claim HackerOne profile

[chadwhitacre]

We've gotten a spate of security reports recently, and I suspect it's from our listing on HackerOne:

https://hackerone.com/gratipay

We should claim our profile there.

[chadwhitacre]

Looking at https://hackerone.com/product, we may be able to replace our current http://inside.gratipay.com/howto/handle-security-issues with HackerOne.

[chadwhitacre]

And it's free.

Using HackerOne is Free

We've made our full-featured platform free to use. Access our global community of helpful hackers, manage vulnerability reports, coordinate with internal and external stakeholders, connect to your issue tracker, export your historical data, and more.

How Does HackerOne Make Money?

We only earn a fee after you've improved your security. Specifically, HackerOne takes a 20% fee when you reward a hacker for discovering a valid security hole that's not only worth fixing, but also rewarding. And our payment system makes it easy to pay a hacker anywhere in the world.

Why Don't We Charge for the Platform?

We founded HackerOne to make the Internet safer based on our experience building similar programs at Facebook, Microsoft and Google. Based on this mission, we chose to make HackerOne free for all companies, charging only when our service helps protect your company's end users.

[chadwhitacre]

Thoughts, @greggles @benhc123?

[chadwhitacre]

(et al.)

[chadwhitacre]

I signed up for an account, and am waiting for a verification email.

[greggles]

I use bugcrowd for a few bounties and have tested out hackerone as well. I think it's worthwhile to use a system like this and don't have a strong preference about which one to use.

[chadwhitacre]

Cool. I've submitted a claim for our HackerOne profile.

[kzisme]

👍

[chadwhitacre]

"a HackerOne representative will contact you"

[chadwhitacre]

http://stackshare.io/stackups/hackerone-vs-bugcrowd-vs-crowdcurity

[chadwhitacre]

Convo with a researcher on https://gratipay.freshdesk.com/helpdesk/tickets/2360:

P.S. Did you find us through HackerOne?

---

[...] yes i found you on Hackerone!

---

Cool. I guess we must have first appeared on HackerOne recently, because we've started receiving a lot more security reports than usual. :-) We're in the process of triaging and actually we're considering using HackerOne to manage our security program. Do you recommend it? Have you used Bugcrowd?

---

I have used Bugcrowd and Hckerone, and i strongly recommend you to use Hackerone! Its fun and amazing! Try now . Its my personal experience.

---

Thanks for the feedback. We're currently waiting for HackerOne to approve our team account before we can proceed further. I will keep you posted ...

[chadwhitacre]

https://gratipay.freshdesk.com/helpdesk/tickets/2305

Did you happen to discover us on HackerOne? We're considering moving our security program there. Do you recommend it? Have you used Bugcrowd?

[chadwhitacre]

https://gratipay.freshdesk.com/helpdesk/tickets/2294

Are you on HackerOne? We're thinking about moving our security program there. Did you by any chance discover us on HackerOne?

[chadwhitacre]

To: [email protected], [email protected]
Subject: claiming profile for Gratipay?

Greetings!

We recently discovered that we have an entry for Gratipay on HackerOne, and we'd like to claim it. The bug reports we've gotten are high-quality, and we're interested in potentially using the platform for our security program. I filled out the "Claim program" form on the site, but haven't heard from anyone yet.

What should we expect for next steps?

[chadwhitacre]

https://gratipay.freshdesk.com/helpdesk/tickets/2313

P.S. Did you happen to find us on HackerOne? We're thinking of using that for our security program. Do you recommend it? Have you used Bugcrowd?

[chadwhitacre]

From: HackerOne
https://gratipay.freshdesk.com/helpdesk/tickets/2425

Thanks for reaching out. Glad to hear that you’ve been receiving quality reports from security researchers already.

My name is [] and I’ll be helping you get your HackerOne profile up and running. How is your experience with the demo so far? It should give you a good feel of our platform and how it works. There’s a sample bug report in your inbox for you to play with.

Let’s jump on a quick call or teleconference if that works for you. I’d like to learn more about what you’re trying to accomplish and how we can help your efforts. How’s your availability this week?

To: HackerOne

Thanks, []! I see now that I have access to the Gratipay team on HackerOne. Thanks for that.

I'm not finding something labeled an "inbox." I see a "Notifications" popout in the upper right, which says I have "No notifications." I also find a "Dashboard" and a "Reports" screen, both of which are likewise empty.

A call would be fine. What timezone are you in? I'm in US/Eastern. How about Wednesday or Thursday at 1pm US/Eastern?

Thanks! :-)

[chadwhitacre]

To: HackerOne

I also couldn't figure out how to file a new bug report to play with. :-(

[chadwhitacre]

Had a call with HackerOne.

Sounds like the directory is just a week-and-a-half old. I've recommended that they make it opt-in, or at least opt-out—we never even got a notification from them.

We're now in the review queue to move our account to an "invite-only" stage, past which we can move to a fully public account.

The product itself looks great, in terms of the workflows for managing security issues. However, there's currently no way for any of us to file bugs in our own queue, because it's designed entirely with third-party researchers in mind. That would prevent us from migrating our existing queue over there, as well as filing new internally-sourced reports over there.

My impression is that things are hoppin' over at HackerOne right now. We'll see how fast they're able to address the reporting limitation and account review. Blocking on HackerOne getting back to me with the green light for the next phase of their onboarding ("invite-only").

[chadwhitacre]

P.S. He's also sending over info on their GitHub integration.

[chadwhitacre]

Thanks for the call, []. Action items:

• Community directory should be opt-in, or at least opt-out. We got no notification whatsoever from HackerOne, which isn't cool.
• We're ready to move to invite-only so we can start using the product.
• We're interested in migrating our existing security queue to HackerOne, but I don't see a way I can file issues against my own projects (only against other projects).
• I also don't see a way to add a researcher to an existing bug, which would be necessary in order to migrate our existing queue.
• Please send over info on HackerOne's GitHub integration.

BTW, here is our public ticket tracking this issue on our side:

#255

Thanks, looking forward to hearing from you!

[chadwhitacre]

Gratipay has completed the pre-launch checklist and next steps are now accessible from the Invite researchers page. If you have any questions, we're always available at [email protected].

[chadwhitacre]

We're public: https://hackerone.com/gratipay.

[chadwhitacre]

Next steps:

• Consolidate security issues at Hacker One. Some are in GitHub per our current policy, and some are in Freshdesk awaiting resolution of this issue. Invite researchers to the relevant tickets on Hacker One.
• Update our security policies published on Gratipay.com/about, Hacker One, and Inside Gratipay.
• Get back to HO sales/support.
• Update HoF for recently closed issues. Understand relationship between on-site and HO HoF.
• configure Gratipay security team membership and permissions on HackerOne

[chadwhitacre]

Finally circling back around to this, []. We decided to knock out the worst of the security bugs we got via Hacker One before proceeding with account setup. I've just taken our account public, and migrated our remaining open tickets over to Hacker One. I guess we're off and running. Thanks for all your help getting set up! :-)

[chadwhitacre]

I propose that we redirect https://gratipay.com/about/security/ to https://hackerone.com/gratipay. I guess we should keep https://gratipay.com/about/security/hall-of-fame alive for archival purposes, with a note at the top directing people to https://hackerone.com/gratipay/thanks.

[chadwhitacre]

From: HackerOne

Not a problem and glad everything worked out.

[chadwhitacre]

@greggles @benhc123 I've sent invites to join our new HackerOne team.

[chadwhitacre]

I've updated our profile at HackerOne to direct people to file reports on HackerOne, with email as a fall-back.

[chadwhitacre]

IG updated in 967f7ab.

[chadwhitacre]

PR for Gratipay.com ready to go in gratipay/gratipay.com#3636.

[chadwhitacre]

PRs for clearing out HoF backlog:

• ack security researcher AspenWeb/pando.py#476
• ack security researcher gratipay.com#3637

[chadwhitacre]

Bringing Aspen into scope: AspenWeb/pando.py#477.

cc: @pjz

[chadwhitacre]

Okay! I've made all the PRs I intend to make on this. Ready for some PR review. :)

cc: @greggles @benhc123 @pjz @rohitpaulk et al.

[pjz]

How do I get an account? I hit 'sign up' and it acted like I was an organization, not a user of an existing org.

[chadwhitacre]

Weird, dunno. Were you on this link?

https://hackerone.com/users/sign_up

[chadwhitacre]

When I click "Sign up" I see two options:

You want to be a hacker, @pjz. ;-)

[chadwhitacre]

The HackerOne reputation system makes it important who files a ticket. We should've had them do the initial import instead of me doing it manually. I'm working with HackerOne support to reset who the reporter is for the tickets we've got going so far (documented on HO76303), and I've tweaked our documentation in #296.

[chadwhitacre]

I believe once those reporters are fixed up we can close this ticket! :)

[chadwhitacre]

I've been bouncing back and forth on email trying to get the reporters fixed up (FD2669). They're trying to verify that my request was legitimate, but I think we're deadlocked by interactions in our respective support software. I'm going to try making a phone call later today to get that unblocked.

[chadwhitacre]

The person I spoke to on the phone earlier on was in sales and not support, so I just tried emailing again instead.

To: hackerone

Any update on this, []?

[chadwhitacre]

My excuses for not keeping you updated. I've updated the reporters of (76300, 76303, 78151, 78175, 78177, 76304, 76305, 76306, 76307). My initial plan was to also update the reputation records but this migration was a bit too complex. So we've to wait for the next reputation recalculation for the right +7s.

p.s. How is your h1 program going? Did you already got your first RCE vuln reported? :)

Thanks for you patience!

---

Cool, thanks []!

No RCEs yet. We had one pretty good CSRF bypass via CRLF injection, then mostly best practices. Now that the tickets are reassigned I can start merging duplicates and closing.

Thanks again! :-)