BugPoC looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
No technology is perfect and BugPoC believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our website. Good luck, and happy hunting!
BugPoC is a software platform that rethinks how bug reporting is currently done in the security industry. BugPoC is not a security scanner like Burp Suite or OWASP ZAP. BugPoC is not a channel to submit bugs like HackerOne or BugCrowd. BugPoC is not a ticket-tracking system like Bugzilla or Jira.
BugPoC is the missing piece of the puzzle for security bug reporting. It's the infrastructure that allows hackers to build live demos for their bugs. Once a demo has been created, it is published and password protected. Hackers and software developers can then include the demo link wherever they want - bug bounty portals, internal tracking systems, or even PDF deliverables.
Reproducing and fixing security issues has never been easier.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
|Technical severity||Reward range|
|p1 Critical||$2,100 - $4,000|
|p2 Severe||$1,000 - $2,000|
|p3 Moderate||$450 - $600|
|p4 Low||$150 - $200|
Testing is only authorized on the targets listed as in scope. Any domain/property of BugPoC not listed in the targets section is out of scope. This includes any/all subdomains not listed above. No Out of Scope submissions will be accepted for this program.
Please note that BugPoC is still a beta product. Not all features may be fully functional or stable.
The BugPoC threat model is pretty unique. Make sure you read the Out-of-Scope section closely before reporting any bugs. BugPoC lets security professionals quickly build PoCs that their clients can immediately reproduce. We do this by letting hackers render arbitrary front-end code on our domain, repeat raw HTTP requests from our server, and run arbitrary Python code using our machines.
Check out these tutorial videos for real-world examples of when to use BugPoC:
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Special OOS Items
- Any Remote Code Execution (RCE) inside the BugPoC Python environment without security impact (it's a feature!)
- Any Server Side Request Forgery (SSRF) from the BugPoC HTTP Repeater without security impact (it's a feature!)
- Any Cross-Site Scripting (XSS) on the
*.web.bugpoc.ninjadomain without security impact (it's a feature!)
- Any Cross-Site Scripting (XSS) or Open Redirects on the
mock.bugpoc.ninjadomain via the BugPoC Mock Endpoint Builder without security impact (it's a feature!)
- Because its still a
- Any Information Disclosure from error messages or stack traces (verbose debug is intentionally enabled for now)
- The lack of rate limiting on any APIs
- The lack of brute force protection on PoC passwords (PoCs are password protected using an auto-generated password by picking random values from really long wordlists. We do not think that brute forcing this password is very feasible, however we still plan on introducing some rate-limiting at a later point in time as a backup measure.)
- The lack of captcha's or other spam-preventing mechanisms
- Sessions not being revoked upon sign-out or password change
- Email addresses not requiring verification
- The ability to change your own email address
Other OOS items
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or bruteforce issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- User Enumeration
Program Rules and Guidance
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
bugpoc.com - A trusted domain to access static web assets
api.bugpoc.com - A trusted domain to hit the APIs
mock.bugpoc.ninja - An untrusted domain that researchers can use to mock a server response via the Mock Endpoint Builder
web.bugpoc.ninja - An untrusted domain that researchers can use to render arbitrary front-end code via the Front-End PoC Generator
Public facing website
Both Tester and Organization credentials are now available for this program. (Self Sign-up @ bugpoc.com/join)
BugPoC can store, modify, and repeat raw HTTP requests for your PoCs. You can think of this feature as like an online version of Burp Suite’s Repeater. The BugPoC Burp Extension lets you send raw requests directly to the site without any fuss.
BugPoC can store and run arbitrary Python code for your PoCs. Additionally, several useful third-party libraries are pre-installed in the environment including requests and Beautiful Soup.
To make building PoCs even easier, BugPoC has a few dozen
PoC Wizards that can help you generate the exploit code. Each PoC Type (Front-End, HTTP, & Python) has 5-20 “PoC Wizards” to automate your PoC creation process. They accept various parameters and use them to generate exploit code for specific issues. For example, the CSRF Wizard (located under Front-End) will accept an HTTP request and use it to generate malicious HTML code that exploits a CSRF vulnerability. You can think of them as templates to make PoC creation less repetitive. We plan on adding more PoC Wizards all the time.
Example Attack Plan
Below are some notes by a fellow hacker about the BugPoC attack surface to help you get started.
The Front-End PoC Generator somehow takes untrusted front-end code from the
bugpoc.com domain and injects it into the
bugpoc.ninja domain. Then the
bugpoc.com domain calls the
main() function and receives the response. Cross-domain communication can be risky.
- How does this cross-domain communication occur? Back-end via some custom proxies? Front-end via CORS, Post-Message, etc?
bugpoc.comconfigure its CORS to trust
bugpoc.ninja? Can I put malicious code on
bugpoc.ninjathat abuses this trust?
bugpoc.comrely on PostMessage to send/receive cross-domain data? If so, how strict is the origin checking?
The HTTP PoC Generator parses raw HTTP requests and uses an HTTP client to resend them.
- Can I use this SSRF-by-design to query internal services?
- Which HTTP client library is used? Plenty of them have URI parsing issues. Does it have any relevant CVEs?
- This generator supports both HTTP/1 and HTTP/2. Does HTTP/2 open any attack surfaces that are normally ignored?
- What happens if I provide contradictory or duplicate headers?
The Python PoC Generator is an obvious target.
- Where is my code run? Docker? VM? Cloud? Is this container ever re-used?
- Does my Python environment have any bootstrapping code that I didn't write? Anything interesting in it?
- Does my Python environment have any cloud credentials in it? If so, how can I get them? Is this a big deal?
- Can my code interact with other running containers created by my BugPoC account? Can it interact with cross-customer containers?
- What does the filesystem look like? Can I exfiltrate sensitive files or maybe overwrite essential ones?
The ExploitDB Importer queries a third-party database and displays its content on the
bugpoc.com domain. Does this third-party enforce the same input validation as the rest of BugPoC?
- Can this vector be used to ingest otherwise disallowed characters?
- Potential XSS, SQLi, etc ingestion vector?
- Can this quicklink be abused for CSRF-style attacks?
- Can this quicklink be abused to inject characters into fields that the UX normally disallows? Is this a big deal?
All PoCs can be downloaded as Runnable Docker Images. Untrusted Docker code is tough.
- Can code from a Python PoC escape this container somehow?
- Can I create a Docker Image that gets flagged as malware when downloaded? Is this a big deal?
This is just an example Attack Plan written by one of our internal PenTesters. Feel free to poke other parts of the website not listed above. Get creative and have fun!
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via email@example.com before going any further.