",\"type\":\"report\",\"attributes\":{\"title\":\"Administration backend vulnerable for blind XSS vulnerability\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-06-23T06:50:22.684Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-06-23T17:50:22.684Z\",\"closed_at\":\"2022-06-26T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-06-23T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:28.342Z\",\"last_program_activity_at\":\"2022-06-26T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-26T06:50:22.684Z\",\"last_activity_at\":\"2022-06-26T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e227
41e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770209\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:28.205Z\"}}},\"weakness\":{\"data\":{\"id\":\"618\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Symbolic Name not Mapping to Correct Object\",\"description\":\"A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.\",\"external_id\":\"cwe-386\",\"created_at\":\"2022-07-06T18:08:33.220Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794534\",\"type\":\"report\",\"attributes\":{\"title\":\"Reading local files through template parameter in article designer\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-06-14T18:50:22.684Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-06-15T14:50:22.684Z\",\"closed_at\":\"2022-06-18T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-06-14T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:26.156Z\",\"last_program_activity_at\":\"2022-06-18T18:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-18T18:50:22.684Z\",\"last_activity_at\":\"2022-06-18T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64c
ecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770208\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:26.015Z\"}}},\"weakness\":{\"data\":{\"id\":\"1316\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Web Services API Signature Forgery Leveraging Hash Function Extension Weakness\",\"description\":\"When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller, when constructing a request, would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. There is a practical attack against an authentication scheme of this nature that makes use of the hash function extension / padding weakness. 
Leveraging this weakness, an attacker, who does not know the secret token, is able to modify the parameters passed to the web service by generating their own call and still generate a legitimate signature hash (as described in the notes). Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work on other hash functions such as SHA1.\",\"external_id\":\"capec-461\",\"created_at\":\"2022-07-06T18:50:04.065Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794554\",\"type\":\"report\",\"attributes\":{\"title\":\"Previously used email address does not receive update confirmation\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-06-06T06:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-06-07T06:51:18.490Z\",\"last_reporter_activity_at\":\"2022-06-06T06:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:19.957Z\",\"last_program_activity_at\":\"2022-06-07T06:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-07T06:51:18.490Z\",\"last_activity_at\":\"2022-06-07T06:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT
0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770228\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:51:19.847Z\"}}},\"weakness\":{\"data\":{\"id\":\"922\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Filtering of Special Elements\",\"description\":\"The software receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.\",\"external_id\":\"cwe-791\",\"created_at\":\"2022-07-06T18:27:54.523Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794552\",\"type\":\"report\",\"attributes\":{\"title\":\"CKEditor example directory publicly accessible\",\"main_state\":\"closed\",\"state\":\"not-applicable\",\"created_at\":\"2022-06-06T06:51:14.565Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-06-09T06:51:14.565Z\",\"last_reporter_activity_at\":\"2022-06-06T06:51:14.565Z\",\"first_program_activity_at\":\"2022-12-06T06:51:16.276Z\",\"last_program_activity_at\":\"2022-06-09T06:51:14.565Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-09T06:51:14.565Z\",\"last_activity_at\":\"2022-06-09T06:51:14.565Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\
",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770226\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:16.164Z\"}}},\"weakness\":{\"data\":{\"id\":\"583\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Generation of Predictable Numbers or Identifiers\",\"description\":\"The product uses a scheme that generates numbers or identifiers that are more predictable than required.\",\"external_id\":\"cwe-340\",\"created_at\":\"2022-07-06T18:06:46.326Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794533\",\"type\":\"report\",\"attributes\":{\"title\":\"Unclaimed Amazon S3 bucket leads to marketing subdomain takeover\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-06-06T06:50:22.684Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-06-07T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-06-06T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:24.019Z\",\"last_program_activity_at\":\"2022-06-07T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-07T06:50:22.684Z\",\"last_activity_at\":\"2022-06-07T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\
"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2022-12-06T06:49:10.570Z\"}}},\"severity\":{\"data\":{\"id\":\"1770207\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:23.866Z\"}}},\"weakness\":{\"data\":{\"id\":\"102\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Client-Side Enforcement of Server-Side Security\",\"description\":\"The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.\",\"external_id\":\"cwe-602\",\"created_at\":\"2017-03-10T18:53:51.436Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=3\",\"first\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"prev\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\"}}" + "text": "{\"data\":[{\"id\":\"1794542\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoice PDF generator vulnerable to template injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-21T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. 
Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-23T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-21T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:45.354Z\",\"last_program_activity_at\":\"2022-08-23T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:45.712Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-23T18:50:22.684Z\",\"last_activity_at\":\"2022-08-23T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/vari
ants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770216\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:45.240Z\"}}},\"weakness\":{\"data\":{\"id\":\"368\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Sequence of Processor Instructions Leads to Unexpected Behavior\",\"description\":\"Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.\",\"external_id\":\"cwe-1281\",\"created_at\":\"2022-07-06T17:55:18.024Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[{\"id\":\"442267\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1250.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1250.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-26T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794542\",\"type\":\"report\",\"attributes\":{\"title\":\"Invoice PDF generator vulnerable to template 
injection\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-21T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-23T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-21T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:45.354Z\",\"last_program_activity_at\":\"2022-08-23T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:45.712Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-23T18:50:22.684Z\",\"last_activity_at\":\"2022-08-23T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794541\",\"type\":\"report\",\"attributes\":{\"title\":\"Public readable Amazon S3 exposes old data backups\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-13T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-16T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-13T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:42.866Z\",\"last_program_activity_at\":\"2022-08-16T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:43.221Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-16T06:50:22.684Z\",\"last_activity_at\":\"2022-08-16T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\
":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770215\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:42.756Z\"}}},\"weakness\":{\"data\":{\"id\":\"524\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Path Traversal: '/../filedir'\",\"description\":\"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \\\"/../\\\" sequences that can resolve to a location that is outside of that directory.\",\"external_id\":\"cwe-25\",\"created_at\":\"2022-07-06T18:03:34.165Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274631\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"The primary JupiterOne demo site where you can manage your account, learn about products \\u0026 services, get support, etc.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.412Z\",\"updated_at\":\"2022-12-06T06:48:25.412Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442266\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"1500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"1500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-18T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794541\",\"type\":\"report\",\"attributes\":{\"title\":\"Public readable Amazon S3 exposes old data backups\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-13T06:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing 
styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-16T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-13T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:42.866Z\",\"last_program_activity_at\":\"2022-08-16T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:43.221Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-16T06:50:22.684Z\",\"last_activity_at\":\"2022-08-16T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794540\",\"type\":\"report\",\"attributes\":{\"title\":\"User API tokens not revoked after user removed from group\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-04T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-09T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-04T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:40.347Z\",\"last_program_activity_at\":\"2022-08-09T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:40.713Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-09T18:50:22.684Z\",\"last_activity_at\":\"2022-08-09T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\
":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770214\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:40.229Z\"}}},\"weakness\":{\"data\":{\"id\":\"987\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Altered Installed BIOS\",\"description\":\"An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.\",\"external_id\":\"capec-532\",\"created_at\":\"2022-07-06T18:31:30.687Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274637\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"OTHER\",\"asset_identifier\":\"Other assets\",\"eligible_for_bounty\":false,\"eligible_for_submission\":true,\"instruction\":\"If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. 
These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.842Z\",\"updated_at\":\"2022-12-06T06:48:25.842Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442265\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-13T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794540\",\"type\":\"report\",\"attributes\":{\"title\":\"User API tokens not revoked after user removed from group\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-08-04T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-08-09T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-08-04T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:40.347Z\",\"last_program_activity_at\":\"2022-08-09T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:40.713Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-09T18:50:22.684Z\",\"last_activity_at\":\"2022-08-09T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794539\",\"type\":\"report\",\"attributes\":{\"title\":\"Low entropy nonce and lack of rate limiting exposes sent offers\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-27T06:50:22.684Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-28T00:50:22.684Z\",\"closed_at\":\"2022-08-02T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-27T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:38.005Z\",\"last_program_activity_at\":\"2022-08-02T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:38.419Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-02T06:50:22.684Z\",\"last_activity_at\":\"2022-08-02T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":8056723,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"3683\",\"type\":\"user\",\"attributes\":{\"reputation\":100,\"username\":\"demo-hacker\",\"name\":\"Demo 
Hacker\",\"disabled\":false,\"created_at\":\"2014-03-17T20:14:25.383Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/003/683/34dc17c69760632eba8908c6bc708eb7a20edee3_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"support@hackerone.com\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770213\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":3683,\"created_at\":\"2022-12-06T06:50:37.857Z\"}}},\"weakness\":{\"data\":{\"id\":\"333\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Improper Finite State Machines (FSMs) in Hardware Logic\",\"description\":\"Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's 
system.\",\"external_id\":\"cwe-1245\",\"created_at\":\"2022-07-06T17:53:28.520Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442264\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"750.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"750.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-08-07T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794539\",\"type\":\"report\",\"attributes\":{\"title\":\"Low entropy nonce and lack of rate limiting exposes sent offers\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-27T06:50:22.684Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-28T00:50:22.684Z\",\"closed_at\":\"2022-08-02T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-27T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:38.005Z\",\"last_program_activity_at\":\"2022-08-02T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:38.419Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-08-02T06:50:22.684Z\",\"last_activity_at\":\"2022-08-02T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":8056723,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794538\",\"type\":\"report\",\"attributes\":{\"title\":\"Overly verbose object serialization leaks all users' password reset tokens\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-18T18:50:22.684Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-19T02:50:22.684Z\",\"closed_at\":\"2022-07-19T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-18T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:35.631Z\",\"last_program_activity_at\":\"2022-07-19T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:36.019Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-19T18:50:22.684Z\",\"last_activity_at\":\"2022-07-19T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":8654314,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162942\",\"type\":\"user\",\"attributes\":{\"username\":\"bishop\",\"name\":\"Bishop\",\"disabled\":false,\"created_at\":\"2017-04-26T20:10:29.470Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/3f43c7f253f127edb432f5
8178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/942/c63e611e32b94012ea8d818536cced98835000bf_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770212\",\"type\":\"severity\",\"attributes\":{\"rating\":\"critical\",\"author_type\":\"User\",\"user_id\":162942,\"created_at\":\"2022-12-06T06:50:35.494Z\"}}},\"weakness\":{\"data\":{\"id\":\"1236\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Content Spoofing Via Application API Manipulation\",\"description\":\"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. 
The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.\",\"external_id\":\"capec-389\",\"created_at\":\"2022-07-06T18:45:26.096Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442263\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"2000.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"2000.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-07-24T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794538\",\"type\":\"report\",\"attributes\":{\"title\":\"Overly verbose object serialization leaks all users' password reset tokens\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-18T18:50:22.684Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-07-19T02:50:22.684Z\",\"closed_at\":\"2022-07-19T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-18T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:35.631Z\",\"last_program_activity_at\":\"2022-07-19T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:36.019Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-19T18:50:22.684Z\",\"last_activity_at\":\"2022-07-19T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":8654314,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794537\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS vulnerability in user profile biography\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-10T06:50:22.684Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-17T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-10T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:32.995Z\",\"last_program_activity_at\":\"2022-07-17T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:33.391Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-17T06:50:22.684Z\",\"last_activity_at\":\"2022-07-17T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\
"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770211\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:50:32.788Z\"}}},\"weakness\":{\"data\":{\"id\":\"400\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Missing Security Checks in Fabric Bridge\",\"description\":\"A bridge that is connected to a fabric without security features forwards transactions to the slave without checking the privilege level of the master. Similarly, it does not check the hardware identity of the transaction received from the slave interface of the bridge.\",\"external_id\":\"cwe-1317\",\"created_at\":\"2022-07-06T17:57:00.415Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442262\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"500.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"500.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-07-22T06:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794537\",\"type\":\"report\",\"attributes\":{\"title\":\"Stored XSS vulnerability in user profile biography\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-10T06:50:22.684Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-17T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-10T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:32.995Z\",\"last_program_activity_at\":\"2022-07-17T06:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:33.391Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-17T06:50:22.684Z\",\"last_activity_at\":\"2022-07-17T06:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794536\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS vulnerability in redirect_to parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-01T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... 
well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-03T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-01T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:30.484Z\",\"last_program_activity_at\":\"2022-07-03T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:30.916Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-03T18:50:22.684Z\",\"last_activity_at\":\"2022-07-03T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162755\",\"type\":\"user\",\"attributes\":{\"username\":\"cosmo\",\"name\":\"Cosmo\",\"disabled\":false,\"created_at\":\"2017-04-26T05:10:30.878Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/755/157352d30bcc970429f50231dee5838e6865cb18_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanRoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--5acc52bbb18a5af65f4968a544b567f73ed7ff4f/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9
MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/kingsley.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770210\",\"type\":\"severity\",\"attributes\":{\"rating\":\"low\",\"author_type\":\"User\",\"user_id\":162755,\"created_at\":\"2022-12-06T06:50:30.368Z\"}}},\"weakness\":{\"data\":{\"id\":\"269\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Insufficient Encapsulation of Machine-Dependent Functionality\",\"description\":\"The product or code uses machine-dependent functionality, but\\n\\t\\t\\t\\t\\tit does not sufficiently encapsulate or isolate this functionality from\\n\\t\\t\\t\\t\\tthe rest of the code.\",\"external_id\":\"cwe-1105\",\"created_at\":\"2022-07-06T17:50:03.202Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[{\"id\":\"442261\",\"type\":\"bounty\",\"attributes\":{\"amount\":\"100.00\",\"bonus_amount\":\"0.00\",\"awarded_amount\":\"100.00\",\"awarded_bonus_amount\":\"0.00\",\"awarded_currency\":\"USD\",\"created_at\":\"2022-07-05T18:50:22.684Z\",\"relationships\":{\"report\":{\"data\":{\"id\":\"1794536\",\"type\":\"report\",\"attributes\":{\"title\":\"Reflected XSS vulnerability in redirect_to 
parameter\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-07-01T18:50:22.684Z\",\"vulnerability_information\":\"This route is a full 30 meter pitch with a variety of climbing styles and sections. The full\\n100' pitch offers a little bit of everything for everyone. Featuring a bouldery start, jugs,\\ncrack, roof, traversing, crimps, face climbing, spaced bolts and airy falls this climb has\\neverything you want and nothing you don't... well, maybe another bolt or two!\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":null,\"closed_at\":\"2022-07-03T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-07-01T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:30.484Z\",\"last_program_activity_at\":\"2022-07-03T18:50:22.684Z\",\"bounty_awarded_at\":\"2022-12-06T06:50:30.916Z\",\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-07-03T18:50:22.684Z\",\"last_activity_at\":\"2022-07-03T18:50:22.684Z\",\"source\":null,\"timer_bounty_awarded_elapsed_time\":0,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null}}}}}}]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794535\",\"type\":\"report\",\"attributes\":{\"title\":\"Administration backend vulnerable for blind XSS vulnerability\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-06-23T06:50:22.684Z\",\"vulnerability_information\":\"While installation, Airbnb Android app asks users to enter their phone number, email address,\\nand other personal details, which is verified by phone call or SMS message. 
After this,\\nwhenever users open the app, no login screen is ever shown again.\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-06-23T17:50:22.684Z\",\"closed_at\":\"2022-06-26T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-06-23T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:28.342Z\",\"last_program_activity_at\":\"2022-06-26T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-26T06:50:22.684Z\",\"last_activity_at\":\"2022-06-26T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e227
41e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770209\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:28.205Z\"}}},\"weakness\":{\"data\":{\"id\":\"618\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Symbolic Name not Mapping to Correct Object\",\"description\":\"A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.\",\"external_id\":\"cwe-386\",\"created_at\":\"2022-07-06T18:08:33.220Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274634\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"GOOGLE_PLAY_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.android\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for Android, available on the [Play Store](http://www.google.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.552Z\",\"updated_at\":\"2022-12-06T06:48:25.552Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794534\",\"type\":\"report\",\"attributes\":{\"title\":\"Reading local files through template parameter in article designer\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-06-14T18:50:22.684Z\",\"vulnerability_information\":\"This mega line has got to be the most striking multi-pitch route in the country, if not the\\nworld. 
It's possible to start at the very base of the tower using the Sheer Trickery\\napproach, but rumor has it Sheer Trickery is harder than the crux pitch of the Backbone\\n(and considering the fire power of the FA group - Wolfgang Gullich, Ron Kauk, and Alan Watts\\n- it's easy to believe).\\n\\n## Impact\\n\\nSuch impact\",\"triaged_at\":\"2022-06-15T14:50:22.684Z\",\"closed_at\":\"2022-06-18T18:50:22.684Z\",\"last_reporter_activity_at\":\"2022-06-14T18:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:26.156Z\",\"last_program_activity_at\":\"2022-06-18T18:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-18T18:50:22.684Z\",\"last_activity_at\":\"2022-06-18T18:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64c
ecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770208\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:50:26.015Z\"}}},\"weakness\":{\"data\":{\"id\":\"1316\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Web Services API Signature Forgery Leveraging Hash Function Extension Weakness\",\"description\":\"When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller, when constructing a request, would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. There is a practical attack against an authentication scheme of this nature that makes use of the hash function extension / padding weakness. 
Leveraging this weakness, an attacker, who does not know the secret token, is able to modify the parameters passed to the web service by generating their own call and still generate a legitimate signature hash (as described in the notes). Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work on other hash functions such as SHA1.\",\"external_id\":\"capec-461\",\"created_at\":\"2022-07-06T18:50:04.065Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794554\",\"type\":\"report\",\"attributes\":{\"title\":\"Previously used email address does not receive update confirmation\",\"main_state\":\"closed\",\"state\":\"informative\",\"created_at\":\"2022-06-06T06:51:18.490Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact!\",\"triaged_at\":null,\"closed_at\":\"2022-06-07T06:51:18.490Z\",\"last_reporter_activity_at\":\"2022-06-06T06:51:18.490Z\",\"first_program_activity_at\":\"2022-12-06T06:51:19.957Z\",\"last_program_activity_at\":\"2022-06-07T06:51:18.490Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-07T06:51:18.490Z\",\"last_activity_at\":\"2022-06-07T06:51:18.490Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162754\",\"type\":\"user\",\"attributes\":{\"username\":\"whistler\",\"name\":\"Whistler\",\"disabled\":false,\"created_at\":\"2017-04-26T05:09:23.971Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/754/3780e1d81ee2601e22d10334912e3ad20a2b7d63_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://hackerone.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBanBoIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--80b9f2653aa72680d5f8e22741e7dc1cbaee1cd9/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCem9MWm05eWJXRjBTU0lJYW5CbkJqb0dSVlE2QzNKbGMybDZaVWtpRFRJMk1IZ3lOakErQmpzR1ZBPT
0iLCJleHAiOm51bGwsInB1ciI6InZhcmlhdGlvbiJ9fQ==--9726248a94c94b83a5b6cbb2fd58f4294b385e20/hqdefault.jpg\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770228\",\"type\":\"severity\",\"attributes\":{\"rating\":\"none\",\"author_type\":\"User\",\"user_id\":162754,\"created_at\":\"2022-12-06T06:51:19.847Z\"}}},\"weakness\":{\"data\":{\"id\":\"922\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Incomplete Filtering of Special Elements\",\"description\":\"The software receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.\",\"external_id\":\"cwe-791\",\"created_at\":\"2022-07-06T18:27:54.523Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274635\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"APPLE_STORE_APP_ID\",\"asset_identifier\":\"com.jupiterone_demo.ios\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":\"JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)\",\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.589Z\",\"updated_at\":\"2022-12-06T06:48:25.589Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794552\",\"type\":\"report\",\"attributes\":{\"title\":\"CKEditor example directory publicly accessible\",\"main_state\":\"closed\",\"state\":\"not-applicable\",\"created_at\":\"2022-06-06T06:51:14.565Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-06-09T06:51:14.565Z\",\"last_reporter_activity_at\":\"2022-06-06T06:51:14.565Z\",\"first_program_activity_at\":\"2022-12-06T06:51:16.276Z\",\"last_program_activity_at\":\"2022-06-09T06:51:14.565Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-09T06:51:14.565Z\",\"last_activity_at\":\"2022-06-09T06:51:14.565Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":0},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162752\",\"type\":\"user\",\"attributes\":{\"username\":\"mother\",\"name\":\"Mother\",\"disabled\":false,\"created_at\":\"2017-04-26T05:07:10.045Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/2f1273a74e9b17bfb25d433ac78a2686ab083ed12e63d11ca3b31da70eedba66\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/ae82aa5f7be2e05a57516520164b42c77059b741fa7b91258fa363fc588c9569\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/3f43c7f253f127edb432f58178181a228f8af700ed64cecbe47060f84aee1062\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/752/dac78cb1e51ee68aa7f5677dc8b5cec16009fc91_original.jpg/09909021c68b73d00722ce31728426a020f745a6bf973d4addd1ac9acee20496\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\
",\"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770226\",\"type\":\"severity\",\"attributes\":{\"rating\":\"high\",\"author_type\":\"User\",\"user_id\":162752,\"created_at\":\"2022-12-06T06:51:16.164Z\"}}},\"weakness\":{\"data\":{\"id\":\"583\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Generation of Predictable Numbers or Identifiers\",\"description\":\"The product uses a scheme that generates numbers or identifiers that are more predictable than required.\",\"external_id\":\"cwe-340\",\"created_at\":\"2022-07-06T18:06:46.326Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274633\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"legacy.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"high\",\"created_at\":\"2022-12-06T06:48:25.519Z\",\"updated_at\":\"2022-12-06T06:48:25.519Z\",\"reference\":null,\"confidentiality_requirement\":\"medium\",\"integrity_requirement\":\"low\",\"availability_requirement\":\"low\"}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}},{\"id\":\"1794533\",\"type\":\"report\",\"attributes\":{\"title\":\"Unclaimed Amazon S3 bucket leads to marketing subdomain takeover\",\"main_state\":\"closed\",\"state\":\"resolved\",\"created_at\":\"2022-06-06T06:50:22.684Z\",\"vulnerability_information\":\"Start is shared with Moons of Pluto 5.10d, which then climbs the bolted arete on the right.\\nWell bolted all the way (anchor no longer shared with MoP).\\n\\n## Impact\\n\\nSuch 
impact\",\"triaged_at\":null,\"closed_at\":\"2022-06-07T06:50:22.684Z\",\"last_reporter_activity_at\":\"2022-06-06T06:50:22.684Z\",\"first_program_activity_at\":\"2022-12-06T06:50:24.019Z\",\"last_program_activity_at\":\"2022-06-07T06:50:22.684Z\",\"bounty_awarded_at\":null,\"swag_awarded_at\":null,\"disclosed_at\":null,\"reporter_agreed_on_going_public_at\":null,\"last_public_activity_at\":\"2022-06-07T06:50:22.684Z\",\"last_activity_at\":\"2022-06-07T06:50:22.684Z\",\"cve_ids\":[],\"source\":null,\"timer_bounty_awarded_elapsed_time\":null,\"timer_bounty_awarded_miss_at\":null,\"timer_first_program_response_miss_at\":null,\"timer_first_program_response_elapsed_time\":0,\"timer_report_resolved_miss_at\":null,\"timer_report_resolved_elapsed_time\":null,\"timer_report_triage_miss_at\":null,\"timer_report_triage_elapsed_time\":null},\"relationships\":{\"reporter\":{\"data\":{\"id\":\"162753\",\"type\":\"user\",\"attributes\":{\"username\":\"liz\",\"name\":\"Liz\",\"disabled\":false,\"created_at\":\"2017-04-26T05:08:25.577Z\",\"profile_picture\":{\"62x62\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/866ee71cd31a762660c292f5a83c460018409d8ecb48c41a0a6a99f85339baf4\",\"82x82\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/94b3712d9e5abbd36ce7a482476dd87ba5bbd7e8343379fcbab9f3c0fe8b2bb9\",\"110x110\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/4de4742e9f2080cae5560af6ba87bfc10d4615dcad7477b4736323d9aefd0955\",\"260x260\":\"https://profile-photos.hackerone-user-content.com/variants/000/162/753/a2a8a05af93e5241b553ba69ec28a8e561d16566_original.png/86bca9490b71a481329efc85de3a82a98f6c29475f4926fd2b5fc844b96899c0\"},\"bio\":\"\",\"website\":null,\"location\":\"\",\"hackerone_triager\":false}}},\"program\":{\"data\":{\"id\":\"60700\",\
"type\":\"program\",\"attributes\":{\"handle\":\"jupiterone_demo_h1b\",\"created_at\":\"2022-12-06T06:48:21.077Z\",\"updated_at\":\"2023-01-03T16:40:48.593Z\"}}},\"severity\":{\"data\":{\"id\":\"1770207\",\"type\":\"severity\",\"attributes\":{\"rating\":\"medium\",\"author_type\":\"User\",\"user_id\":162753,\"created_at\":\"2022-12-06T06:50:23.866Z\"}}},\"weakness\":{\"data\":{\"id\":\"102\",\"type\":\"weakness\",\"attributes\":{\"name\":\"Client-Side Enforcement of Server-Side Security\",\"description\":\"The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.\",\"external_id\":\"cwe-602\",\"created_at\":\"2017-03-10T18:53:51.436Z\"}}},\"structured_scope\":{\"data\":{\"id\":\"274632\",\"type\":\"structured-scope\",\"attributes\":{\"asset_type\":\"URL\",\"asset_identifier\":\"api.jupiterone.com\",\"eligible_for_bounty\":true,\"eligible_for_submission\":true,\"instruction\":null,\"max_severity\":\"critical\",\"created_at\":\"2022-12-06T06:48:25.488Z\",\"updated_at\":\"2022-12-06T06:48:25.488Z\",\"reference\":null}}},\"bounties\":{\"data\":[]},\"custom_field_values\":{\"data\":[]}}}],\"links\":{\"self\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=3\",\"first\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=1\",\"prev\":\"https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=jupiterone_demo_h1b\\u0026page%5Bnumber%5D=2\"}}" }, "cookies": [], "headers": [ { "name": "date", - "value": "Mon, 19 Dec 2022 23:02:32 GMT" + "value": "Mon, 23 Jan 2023 10:02:12 GMT" }, { "name": "content-type", @@ -354,7 +797,7 @@ }, { "name": "connection", - "value": "close" + "value": "keep-alive" }, { "name": "vary", 
@@ -362,11 +805,11 @@ }, { "name": "x-request-id", - "value": "c301cb1c-bc85-490c-af52-4f5553ab0265" + "value": "6ffcbd75-3174-4a61-a35c-6aa22dac1c45" }, { "name": "etag", - "value": "W/\"382fcaa7119aa9daa6a9feda4a198b65\"" + "value": "W/\"2ad09b624fee4df0e6f94ce078cd12d7\"" }, { "name": "cache-control", 
@@ -406,7 +849,7 @@ }, { "name": "content-security-policy", - "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" + "value": "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src www.youtube-nocookie.com; connect-src 'self' errors.hackerone.net *.browser-intake-datadoghq.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src hackerone.integration-configuration.com api-60d81e65.duosecurity.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; media-src 'self' marketing-assets.hackerone-user-content.com hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/security/?sentry_key=374aea95847f4040a69f9c8d49a3a59d&sentry_environment=production" }, { "name": "cf-cache-status", 
@@ -418,17 +861,17 @@
 },
 {
 "name": "cf-ray",
- "value": "77c3c42c480a27d8-SLC"
+ "value": "78dfb1390efe0448-HKG"
 }
 ],
- "headersSize": 1514,
+ "headersSize": 1563,
 "httpVersion": "HTTP/1.1",
 "redirectURL": "",
 "status": 200,
 "statusText": "OK"
 },
- "startedDateTime": "2022-12-19T23:02:30.857Z",
- "time": 1426,
+ "startedDateTime": "2023-01-23T10:02:10.367Z",
+ "time": 1682,
 "timings": {
 "blocked": -1,
 "connect": -1,
@@ -436,7 +879,7 @@
 "receive": 0,
 "send": 0,
 "ssl": -1,
- "wait": 1426
+ "wait": 1682
 }
 }
 ],
diff --git a/src/steps/report/converter.ts b/src/steps/report/converter.ts
index 1b2d744..4574b21 100644
--- a/src/steps/report/converter.ts
+++ b/src/steps/report/converter.ts
@@ -1,5 +1,6 @@
 import {
 createMappedRelationship,
+ Entity,
 parseTimePropertyValue,
 Relationship,
 RelationshipClass,
@@ -11,7 +12,6 @@ import {
 AttackEntity,
 FindingEntity,
 FindingWeaknessRelationship,
- ProgramEntity,
 Report,
 ReportAttributes,
 ReportRelationships,
@@ -24,6 +24,7 @@ import {
 export function createFindingEntity(report: Report): FindingEntity {
 const attributes: ReportAttributes = report.attributes;
 const relationships: ReportRelationships = report.relationships;
+ const structuredScopeId = report.relationships.structured_scope?.data.id;
 
 let details;
 if (relationships.severity) {
@@ -32,7 +33,7 @@ export function createFindingEntity(report: Report): FindingEntity {
 {};
 details = {
 severity: severity.rating,
- score: severity.score ?? 0,
+ score: severity.score,
 scope: severity.scope,
 numericSeverity: severity.score ?? 0,
 vector: severity.attack_vector,
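Review bot: In the `@@ -32,7 +33,7 @@` hunk `score` now carries `undefined` when the severity has no score, but `numericSeverity` two lines below still defaults to `0`, so the same finding reports "no score" in one property and a real rating of 0 in the other. A query or alert keyed on `numericSeverity` cannot distinguish an unscored report from a genuinely zero-rated one, while `score` now can. If the Finding schema allows it, make the two agree with `numericSeverity: severity.score,`; if `numericSeverity` has to stay numeric, a comment on that line such as `// 0 here means "no score assigned", not a CVSS 0` would keep the next reader from treating it as a rating. `createFindingEntity` continues outside this hunk, so whether `structuredScopeId` from the `@@ -24,6 +24,7 @@` hunk is used cannot be confirmed here.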
@@ -91,17 +92,60 @@ export function createFindingEntity(report: Report): FindingEntity {
relationships.reporter.data.attributes) || {};
+ let impact;
+ if (attributes.vulnerability_information.includes('## Impact')) {
+ const impactString =
+ attributes.vulnerability_information.split('## Impact');
+ if (impactString.length > 1) {
+ impact = impactString[1].replace(/[\n\r]/g, '');
+ }
+ }
+
+ let remediation;
+ if (attributes.vulnerability_information.includes('# Remediation')) {
+ const remediationString =
+ attributes.vulnerability_information.split('# Remediation');
+ remediation = remediationString[1].replace(/[\n\r]/g, '').split('#');
+ if (remediation.length > 1) {
+ remediation = remediation[0].replace(/[\n\r]/g, '');
+ }
+ }
+
+ let reference;
+ if (relationships.weakness?.data.attributes.external_id.startsWith('cwe-')) {
+ reference = `https://cwe.mitre.org/data/definitions/${
+ relationships.weakness?.data.attributes.external_id.split('-')[1]
+ }.html`;
+ } else if (
+ relationships.weakness?.data.attributes.external_id.startsWith('cve-')
+ ) {
+ reference = `https://nvd.nist.gov/vuln/detail/${
+ relationships.weakness?.data.attributes.external_id.split('-')[1]
+ }`;
+ }
+
+ let isCve, isCwe;
+ if (relationships.weakness?.data.attributes.external_id) {
+ isCve = relationships.weakness?.data.attributes.external_id
+ .toLowerCase()
+ .startsWith('cve-');
+ isCwe = relationships.weakness?.data.attributes.external_id
+ .toLowerCase()
+ .startsWith('cwe-');
+ }
+
return {
_class: Entities.REPORT._class,
_key: `hackerone-report-${report.id}`,
_type: Entities.REPORT._type,
id: report.id,
type: report.type,
- title: attributes.title,
- name: attributes.title,
+ name: relationships.weakness?.data.attributes.name || attributes.title,
category: 'other',
displayName: attributes.title,
- details: attributes.vulnerability_information,
+ description:
+ relationships.weakness?.data.attributes.description ||
+ attributes.vulnerability_information,
state: attributes.state,
open: attributes.state === 'new' ||
@@ -126,13 +170,20 @@ export function createFindingEntity(report: Report): FindingEntity {
webLink: `https://hackerone.com/bugs?report_id=${report.id}`,
scope: details.scope,
targets: [target],
+ structuredScopeId,
+
+ impact,
+ isCve,
+ isCwe,
+ recommendations: remediation,
+ reference,
...details,
};
}
export function createProgramReportedFindingRelationship(
- program: ProgramEntity,
- finding: FindingEntity,
+ program: Entity,
+ finding: Entity,
): ServiceFindingRelationship {
return {
_class: RelationshipClass.IDENTIFIED,
@@ -178,7 +229,7 @@ export function createFindingToVulnRelationship(
export function createWeaknessEntity(
weakness: Weakness,
): WeaknessEntity | AttackEntity | undefined {
- const attributes = weakness.attributes;
+ const attributes = weakness.data.attributes;
if (attributes && attributes.external_id) {
const id = attributes.external_id.toLowerCase();
if (id.startsWith('cwe-')) {
diff --git a/src/steps/report/index.test.ts b/src/steps/report/index.test.ts
index 8d28755..cd6fabd 100644
--- a/src/steps/report/index.test.ts
+++ b/src/steps/report/index.test.ts
@@ -8,7 +8,8 @@ let recording: Recording;
afterEach(async () => {
await recording.stop();
});
-test.skip('fetch-reports', async () => {
+
+test('fetch-reports', async () => {
recording = setupProjectRecording({
directory: __dirname,
name: 'fetch-reports',
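Review bot: the `cve-` branch builds the reference from `external_id.split('-')[1]`, which for an id of the form `cve-YYYY-NNNN` is only the year, so the NVD link points at the wrong page; NVD is keyed by the full identifier, `https://nvd.nist.gov/vuln/detail/${externalId.toUpperCase()}`. The same block compares `startsWith('cwe-')` case-sensitively while `isCve`/`isCwe` lower-case first, so an upper-case `CWE-79` sets `isCwe` but gets no `reference`; normalising the id once removes both problems (sketch below). `remediation` is also left as a one-element array when the section has no following `#` heading, so `recommendations` is sometimes a string and sometimes `string[]`; `remediation = remediationString[1].split('#')[0].replace(/[\n\r]/g, '');` gives it one type. Replacing newlines with `''` glues adjacent lines together in both `impact` and `remediation`; `' '` would keep the text readable. createFindingEntity starts before this hunk and its return object continues in the next one.
```typescript
// Normalise once: external_id may be upper- or lower-case, and the old type allowed it to be absent.
const externalId =
  relationships.weakness?.data.attributes.external_id?.toLowerCase();

let reference;
if (externalId?.startsWith('cwe-')) {
  // MITRE pages are keyed by the numeric part only.
  reference = `https://cwe.mitre.org/data/definitions/${externalId.slice('cwe-'.length)}.html`;
} else if (externalId?.startsWith('cve-')) {
  // NVD is keyed by the full CVE id, not the year.
  reference = `https://nvd.nist.gov/vuln/detail/${externalId.toUpperCase()}`;
}

const isCve = externalId?.startsWith('cve-');
const isCwe = externalId?.startsWith('cwe-');
// … unchanged: return { … } …
```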
@@ -16,5 +17,29 @@ test.skip('fetch-reports', async () => {
const stepConfig = buildStepTestConfigForStep(Steps.REPORTS);
const stepResult = await executeStepWithDependencies(stepConfig);
+
+ const { collectedEntities, collectedRelationships } = stepResult;
+
+ expect(
+ collectedEntities.some((entity) => entity._type === 'hackerone_report'),
+ ).toBe(true);
+ expect(
+ collectedRelationships.some(
+ (relationship) =>
+ relationship._type === 'hackerone_program_reported_finding',
+ ),
+ ).toBe(true);
+});
+
+test('build-program-assets-reports-relationships', async () => {
+ recording = setupProjectRecording({
+ directory: __dirname,
+ name: 'build-program-assets-reports-relationships',
+ });
+
+ const stepConfig = buildStepTestConfigForStep(
+ Steps.PROGRAM_ASSETS_REPORTS_RELATIONSHIPS,
+ );
+ const stepResult = await executeStepWithDependencies(stepConfig);
expect(stepResult).toMatchStepMetadata(stepConfig);
});
diff --git a/src/steps/report/index.ts b/src/steps/report/index.ts
index a234d96..f0fd37a 100644
--- a/src/steps/report/index.ts
+++ b/src/steps/report/index.ts
@@ -1,6 +1,9 @@
import {
+ createDirectRelationship,
+ getRawData,
IntegrationStep,
IntegrationStepExecutionContext,
+ RelationshipClass,
} from '@jupiterone/integration-sdk-core';
import { IntegrationConfig } from '../../config';
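Review bot: the `fetch-reports` test now closes right after the two `.some(...)` assertions, so the `expect(stepResult).toMatchStepMetadata(stepConfig);` line that used to end it only runs for the new `build-program-assets-reports-relationships` test. As far as the SDK's matcher goes, that is the check that validates the collected entities against the step's declared metadata, which is exactly where the new `impact`, `reference` and `recommendations` properties would be exercised; a `_type` existence check does not cover them. Adding `expect(stepResult).toMatchStepMetadata(stepConfig);` before the first `});` restores it.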
@@ -19,49 +22,90 @@ import {
createWeaknessEntity,
} from './converter';
import { createAPIClient } from '../../client';
-import { PROGRAM_ENTITY_KEY } from '../program';
-import { FindingEntity, ProgramEntity } from '../../types';
+import { FindingEntity, HackerOneProgram } from '../../types';
+import { getProgramAssetKey } from '../program-asset/converter';
export async function fetchReports({
jobState,
+ logger,
instance,
}: IntegrationStepExecutionContext) {
const { config } = instance;
const apiClient = createAPIClient(config);
- await apiClient.iterateReports(
- config.hackeroneProgramHandle,
- async (report) => {
- const findingEntity = (await jobState.addEntity(
- createFindingEntity(report),
- )) as FindingEntity;
+ await jobState.iterateEntities(
+ { _type: Entities.PROGRAM._type },
+ async (programEntity) => {
+ const program = getRawData(programEntity);
- const programEntity = (await jobState.getData(
- PROGRAM_ENTITY_KEY,
- )) as ProgramEntity;
+ if (!program) {
+ logger.warn(
+ `Can not get raw data for program entity ${programEntity._key}`,
+ );
+ return;
+ }
- await jobState.addRelationship(
- createProgramReportedFindingRelationship(programEntity, findingEntity),
- );
+ await apiClient.iterateReports(
+ program.attributes.handle,
+ async (report) => {
+ const findingEntity = (await jobState.addEntity(
+ createFindingEntity(report),
+ )) as FindingEntity;
- for (const cveId of report.attributes.cve_ids || []) {
- const vuln = createVulnerabilityEntity(cveId);
- if (vuln) {
await jobState.addRelationship(
- createFindingToVulnRelationship(findingEntity, vuln),
+ createProgramReportedFindingRelationship(
+ programEntity,
+ findingEntity,
+ ),
);
- }
- }
- if (report.relationships.weakness) {
- const weaknessEntity = createWeaknessEntity(
- report.relationships.weakness,
+ for (const cveId of report.attributes.cve_ids || []) {
+ const vuln = createVulnerabilityEntity(cveId);
+ if (vuln) {
+ await jobState.addRelationship(
+ createFindingToVulnRelationship(findingEntity, vuln),
+ );
+ }
+ }
+
+ if (report.relationships.weakness) {
+ const weaknessEntity = createWeaknessEntity(
+ report.relationships.weakness,
+ );
+ if (weaknessEntity) {
+ await jobState.addRelationship(
+ createFindingWeaknessRelationship(
+ findingEntity,
+ weaknessEntity,
+ ),
+ );
+ }
+ }
+ },
+ );
+ },
+ );
+}
+
+export async function buildFindingAssetRelationships({
+ jobState,
+}: IntegrationStepExecutionContext) {
+ await jobState.iterateEntities(
+ { _type: Entities.REPORT._type },
+ async (findingEntity: FindingEntity) => {
+ const structuredScopeId = findingEntity.structuredScopeId;
+ const programAssetEntity = structuredScopeId
+ ? await jobState.findEntity(getProgramAssetKey(structuredScopeId))
+ : undefined;
+
+ if (programAssetEntity) {
+ await jobState.addRelationship(
+ createDirectRelationship({
+ _class: RelationshipClass.HAS,
+ from: programAssetEntity,
+ to: findingEntity,
+ }),
);
- if (weaknessEntity) {
- await jobState.addRelationship(
- createFindingWeaknessRelationship(findingEntity, weaknessEntity),
- );
- }
}
},
);
@@ -77,7 +121,15 @@ export const reportSteps: IntegrationStep[] = [
MappedRelationships.FINDING_EXPLOITS_WEAKNESS,
MappedRelationships.FINDING_IS_VULNERABILITY,
],
- dependsOn: [Steps.PROGRAM],
+ dependsOn: [Steps.PROGRAMS, Steps.PROGRAM_ASSETS],
executionHandler: fetchReports,
},
+ {
+ id: Steps.PROGRAM_ASSETS_REPORTS_RELATIONSHIPS,
+ name: 'Build Program Assets and Reports Relationships',
+ entities: [],
+ relationships: [Relationships.PROGRAM_ASSET_HAS_FINDING],
+ dependsOn: [Steps.REPORTS, Steps.PROGRAM_ASSETS],
+ executionHandler: buildFindingAssetRelationships,
+ },
];
diff --git a/src/types.ts b/src/types.ts
index 8226fea..b053f83 100644
--- a/src/types.ts
+++ b/src/types.ts
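Review bot: `HackerOneProgram` is imported on the new `../../types` line but `getRawData(programEntity)` is called without a type argument, so `program.attributes.handle` is either untyped or, depending on getRawData's default type parameter, does not compile at all; `const program = getRawData<HackerOneProgram>(programEntity);` ties the import to its use. The `if (!program)` branch warns and returns, which silently drops every report of that program, so a comment such as `// a program entity without raw data cannot be queried; its reports are skipped` would make that consequence explicit. In `buildFindingAssetRelationships`, a report whose `structuredScopeId` resolves to no `hackerone_program_asset` entity is dropped without any log line; a `logger.debug` on that branch would make missing-asset cases visible during support. The `reportSteps` array these handlers are registered in starts in the next hunk, outside this one.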
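Review bot: the fetch step's `dependsOn: [Steps.PROGRAMS, Steps.PROGRAM_ASSETS]` lists `PROGRAM_ASSETS` although `fetchReports` only iterates `hackerone_program` entities; the asset dependency belongs to the new relationship step, which already declares it. If the extra dependency is deliberate, for example to order the API calls, a comment such as `// PROGRAM_ASSETS is listed only to serialize API calls, not for data` would stop the next reader from removing it. `reportSteps` starts before this hunk.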
@@ -37,6 +37,7 @@ export interface FindingEntity extends Entity {
totalAmountAwarded?: number;
hackerAlias: string;
hackerProfilePic?: string;
+ structuredScopeId?: string;
}
export interface VulnerabilityEntity extends Entity {
@@ -116,13 +117,15 @@ export interface Severity {
}
export interface Weakness {
- id: string;
- type?: string;
- attributes: {
- name: string;
- description: string;
- external_id?: string;
- created_at: Date;
+ data: {
+ id: string;
+ type?: string;
+ attributes: {
+ name: string;
+ description: string;
+ external_id: string;
+ created_at: Date;
+ };
};
}
@@ -152,8 +155,46 @@ export interface Bounty {
export interface StructuredScope {
data: {
+ id: string;
attributes: {
asset_identifier: string;
};
};
}
+
+export interface HackerOneOrganization {
+ id: string;
+ type: string;
+ attributes: {
+ handle: string;
+ created_at: string;
+ updated_at: string;
+ };
+}
+
+export interface HackerOneProgram {
+ id: string;
+ type: string;
+ attributes: {
+ handle: string;
+ policy: string;
+ created_at: string;
+ updated_at: string;
+ };
+}
+
+export interface HackerOneStructuredScope {
+ id: string;
+ type: string;
+ attributes: {
+ asset_type: string;
+ asset_identifier: string;
+ eligible_for_bounty: boolean;
+ eligible_for_submission: boolean;
+ instruction: string;
+ max_severity: string;
+ created_at: string;
+ updated_at: string;
+ reference: string;
+ };
+}
diff --git a/yarn.lock b/yarn.lock
index 28a96e3..5633045 100644
--- a/yarn.lock
+++ b/yarn.lock
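Review bot: `Weakness.data.attributes.created_at` is typed `Date` while the three interfaces added in the next hunk type their `created_at`/`updated_at` as `string`; if these objects come straight from the parsed API response, as the `string` fields suggest, `Date` is wrong and callers receive a string under a `Date` type. Changing it to `created_at: string;` matches the siblings. The hunk also turns `external_id` from optional into required; `createWeaknessEntity` in converter.ts still null-checks it, but the new `startsWith` calls in `createFindingEntity` rely on the type, so if the API can omit the field the type now hides a runtime throw — a comment stating whether the API guarantees it would settle that.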
@@ -4519,6 +4519,13 @@ nock@^13.2.1:
lodash "^4.17.21"
propagate "^2.0.0"
+node-fetch@2:
+ version "2.6.8"
+ resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.6.8.tgz#a68d30b162bc1d8fd71a367e81b997e1f4d4937e"
+ integrity sha512-RZ6dBYuj8dRSfxpUSu+NsdF1dpPpluJxwOp+6IoDp/sH2QNDSvurYsAa+F1WxY2RjA1iP93xhcsUoYbF2XBqVg==
+ dependencies:
+ whatwg-url "^5.0.0"
+
node-fetch@2.6.7, node-fetch@^2.6.7:
version "2.6.7"
resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.6.7.tgz#24de9fba827e3b4ae44dc8b20256a379160052ad"