diff --git a/lib/bounty-targets/hackenproof.rb b/lib/bounty-targets/hackenproof.rb
index 75f73a7..187e4a2 100644
--- a/lib/bounty-targets/hackenproof.rb
+++ b/lib/bounty-targets/hackenproof.rb
@@ -35,19 +35,19 @@ def directory_index
 programs = []
 ::Kernel.loop do
- document = ::Nokogiri::HTML(::SsrfFilter.get("https://hackenproof.com/programs?page=#{page}").body)
- programs.concat(document.css('div.bounty-programs-list--items').map do |node|
- link = node.css('div.program-title a').first
+ document = ::JSON.parse(::SsrfFilter.get("https://hackenproof.com/bug-bounty-programs-list?page=#{page}").body)
+ programs.concat(document['programs'].map do |program|
 {
- id: link.attributes['href'].value,
- name: link.inner_text.strip,
- url: URI.join('https://hackenproof.com', link.attributes['href'].value).to_s,
- archived: node.classes.include?('archived-program'),
- triaged_by_hackenproof: !node.css('.triaged-by').empty?
+ id: program['id'],
+ name: program['program_name'].strip,
+ slug: program['slug'],
+ url: "https://hackenproof.com/programs/#{program['slug']}",
+ archived: program['status'] == 'archived',
+ triaged_by_hackenproof: program['managed_by_company_name'] == 'HackenProof'
 }
 end)
- break if document.css('.next').empty?
+ break if document['next_page'].nil?
 page += 1
 end
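Review bot: The new `directory_index` body calls `document['programs'].map` and `program['program_name'].strip` without guarding against a missing key or a nil name, so an API response that omits either raises NoMethodError instead of a message that names the problem; `programs.concat(Array(document['programs']).map do |program|` and `name: program['program_name'].to_s.strip,` keep the same output for well-formed data. `::JSON.parse` is also applied to the body regardless of response status, so a rate-limit or error page surfaces as a JSON::ParserError with no status code in it — checking `response.code` before parsing, as the old `program_scopes` did, would keep that diagnostic. Finally, `break if document['next_page'].nil?` ends pagination silently if the field is ever renamed, which would truncate the listing without an error; comparing against `total_pages` (present in the fixtures) or logging the stop reason would make that visible. The enclosing method starts and ends outside this hunk.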
@@ -57,38 +57,31 @@ def directory_index
 def program_scopes(program)
 retryable do
- response = ::SsrfFilter.get(program[:url])
- raise StandardError, "#{response.code} response from Hackenproof" unless response.code == '200'
-
- document = ::Nokogiri::HTML(response.body)
- h4s = document.css('div#in_scope h4')
+ response = ::JSON.parse(::SsrfFilter.get("https://hackenproof.com/bug-bounty-programs-list/#{program[:slug]}").body)
+ grouped = response['scopes'].group_by do |scope|
+ scope['out_of_scope']
+ end
 {
 targets: {
- in_scope: scopes_to_hashes(h4s[0]),
- out_of_scope: scopes_to_hashes(h4s[1])
+ in_scope: (grouped[false] || []).map do |scope|
+ normalize_scope(scope)
+ end,
+ out_of_scope: (grouped[true] || []).map do |scope|
+ normalize_scope(scope)
+ end
 }
 }
 end
 end
- def scopes_to_hashes(tag)
- return [] unless tag
-
- table = ::Kernel.loop do
- tag = tag.next
- break tag if tag.name == 'table'
- end
-
- table.css('tbody > tr').map do |row|
- scopes_target = row.css('.scopes-target-inner')
- {
- target: scopes_target.css('h5').remove.inner_text.strip,
- type: row.css('.type-cell').inner_text.strip,
- instruction: scopes_target.inner_text.strip,
- severity: row.css('.severity-cell').inner_text.strip,
- reward: row.css('.reward-cell').inner_text.strip
- }
- end
+ def normalize_scope(scope)
+ {
+ target: scope['target'],
+ type: scope['type'],
+ instruction: (scope['target_description'] || '').strip,
+ severity: scope['severity'],
+ reward: scope['reward_type']
+ }
 end
 end
 end
diff --git a/spec/bounty-targets/hackenproof_spec.rb b/spec/bounty-targets/hackenproof_spec.rb
index ad0e040..a991ecf 100644
--- a/spec/bounty-targets/hackenproof_spec.rb
+++ b/spec/bounty-targets/hackenproof_spec.rb
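Review bot: `program[:slug]` is interpolated straight into the request path in the new `program_scopes`, and it originates from the directory listing's JSON, i.e. third-party data; a slug containing `/`, `?`, `#` or `..` would change which path on hackenproof.com is fetched rather than producing an error. The fixtures show slugs like `polygon-pos`, so an anchored allowlist check before building the URL is cheap: `raise ArgumentError, "invalid slug: #{program[:slug].inspect}" unless program[:slug].to_s.match?(/\A[\w-]+\z/)` (use `\A`/`\z`, not `^`/`$`, so the whole string is validated; widen the class if real slugs use other characters). The old `response.code == '200'` check was dropped too, so a 5xx with an HTML body now reaches `retryable` as a JSON::ParserError instead of the status-bearing StandardError it used to raise — restoring the status check keeps the error meaningful, and `Array(response['scopes']).group_by` would tolerate a missing `scopes` key without changing the result for valid data.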
@@ -8,61 +8,43 @@ end
 it 'fetches a list of programs' do
- stub_request(:get, %r{/programs\?page=1}).with(headers: {host: 'hackenproof.com'}).to_return(status: 200,
- body: File.read('spec/fixtures/hackenproof/programs_1.html'))
- stub_request(:get, %r{/programs\?page=2}).with(headers: {host: 'hackenproof.com'}).to_return(status: 200,
- body: File.read('spec/fixtures/hackenproof/programs_2.html'))
+ stub_request(:get, %r{/bug-bounty-programs-list\?page=1}).with(headers: {host: 'hackenproof.com'}).to_return(status:
+ 200, body: File.read('spec/fixtures/hackenproof/programs_1.json'))
+ stub_request(:get, %r{/bug-bounty-programs-list\?page=2}).with(headers: {host: 'hackenproof.com'}).to_return(status:
+ 200, body: File.read('spec/fixtures/hackenproof/programs_2.json'))
 expect(client.directory_index).to eq(
- [{id: '/hacken/hackenproof', name: 'HackenProof', url: 'https://hackenproof.com/hacken/hackenproof',
- archived: false, triaged_by_hackenproof: true},
- {id: '/kuna/kuna-crypto-exchange', name: 'Kuna Crypto Exchange',
- url: 'https://hackenproof.com/kuna/kuna-crypto-exchange', archived: false, triaged_by_hackenproof: true},
- {id: '/vechain/vechainthor', name: 'VeChainThor', url: 'https://hackenproof.com/vechain/vechainthor',
- archived: false, triaged_by_hackenproof: true},
- {id: '/vechain/vechainthor-wallet', name: 'VeChainThor Wallet',
- url: 'https://hackenproof.com/vechain/vechainthor-wallet', archived: false, triaged_by_hackenproof: true},
- {id: '/gate-dot-io/gate-dot-io-exchange', name: 'Gate.io Exchange', url:
- 'https://hackenproof.com/gate-dot-io/gate-dot-io-exchange', archived: false, triaged_by_hackenproof: false},
- {id: '/coingecko/coingecko', name: 'CoinGecko', url: 'https://hackenproof.com/coingecko/coingecko',
- archived: false, triaged_by_hackenproof: true},
- {id: '/p2pb2b/p2pb2b', name: 'P2PB2B', url: 'https://hackenproof.com/p2pb2b/p2pb2b',
- archived: false, triaged_by_hackenproof: false},
- {id: '/coinsbit/coinsbit', name: 'Coinsbit', url: 'https://hackenproof.com/coinsbit/coinsbit',
- archived: false, triaged_by_hackenproof: false},
- {id: '/hotbit/hotbit', name: 'Hotbit', url: 'https://hackenproof.com/hotbit/hotbit',
- archived: false, triaged_by_hackenproof: true},
- {id: '/whitebit/whitebit', name: 'WhiteBIT', url: 'https://hackenproof.com/whitebit/whitebit',
- archived: false, triaged_by_hackenproof: false},
- {id: '/vechain/vechainthor-vip191', name: 'VeChainThor VIP191',
- url: 'https://hackenproof.com/vechain/vechainthor-vip191', archived: true, triaged_by_hackenproof: false}]
+ [
+ {
+ archived: true,
+ id: '63517622fd18045e8d9b72bc',
+ name: 'VirtuSwap DEX APP',
+ slug: 'virtuswap-dex-app-1',
+ triaged_by_hackenproof: true,
+ url: 'https://hackenproof.com/programs/virtuswap-dex-app-1'
+ }
+ ]
 )
 end
 it 'fetches program scopes' do
- scopes = File.read('spec/fixtures/hackenproof/scopes.html')
- stub_request(:get, %r{/hacken/hackenproof}).with(headers: {host: 'hackenproof.com'})
+ scopes = File.read('spec/fixtures/hackenproof/scopes.json')
+ stub_request(:get, %r{/bug-bounty-programs-list/my-program}).with(headers: {host: 'hackenproof.com'})
 .to_return(status: 200, body: scopes)
- expect(client.program_scopes(url: 'https://hackenproof.com/hacken/hackenproof')).to eq(
- targets: {
- in_scope: [
- {
- instruction: 'HackenProof main site',
- reward: 'Bounty',
- type: 'Web',
- target: 'hackenproof.com',
- severity: 'Critical'
- }
- ],
- out_of_scope: [
- {
- target: 'blog.hackenproof.com',
- type: 'Web',
- instruction: 'Our Blog',
- severity: 'None',
- reward: ''
- }
- ]
+ expect(client.program_scopes(slug: 'my-program')).to eq(
+ {
+ targets: {
+ in_scope: [
+ {
+ instruction: 'Polygon POS - Heimdall',
+ reward: 'Bounty',
+ severity: 'Critical',
+ type: 'Other',
+ target: 'https://github.com/maticnetwork/heimdall/'
+ }
+ ],
+ out_of_scope: []
+ }
 }
 )
 end
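Review bot: The new scopes fixture contains a single scope with `out_of_scope: false`, so the `grouped[true]` branch in `program_scopes` is only exercised through its `|| []` fallback and the mapping of an out-of-scope entry through `normalize_scope` is never asserted; adding one `"out_of_scope": true` entry to `spec/fixtures/hackenproof/scopes.json` and the matching expected hash would cover it. As a point of style, the two new `stub_request` lines wrap after `status:` so that `200, body: ...` sits alone on the continuation line and reads like a positional argument; breaking before the chained call keeps keyword and value together, e.g. `stub_request(:get, %r{/bug-bounty-programs-list\?page=1}).with(headers: {host: 'hackenproof.com'})` followed by `.to_return(status: 200, body: File.read('spec/fixtures/hackenproof/programs_1.json'))`, which is the shape the scopes example already uses.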
diff --git a/spec/fixtures/hackenproof/programs_1.html b/spec/fixtures/hackenproof/programs_1.html deleted file mode 100644 index 4a92b95..0000000 --- a/spec/fixtures/hackenproof/programs_1.html +++ /dev/null @@ -1,1787 +0,0 @@ - - - - -Crypto Bug Bounty Programs 2022 | HackenProof - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
-
- - -
-
- -
- -
- -
-
-
-
-

Bug Bounty Programs 2022

-Explore all HackenProof’s programs below or filter the tech
stack you work best with: let the bug hunt begin!
-
-
-
-
Total bug bounty
-
37
-
-
-
Money for reward
-
$ 553 660
-
-
-
Total received reports
-
5730
-
-
-
-
-
-
-
-
- -
Select types
-
-All - -web - -mobile - -blockchain - -smart contract - -desktop - -API - -database - -infrastructure - -
- - -
-
- -
Select categories
-
-All - -Network - -Infrastructure - -Tools - -DeFi - -CEX - -DEX - -Protocol - -Platform - -Wallet - -NFT - -GameFi - -
- - -
-
- -
Sort by
-
-
-
-Added: Oldest to Newest -
-
-
-
-Added: Newest to Oldest -
-
-
- -
- -
-
-
-
-
-
-
- -
-
-
-
-HackenProof - -
-$ 1,500 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-Explore program -
-
-
-
-
-
-HackenProof - -
-$ 1,500 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-
-
-
-

-HackenProof is a Bug Bounty and Vulnerability Coordination Platform. We connect our customers with the global hacker community to uncover security issues in their products. By running custom-tailored bug bounty programs we help our customers significantly reduce the risk of losing their data to cybercriminals. - -

- -
-
-
-
-Category -
-
- -Infrastructure -
-
- -Platform -
-
-
-
-Type -
- -web - -
-
-
-
-
-
-Duration -09 Oct 2019 -- - -
-
-

- -Submitted reports -583 - - -Hackers -246 - -

- -Total rewarded -$13496.57 - -
-

-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-Kuna Crypto Exchange - -
-$ 5,000 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-Explore program -
-
-
-
-
-
-Kuna Crypto Exchange - -
-$ 5,000 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-
-
-
-

-The first public crypto exchange, which launched the development of basic infrastructure for the innovative finteсh-projects both in Ukraine and in foreign markets. TOP cryptocurrencies and tokens, high level of security and reliability, user-friendly interface, advanced API and respectful customer support round the clock. - -

- -
-
-
-
-CyberSec rating -
- -
-
- -
-C -
-
-Category -
-
- -DEX -
-
- -CEX -
-
- -Tools -
-
- -Infrastructure -
-
- -Platform -
-
-
-
-Type -
- -web - -
-
-
-
-
-
-Duration -21 Jan 2020 -- - -
-
-

- -Submitted reports -388 - - -Hackers -230 - -

- -Total rewarded -$8898.3 - -
-

-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-VeChainThor - -
-$ 10,000 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-Explore program -
-
-
-
-
-
-VeChainThor - -
-$ 10,000 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-
-
-
-

-Cybersecurity of the company and the security of our users' data is a top priority for -us, therefore VeChain launched a bug bounty program to find vulnerabilities and pay -rewards. - -

- -
-
-
-
-Type -
- -blockchain - -
-
-
-
-
-
-Duration -22 Aug 2019 -- - -
-
-

- -Submitted reports -36 - - -Hackers -23 - -

- -Total rewarded -$696.15 - -
-

-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-VeChainThor Wallet - -
-$ 3,000 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-Explore program -
-
-
-
-
-
-VeChainThor Wallet - -
-$ 3,000 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-
-
-
-

-Cybersecurity of the company and the security of our users' data is a top priority for -us, therefore VeChain launched a bug bounty program to find vulnerabilities and pay -rewards. - -

- -
-
-
-
-Category -
-
- -Wallet -
-
- -Infrastructure -
-
-
-
-Type -
- -mobile - -
-
-
-
-
-
-Duration -22 Aug 2019 -- - -
-
-

- -Submitted reports -34 - - -Hackers -24 - -

- -Total rewarded -$300.0 - -
-

-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-Gate.io Exchange - -
-$ 5,000 -
-
-Explore program -
-
-
-
-
-
-Gate.io Exchange - -
-$ 5,000 -
-
-
-
-
-

-Gate.io is one of the oldest cryptocurrency exchanges from China operating since 2013. - -

- -
-
-
-
-CyberSec rating -
- -
-
- -
-BBB -
-
-Category -
-
- -Platform -
-
- -DEX -
-
- -CEX -
-
-
-
-Type -
- -web - - -mobile - - -desktop - -
-
-
-
-
-
-Duration -19 Aug 2021 -- - -
-
-

- -Submitted reports -178 - - -Hackers -99 - -

- -Total rewarded -$2650.0 - -
-

-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-CoinGecko - -
-$ 1,500 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-Explore program -
-
-
-
-
-
-CoinGecko - -
-$ 1,500 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-
-
-
-

-CoinGecko provides a fundamental analysis of the crypto market. In addition to tracking price, volume and market capitalization, CoinGecko tracks community growth, open-source code development, major events and on-chain metrics. - -

- -
-
-
-
-Category -
-
- -Infrastructure -
-
- -Platform -
-
- -NFT -
-
- -Tools -
-
-
-
-Type -
- -web - - -mobile - -
-
-
-
-
-
-Duration -17 Jan 2021 -- - -
-
-

- -Submitted reports -184 - - -Hackers -112 - -

- -Total rewarded -$1700.0 - -
-

-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-P2PB2B - -
-$ 1,000 -
-
-Explore program -
-
-
-
-
-
-P2PB2B - -
-$ 1,000 -
-
-
-
-
-

-P2PB2B is an advanced cryptocurrency exchange that works for the benefit of its users. In order to make your trading even more convenient and safe, the platform has all the necessary features and tools. - -

- -
-
-
-
-Category -
-
- -Platform -
-
- -Tools -
-
-
-
-Type -
- -web - -
-
-
-
-
-
-Duration -11 Mar 2021 -- - -
-
-

- -Submitted reports -69 - - -Hackers -41 - -

- -Total rewarded -$1800.0 - -
-

-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-Coinsbit - -
-$ 1,200 -
-
-Explore program -
-
-
-
-
-
-Coinsbit - -
-$ 1,200 -
-
-
-
-
-

-Launched in August 2018, Coinsbit is a centralized exchange based in Estonia. The team claims that the number of Coinsbit users is 2,000,000. Coinsbit supports cryptocurrency pairs, 6+ fiat gateways and OTC trading, as well as P2P-lending platform. - -

- -
-
-
-
-CyberSec rating -
- -
-
- -
-BB -
-
-Category -
-
- -Tools -
-
- -DEX -
-
- -Platform -
-
-
-
-Type -
- -web - - -mobile - -
-
-
-
-
-
-Duration -28 Oct 2020 -- - -
-
-

- -Submitted reports -164 - - -Hackers -96 - -

- -Total rewarded -$300.0 - -
-

-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-Hotbit - -
-$ 1,500 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-Explore program -
-
-
-
-
-
-Hotbit - -
-$ 1,500 -
-
-
- -Triaged by HackenProof -
-

Triaged by HackenProof

-All bug reports are validated and managed by our professional team. We guarantee the program's SLA on time. -
-
-
-
-
-

-The World's Leading Cryptocurrency Trading Platform - -

- -
-
-
-
-CyberSec rating -
- -
-
- -
-BBB -
-
-Category -
-
- -Network -
-
- -Platform -
-
- -DEX -
-
-
-
-Type -
- -web - - -mobile - -
-
-
-
-
-
-Duration -26 Nov 2020 -- - -
-
-

- -Submitted reports -118 - - -Hackers -69 - -

- -Total rewarded -$12200.0 - -
-

-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-WhiteBIT - -
-$ 5,000 -
-
-Explore program -
-
-
-
-
-
-WhiteBIT - -
-$ 5,000 -
-
-
-
-
-

-Launched in 2018, WhiteBIT is a cryptocurrency exchange with 300K+ users in Europe, Asia, and the CIS countries. Built on cutting-edge technology WhiteBIT provides an institutional-grade experience for professional and novice customers alike. - -

- -
-
-
-
-Category -
-
- -Tools -
-
- -Infrastructure -
-
-
-
-Type -
- -web - - -mobile - -
-
-
-
-
-
-Duration -20 Nov 2020 -- - -
-
-

- -Submitted reports -48 - - -Hackers -28 - -

- -Total rewarded -$3751.0 - -
-

-
-
-
-
-
- - - -
-
-
- -
- - - - - - - - - - - - - - - - - diff --git a/spec/fixtures/hackenproof/programs_1.json b/spec/fixtures/hackenproof/programs_1.json new file mode 100644 index 0000000..f5e8620 --- /dev/null +++ b/spec/fixtures/hackenproof/programs_1.json @@ -0,0 +1,34 @@ +{ + "programs": [ + { + "id": "63517622fd18045e8d9b72bc", + "slug": "virtuswap-dex-app-1", + "url": "/api/v1/programs/virtuswap-dex-app-1", + "program_name": "VirtuSwap DEX APP", + "program_logo": "https://dashboard.hackenproof.com/uploads/bounty_program/logo/63517622fd18045e8d9b72bc/logo.png?1720297251", + "program_description": "VirtuSwap uses a novel pool architecture, based on reserve-powered virtual liquidity pools, which solve the problem of triangular trading by making every trade direct — even in the absence of a corresponding pool, and generates up to 50% savings.", + "start_date": "21 Dec 2022", + "end_date": "12 Sep 2023", + "last_update": "06 Jul 2024", + "submitted_reports": 21, + "min_bounty": "50.0", + "max_bounty": "5000.0", + "status": "archived", + "audit_program": false, + "private": false, + "managed_by_company_name": "HackenProof", + "new_program": false, + "total_rewards": 400, + "skills": [ + "web" + ], + "categories": [ + "Platform" + ] + } + ], + "page": 20, + "total_pages": 21, + "next_page": 21, + "prev_page": 19 +} \ No newline at end of file diff --git a/spec/fixtures/hackenproof/programs_2.html b/spec/fixtures/hackenproof/programs_2.html deleted file mode 100644 index e30d333..0000000 --- a/spec/fixtures/hackenproof/programs_2.html +++ /dev/null @@ -1,700 +0,0 @@ - - - - -Crypto Bug Bounty Programs 2022 | HackenProof - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
-
- - -
-
- -
- -
- -
-
-
-
-

Bug Bounty Programs 2022

-Explore all HackenProof’s programs below or filter the tech
stack you work best with: let the bug hunt begin!
-
-
-
-
Total bug bounty
-
37
-
-
-
Money for reward
-
$ 553 660
-
-
-
Total received reports
-
5730
-
-
-
-
-
-
-
-
- -
Select types
-
-All - -web - -mobile - -blockchain - -smart contract - -desktop - -API - -database - -infrastructure - -
- - -
-
- -
Select categories
-
-All - -Network - -Infrastructure - -Tools - -DeFi - -CEX - -DEX - -Protocol - -Platform - -Wallet - -NFT - -GameFi - -
- - -
-
- -
Sort by
-
-
-
-Added: Oldest to Newest -
-
-
-
-Added: Newest to Oldest -
-
-
- -
- -
-
-
-
-
-
-
- -
-
-

-archived -

-
-
-
-
-VeChainThor VIP191 - -
-$ 10,000 -
-
-Explore program -
-
-
-
-
-
-VeChainThor VIP191 - -
-$ 10,000 -
-
-
-
-
-

-VeChainThor VIP191 Designated Gas Payer function - -

-
-
-
-
-
-
-
-

Ended 1071 days ago

-
-
-

- -Submitted reports -1 - - -Hackers -1 - -

-
-
-
-
-
- - - -
-
-
- -
- - - - - - - - - - - - - - - - - diff --git a/spec/fixtures/hackenproof/programs_2.json b/spec/fixtures/hackenproof/programs_2.json new file mode 100644 index 0000000..d2e27df --- /dev/null +++ b/spec/fixtures/hackenproof/programs_2.json @@ -0,0 +1,8 @@ +{ + "programs": [ + ], + "page": 21, + "total_pages": 21, + "next_page": null, + "prev_page": 20 +} \ No newline at end of file diff --git a/spec/fixtures/hackenproof/scopes.html b/spec/fixtures/hackenproof/scopes.html deleted file mode 100644 index 0f31608..0000000 --- a/spec/fixtures/hackenproof/scopes.html +++ /dev/null @@ -1,978 +0,0 @@ - - - - -HackenProof: Program Info | HackenProof - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
-
- - -
-
- -
- -
- -
-
-
-
-
-
-
-
-
-
-

-HackenProof: Program Info -

-
- -Triaged by HackenProof -
-
-Hacken -
- -
-
- -
-
- -
-
-
-
-
-
-
-
-

HackenProof is a Bug Bounty and Vulnerability Coordination Platform. We connect our customers with the global hacker community to uncover security issues in their products. By running custom-tailored bug bounty programs we help our customers significantly reduce the risk of losing their data to cybercriminals.

- -
-
-
-
-

- -Scope -

-
-
-
-
-

In Scope

- - - - - - - - - - - - - - - - - -
TargetTypeSeverityReward
-
-
hackenproof.com
-
    -
  • HackenProof main site
  • -
- -
-
Web -Critical -Bounty
-

Out of scope

- - - - - - - - - - - - - - - -
TargetTypeSeverity
-
-
blog.hackenproof.com
-
    -
  • Our Blog
  • -
- -
-
Web -None -
-
-
-
-
- -
-
-

In-Scope Vulnerabilities

- -
- -

We are interested in next web vulnerabilities:

- -
    -
  • Business Logic
  • -
  • Remote code execution (RCE)
  • -
  • Database vulnerability, SQLi
  • -
  • Cross Site Scripting (XSS)
  • -
  • Privilege escalation
  • -
  • Sensitive data exposure (IDOR, etc.)
  • -
  • Authentication bypass
  • -
  • Obtaining sensitive information
  • -
  • Password attacks
  • -
  • Cross-Site Request Forgery (CSRF)
  • -
  • Server Side Request Forgery (SSRF)
  • -
- -

Out-of-Scope Vulnerabilities

- -
- -

In general, the following vulnerabilities do not correspond to the severity threshold:

- -
    -
  • Known problems: 2FA session issues
  • -
  • UI and UX bugs and spelling or localization mistakes.
  • -
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • -
  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
  • -
  • Vulnerabilities in third-party applications
  • -
  • Publicly accessible login panels without proof of exploitation.
  • -
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • -
  • Host header issues without proof-of-concept demonstrating the vulnerability.
  • -
  • HTTP codes/pages or other HTTP non-codes/pages.
  • -
  • Fingerprinting/banner disclosure on common/public services.
  • -
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • -
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
  • -
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • -
  • Login & Logout CSRF
  • -
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • -
  • Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
  • -
  • OPTIONS HTTP method enabled
  • -
  • Lack of Security Speed bump when leaving the site.
  • -
  • Weak Captcha
  • -
  • Broken links (including social media)
  • -
  • Content injection issues.
  • -
  • HTTPS Mixed Content Scripts
  • -
  • Content Spoofing without embedded links/html
  • -
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • -
  • Reflected File Download (RFD).
  • -
  • Best practices concerns.
  • -
  • Highly speculative reports about theoretical damage. Be concrete.
  • -
  • Missing HTTP security headers, specifically, For e.g.
  • -
  • Missing rate limit in forms, fields
  • -
  • Cookie reusing
  • -
- -
-
    -
  • Strict-Transport-Security
  • -
  • X-Frame-Options
  • -
  • X-XSS-Protection
  • -
  • Host Header
  • -
  • X-Content-Type-Options
  • -
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • -
  • Content-Security-Policy-Report-Only
  • -
-
- -
    -
  • Infrastructure vulnerabilities, including:
  • -
- -
-
    -
  • Certificates/TLS/SSL related issues
  • -
  • DNS issues (i.e. mx records, SPF records, DMARC records, etc.)
  • -
  • Server configuration issues (i.e., open ports, TLS, etc.)
  • -
-
- -
    -
  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer all versions
  • -
  • Vulnerabilities involving active content such as web browser add-ons
  • -
  • XSS issues that affect only outdated browsers (like Internet Explorer)
  • -
  • Issues that require physical access to a victim’s computer.
  • -
  • Physical or social engineering attempts (this includes phishing attacks against employees).
  • -
  • Recently disclosed 0day vulnerabilities.
  • -
  • Microsites with little to no user data
  • -
  • Most brute forcing issues
  • -
  • Denial of service
  • -
  • Spamming!
  • -
- -
-
-
- -
-
-
    -
  • Avoid compromising any personal data, interruption or degradation of any service .
  • -
  • Don’t access or modify other user data, localize all tests to your accounts.
  • -
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • -
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • -
  • Only the first valid bug is eligible for reward.
  • -
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • -
  • Don’t break any law and stay in the defined scope.
  • -
  • Comply with the rules of the program.
  • -
  • Don't spam forms/fields
  • -
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.
  • -
- -
-
-
-
-
-
-
- -
- -
- - - - - - - - - - - - - - - - - diff --git a/spec/fixtures/hackenproof/scopes.json b/spec/fixtures/hackenproof/scopes.json new file mode 100644 index 0000000..f14907b --- /dev/null +++ b/spec/fixtures/hackenproof/scopes.json 
@@ -0,0 +1,64 @@ +{ + "audit_program": false, + "categories": [ + "Network", + "Protocol", + "Solidity" + ], + "company_name": "Polygon Technology", + "company_slug": "polygon-technology", + "company_url": "/api/v1/polygon-technology", + "deposit": true, + "disclosure_guidelines": "* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without written consent from the organization\r\n* No vulnerability disclosure, including partial is allowed for the moment.\r\n* Please do NOT publish/discuss bugs ", + "eligibility_and_coordinate_disclosure": "We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:\r\n\r\n* You must be the first reporter of a vulnerability.\r\n* The vulnerability must be a qualifying vulnerability\r\n* All reports should include a runnable Proof of Concept (PoC) in order to prove impact\r\n* Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com\r\n* You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.\r\n* Current employees, vendors (auditors), partners and contractors are not eligible to participate in the bug bounty program;\r\n* Payouts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production.\r\n* Any impact that applies to assets not in active use, like test or mock files, are out-of-scope of the bug bounty program unless explicitly mentioned as in-scope.\r\n* For GitHub repositories please ensure you are reviewing the latest published releases\r\n* ONLY USE YOUR HackerProof ADDRESS (in case of violation, no bounty can be awarded)", + "end_date": "05 Mar 2025", + "focus_area": "For GitHub repositories please ensure you are 
reviewing the latest published releases, and code is deployed in production", + "id": "652d3658fd18041e205e8a95", + "last_update": "06 Jul 2024", + "managed_by_company_name": "HackenProof", + "max_bounty": "1000000.0", + "min_bounty": "1000.0", + "private": false, + "program_description": "Polygon Labs develops Ethereum scaling solutions for Polygon protocols. Polygon Labs engages with other ecosystem developers to help make available scalable, affordable, secure and sustainable blockchain infrastructure for Web3. ", + "program_logo": "https://dashboard.hackenproof.com/uploads/bounty_program/logo/652d3658fd18041e205e8a95/logo.png?1720297372", + "program_name": "Polygon POS", + "program_of_the_week": false, + "program_rules": "## Rewards and Recognition\r\n\r\n### Severity Clasification\r\n\r\nPolygon classifies vulnerabilities using the Common Vulnerability Scoring System (CVSS). In case of discrepancy, final determination is done by Polygon.\r\n\r\n### Payouts and Payout Requirements\r\n* Payouts are handled by the Polygon Labs team directly and are denominated in USD. Payouts are done in USDC or MATIC at the Polygon Labs teams' discretion. Polygon Labs commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures.\r\n* This bug bounty program is only open to individuals who reside outside of the countries that are restricted by OFAC and by UNSC resolutions. 
If the individual is a US person, tax information may be required in order to properly issue a 1099.\r\n\r\n### KYC Requirements\r\n\r\n- Polygon Labs does have a Know Your Customer (KYC) requirement for bug bounty payouts.\r\n- KYC information is only required on confirmation of the validity of a bug report which Polygon Labs determines in its sole discretion.\r\n\r\n## Out of Scope - General\r\n\r\n- Attacks that the reporter has already exploited themselves, leading to damage\r\n- Attacks requiring access to leaked keys/credentials\r\n- Attacks requiring access to privileged addresses (governance, strategist), except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\r\n- Broken link hijacking is out of scope\r\n- Loss of funds held by third parties\r\n- Attacks related to vulnerable, old or deprecated libraries, that are not exploitable\r\n\r\n## Out of Scope - Smart Contracts and Blockchain/DLT\r\n\r\n- Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\r\n- Previously known vulnerabilities in Tendermint and or/any other fork of these.\r\n- Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.\r\n- Basic economic governance attacks (e.g. 51% attack)\r\n- Lack of liquidity\r\n- Best practice critiques\r\n- Sybil attacks\r\n- Centralization risks\r\n\r\n## Prohibited Activities\r\n\r\nThe following activities are prohibited by this bug bounty program. Violation of these rules may result in zero payout.\r\n\r\n* Any testing with mainnet or public testnet deployed code; all testing should be done on private testnets\r\n* Attempting phishing or other social engineering attacks against our employees and/or customers\r\n* Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\r\n* Any denial of service attacks\r\n* Automated testing of services that generates significant amounts of traffic\r\n* Public disclosure of an unpatched vulnerability in an embargoed bounty\r\n* Avoid using web application scanners for automatic vulnerability searching which generates massive traffic \r\n* Make every effort not to damage or restrict the availability of products, services, or infrastructure \r\n* Avoid compromising any personal data, interruption, or degradation of any service \r\n* Don’t access or modify other user data, localize all tests to your accounts \r\n* Perform testing only within the scope \r\n* Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam \r\n* Don’t spam forms or account creation flows using automated scanners \r\n* In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity. \r\n* Don’t break any law and stay in the defined scope \r\n* Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission ", + "rewards": { + "max_critical": 1000000, + "max_high": 20000, + "max_low": 1000, + "max_medium": 5000, + "min_critical": 50000, + "min_high": 20000, + "min_low": 1000, + "min_medium": 5000 + }, + "scopes": [ + { + "out_of_scope": false, + "reward_type": "Bounty", + "severity": "Critical", + "target": "https://github.com/maticnetwork/heimdall/", + "target_description": "Polygon POS - Heimdall", + "type": "Other" + } + ], + "skills": [ + "blockchain", + "smart contract" + ], + "sla": { + "first_response": 3, + "resolution_time": 14, + "reward_time": 10, + "triage_time": 3 + }, + "slug": "polygon-pos", + "start_date": "29 Feb 2024", + "status": "published", + "submit_report_url": "https://dashboard.hackenproof.com/user/programs/polygon-pos/reports/new", + "submitted_reports": 26, + "total_rewards": 0, + "url": 
"/api/v1/programs/polygon-pos" +} \ No newline at end of file