The proper way to apply for a bug bounty would be doing it privately first.
Likes:
1
Diamonds:
1
Reposts:
0
Quote Reposts:
2
sorry, i didn't know which post you commented on when i first commented back. so, like i said, if i did that (emailed bug bounty first and not done anything else), i'd probably still not have heard back. it was addressed after i posted about it and messaged in discord. in the interest of urgency, that seemed best.
i tried DMing admins in discord first, but none accepted my request, and i figured posting it in the daodao discord would not be desired. since it's not a bug with code, it really didn't need a review, either.
but i did submit it to bug bounty thursday night, because there are still things that could be done. i don't know about you, but security risks are the kind of thing i would expect a quick response on. i'm sure you agree, i don't know who wouldn't.
*i have a feeling the email isn't being checked by anyone on a regular basis*
i mean it's pretty clear that many things could have happened, and since it's not a code thing, it doesn't really have that whole need of being reviewed by any developers, it's just plain as day. here's one way to do it (see image), i mean, consider if i didn't say anything and just did a few edits here and there. sure, maybe someone would look through the version history on a whim, but - how likely is that? this is just a GET parameter so obviously it's not malicious, and maybe someone would notice that whatever link were placed there doesn't match the label exactly if they paused and didn't just click fast through it (i don't feel crazy saying that i doubt people are pausing before clicking through on these links in google docs though - *because there was a false sense of trust that i have exposed*), but this is just one small example of one type of thing that could have happened.
i mean just doing random edits over time, it maybe was even possible to simply delete a document- i know it showed that option available and i don't know what kind of recovery features google for sure has, but regardless it would still result in lost time and time is money after all. did i expect a bounty? no, not really, but that's based on what i've seen happen since being here. it's not indicative of the way i think things should be. if i had thought for sure a bounty were possible for this issue, would i have emailed first and waited? hell no, because it wouldn't make sense. this wasn't a code exploit that would be difficult for someone else to stumble upon and that needed for other people to give a peer review on first.
for sure i understand the bug bounty process very well because i've read that page many times and submitted more than once that the wording on the page needed improvement, let alone alerting that the previous email address on the page did not exist which led to the protonmail email address being created.
Likes:
1
Diamonds:
1
Reposts:
0
Quote Reposts:
0
{PostHashHex: "0d6639cef47eeea9e6b15eaf84ad90bc200869a8a0e9004c5ab66204ddef34ae",PosterPublicKeyBase58Check: "BC1YLgbCAxYSSn97DArZtbwwhVUtHtjUfGZzKojLBKfxP8wbRHvb2Gz",ParentStakeID: "",Body: "sorry, i didn't know which post you commented on when i first commented back. so, like i said, if i did that (emailed bug bounty first and not done anything else), i'd probably still not have heard back. it was addressed after i posted about it and messaged in discord. in the interest of urgency, that seemed best.\n\ni tried DMing admins in discord first, but none accepted my request, and i figured posting it in the daodao discord would not be desired. since it's not a bug with code, it really didn't need a review, either.\n\nbut i did submit it to bug bounty thursday night, because there are still things that could be done. i don't know about you, but security risks are the kind of thing i would expect a quick response on. i'm sure you agree, i don't know who wouldn't. \n\n*i have a feeling the email isn't being checked by anyone on a regular basis*\n\ni mean it's pretty clear that many things could have happened, and since it's not a code thing, it doesn't really have that whole need of being reviewed by any developers, it's just plain as day. here's one way to do it (see image), i mean, consider if i didn't say anything and just did a few edits here and there. sure, maybe someone would look through the version history on a whim, but - how likely is that? this is just a GET parameter so obviously it's not malicious, and maybe someone would notice that whatever link were placed there doesn't match the label exactly if they paused and didn't just click fast through it (i don't feel crazy saying that i doubt people are pausing before clicking through on these links in google docs though - *because there was a false sense of trust that i have exposed*), but this is just one small example of one type of thing that could have happened.\n\ni mean just doing random edits over time, it maybe was even possible to simply delete a document- i know it showed that option available and i don't know what kind of recovery features google for sure has, but regardless it would still result in lost time and time is money after all. did i expect a bounty? no, not really, but that's based on what i've seen happen since being here. it's not indicative of the way i think things should be. if i had thought for sure a bounty were possible for this issue, would i have emailed first and waited? hell no, because it wouldn't make sense. this wasn't a code exploit that would be difficult for someone else to stumble upon and that needed for other people to give a peer review on first. \n\nfor sure i understand the bug bounty process very well because i've read that page many times and submitted more than once that the wording on the page needed improvement, let alone alerting that the previous email address on the page did not exist which led to the protonmail email address being created. ",ImageURLs: ["https://images.deso.org/b5adcd4c1241c7545206ba5ca86c2c5bb1408702c3848d5643a59c42fe6df9e4.webp"],VideoURLs: null,RepostedPostEntryResponse: {PostHashHex: "9ebddcef32c7f02242d5ef430d5d40946c6f7c2ed723511a19b6e499539b41f8",PosterPublicKeyBase58Check: "BC1YLhpUoWYcWzyZepXwHM2w7mkzBZ33P8Q5B9CjZ14DT29uEJ6wrn7",ParentStakeID: "123d36bfa667c81d73a4b222021751a9a5943a723360eb173fa78e5968c29f48",Body: "The proper way to apply for a bug bounty would be doing it privately first.",ImageURLs: null,VideoURLs: null,RepostedPostEntryResponse: null,CreatorBasisPoints: 1000,StakeMultipleBasisPoints: 12500,TimestampNanos: 1651425676173514500,IsHidden: false,ConfirmationBlockHeight: 126009,InMempool: false,ProfileEntryResponse: {PublicKeyBase58Check: "BC1YLhpUoWYcWzyZepXwHM2w7mkzBZ33P8Q5B9CjZ14DT29uEJ6wrn7",Username: "FastFreddie",Description: "yeh? yeh.",IsHidden: false,IsReserved: false,IsVerified: false,Comments: null,Posts: null,CoinEntry: {CreatorBasisPoints: 690,DeSoLockedNanos: 15767510859,NumberOfHolders: 60,CoinsInCirculationNanos: 25075768550,CoinWatermarkNanos: 60367166788,BitCloutLockedNanos: 15767510859},DAOCoinEntry: {NumberOfHolders: 0,CoinsInCirculationNanos: "0x0",MintingDisabled: false,TransferRestrictionStatus: "unrestricted"},CoinPriceDeSoNanos: 1886384348,CoinPriceBitCloutNanos: 1886384348,UsersThatHODL: null,IsFeaturedTutorialWellKnownCreator: false,IsFeaturedTutorialUpAndComingCreator: false,ExtraData: {DAOPublicKeysPurchased: "BC1YLj3zNA7hRAqBVkvsTeqw7oi4H6ogKiAFL1VXhZy6pYeZcZ6TDRY"},DESOBalanceNanos: 125925795717,BestExchangeRateDESOPerDAOCoin: 0},Comments: null,LikeCount: 1,DiamondCount: 1,PostEntryReaderState: {LikedByReader: false,DiamondLevelBestowed: 0,RepostedByReader: false,RepostPostHashHex: ""},InGlobalFeed: false,InHotFeed: false,IsPinned: false,PostExtraData: {Language: "en",Node: "3"},CommentCount: 1,RepostCount: 0,QuoteRepostCount: 2,ParentPosts: null,IsNFT: false,NumNFTCopies: 0,NumNFTCopiesForSale: 0,NumNFTCopiesBurned: 0,HasUnlockable: false,NFTRoyaltyToCreatorBasisPoints: 0,NFTRoyaltyToCoinBasisPoints: 0,AdditionalDESORoyaltiesMap: {},AdditionalCoinRoyaltiesMap: {},DiamondsFromSender: 0,HotnessScore: 0,PostMultiplier: 0,RecloutCount: 0,QuoteRecloutCount: 2,RecloutedPostEntryResponse: null},CreatorBasisPoints: 1000,StakeMultipleBasisPoints: 12500,TimestampNanos: 1651434847506280200,IsHidden: false,ConfirmationBlockHeight: 126038,InMempool: false,ProfileEntryResponse: {Username: "kitty4d"},Comments: null,LikeCount: 1,DiamondCount: 1,PostEntryReaderState: null,InGlobalFeed: false,InHotFeed: false,IsPinned: false,PostExtraData: {Language: "en-US",Node: "11"},CommentCount: 0,RepostCount: 0,QuoteRepostCount: 0,ParentPosts: null,IsNFT: false,NumNFTCopies: 0,NumNFTCopiesForSale: 0,NumNFTCopiesBurned: 0,HasUnlockable: false,NFTRoyaltyToCreatorBasisPoints: 0,NFTRoyaltyToCoinBasisPoints: 0,AdditionalDESORoyaltiesMap: {},AdditionalCoinRoyaltiesMap: {},DiamondsFromSender: 0,HotnessScore: 0,PostMultiplier: 0,RecloutCount: 0,QuoteRecloutCount: 0,RecloutedPostEntryResponse: {PostHashHex: "9ebddcef32c7f02242d5ef430d5d40946c6f7c2ed723511a19b6e499539b41f8",PosterPublicKeyBase58Check: "BC1YLhpUoWYcWzyZepXwHM2w7mkzBZ33P8Q5B9CjZ14DT29uEJ6wrn7",ParentStakeID: "123d36bfa667c81d73a4b222021751a9a5943a723360eb173fa78e5968c29f48",Body: "The proper way to apply for a bug bounty would be doing it privately first.",ImageURLs: null,VideoURLs: null,RepostedPostEntryResponse: null,CreatorBasisPoints: 1000,StakeMultipleBasisPoints: 12500,TimestampNanos: 1651425676173514500,IsHidden: false,ConfirmationBlockHeight: 126009,InMempool: false,ProfileEntryResponse: {PublicKeyBase58Check: "BC1YLhpUoWYcWzyZepXwHM2w7mkzBZ33P8Q5B9CjZ14DT29uEJ6wrn7",Username: "FastFreddie",Description: "yeh? yeh.",IsHidden: false,IsReserved: false,IsVerified: false,Comments: null,Posts: null,CoinEntry: {CreatorBasisPoints: 690,DeSoLockedNanos: 15767510859,NumberOfHolders: 60,CoinsInCirculationNanos: 25075768550,CoinWatermarkNanos: 60367166788,BitCloutLockedNanos: 15767510859},DAOCoinEntry: {NumberOfHolders: 0,CoinsInCirculationNanos: "0x0",MintingDisabled: false,TransferRestrictionStatus: "unrestricted"},CoinPriceDeSoNanos: 1886384348,CoinPriceBitCloutNanos: 1886384348,UsersThatHODL: null,IsFeaturedTutorialWellKnownCreator: false,IsFeaturedTutorialUpAndComingCreator: false,ExtraData: {DAOPublicKeysPurchased: "BC1YLj3zNA7hRAqBVkvsTeqw7oi4H6ogKiAFL1VXhZy6pYeZcZ6TDRY"},DESOBalanceNanos: 125925795717,BestExchangeRateDESOPerDAOCoin: 0},Comments: null,LikeCount: 1,DiamondCount: 1,PostEntryReaderState: {LikedByReader: false,DiamondLevelBestowed: 0,RepostedByReader: false,RepostPostHashHex: ""},InGlobalFeed: false,InHotFeed: false,IsPinned: false,PostExtraData: {Language: "en",Node: "3"},CommentCount: 1,RepostCount: 0,QuoteRepostCount: 2,ParentPosts: null,IsNFT: false,NumNFTCopies: 0,NumNFTCopiesForSale: 0,NumNFTCopiesBurned: 0,HasUnlockable: false,NFTRoyaltyToCreatorBasisPoints: 0,NFTRoyaltyToCoinBasisPoints: 0,AdditionalDESORoyaltiesMap: {},AdditionalCoinRoyaltiesMap: {},DiamondsFromSender: 0,HotnessScore: 0,PostMultiplier: 0,RecloutCount: 0,QuoteRecloutCount: 2,RecloutedPostEntryResponse: null}}
