BugPoC

  • $150 – $4,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

1 vulnerability rewarded

Validation within about 9 hours
75% of submissions are accepted or rejected within about 9 hours

$150 average payout (last 3 months)

Latest hall of famers

Recently joined this program

BugPoC looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

No technology is perfect and BugPoC believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our website. Good luck, and happy hunting!

About BugPoC

BugPoC is a software platform that rethinks how bug reporting is currently done in the security industry. BugPoC is not a security scanner like Burp Suite or OWASP ZAP. BugPoC is not a channel to submit bugs like HackerOne or BugCrowd. BugPoC is not a ticket-tracking system like Bugzilla or Jira.

BugPoC is the missing piece of the puzzle for security bug reporting. It's the infrastructure that allows hackers to build live demos for their bugs. Once a demo has been created, it is published and password protected. Hackers and software developers can then include the demo link wherever they want - bug bounty portals, internal tracking systems, or even PDF deliverables.

Reproducing and fixing security issues has never been easier.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward range

Last updated

Technical severity Reward range
p1 Critical $2,100 - $4,000
p2 Severe $1,000 - $2,000
p3 Moderate $450 - $600
p4 Low $150 - $200
P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name Type Tags
*.bugpoc.com Website Testing
  • Website Testing
api.bugpoc.com API Testing
  • API Testing
*.bugpoc.ninja Website Testing
  • Website Testing

Testing is only authorized on the targets listed as in scope. Any domain/property of BugPoC not listed in the targets section is out of scope. This includes any/all subdomains not listed above. No Out of Scope submissions will be accepted for this program.

Please note that BugPoC is still a beta product. Not all features may be fully functional or stable.

Important Note

The BugPoC threat model is pretty unique. Make sure you read the Out-of-Scope section closely before reporting any bugs. BugPoC lets security professionals quickly build PoCs that their clients can immediately reproduce. We do this by letting hackers render arbitrary front-end code on our domain, repeat raw HTTP requests from our server, and run arbitrary Python code using our machines.

Check out these tutorial videos for real-world examples of when to use BugPoC:

  1. Insecure Direct Object Reference (IDOR)
  2. Post-Based Reflected Cross-Site Scripting (XSS)

Out-of-Scope

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Special OOS Items

  • Any Remote Code Execution (RCE) inside the BugPoC Python environment without security impact (it's a feature!)
  • Any Server Side Request Forgery (SSRF) from the BugPoC HTTP Repeater without security impact (it's a feature!)
  • Any Cross-Site Scripting (XSS) on the *.web.bugpoc.ninja domain without security impact (it's a feature!)
  • Any Cross-Site Scripting (XSS) or Open Redirects on the mock.bugpoc.ninja domain via the BugPoC Mock Endpoint Builder without security impact (it's a feature!)
  • Because its still a Beta product:
    • Any Information Disclosure from error messages or stack traces (verbose debug is intentionally enabled for now)
    • The lack of rate limiting on any APIs
    • The lack of brute force protection on PoC passwords (PoCs are password protected using an auto-generated password by picking random values from really long wordlists. We do not think that brute forcing this password is very feasible, however we still plan on introducing some rate-limiting at a later point in time as a backup measure.)
    • The lack of captcha's or other spam-preventing mechanisms
    • Sessions not being revoked upon sign-out or password change
    • Email addresses not requiring verification
    • The ability to change your own email address

Other OOS items

  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or bruteforce issues on non-authentication endpoints
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
  • Tabnabbing
  • Open redirect - unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction
  • User Enumeration

Program Rules and Guidance

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Target Information

bugpoc.com - A trusted domain to access static web assets

api.bugpoc.com - A trusted domain to hit the APIs

mock.bugpoc.ninja - An untrusted domain that researchers can use to mock a server response via the Mock Endpoint Builder

web.bugpoc.ninja - An untrusted domain that researchers can use to render arbitrary front-end code via the Front-End PoC Generator

Access

Public facing website

Credentials

Both Tester and Organization credentials are now available for this program. (Self Sign-up @ bugpoc.com/join)



Website Overview

BugPoC supports three main PoC types - Front-End, HTTP, and Python.

  1. Front-End

    BugPoC can host and render arbitrary HTML and JavaScript for your PoCs. Additionally, you can specify the subdomain and path of where you would like your PoC to be rendered. All front-end code will be rendered at *.web.bugpoc.ninja/*.

  2. HTTP

    BugPoC can store, modify, and repeat raw HTTP requests for your PoCs. You can think of this feature as like an online version of Burp Suite’s Repeater. The BugPoC Burp Extension lets you send raw requests directly to the site without any fuss.

  3. Python

    BugPoC can store and run arbitrary Python code for your PoCs. Additionally, several useful third-party libraries are pre-installed in the environment including requests and Beautiful Soup.

To make building PoCs even easier, BugPoC has a few dozen PoC Wizards that can help you generate the exploit code. Each PoC Type (Front-End, HTTP, & Python) has 5-20 “PoC Wizards” to automate your PoC creation process. They accept various parameters and use them to generate exploit code for specific issues. For example, the CSRF Wizard (located under Front-End) will accept an HTTP request and use it to generate malicious HTML code that exploits a CSRF vulnerability. You can think of them as templates to make PoC creation less repetitive. We plan on adding more PoC Wizards all the time.


Example Attack Plan

Below are some notes by a fellow hacker about the BugPoC attack surface to help you get started.

The Front-End PoC Generator somehow takes untrusted front-end code from the bugpoc.com domain and injects it into the bugpoc.ninja domain. Then the bugpoc.com domain calls the main() function and receives the response. Cross-domain communication can be risky.
Initial thoughts:

  • How does this cross-domain communication occur? Back-end via some custom proxies? Front-end via CORS, Post-Message, etc?
  • Does bugpoc.com configure its CORS to trust bugpoc.ninja? Can I put malicious code on bugpoc.ninja that abuses this trust?
  • Does bugpoc.com rely on PostMessage to send/receive cross-domain data? If so, how strict is the origin checking?

The HTTP PoC Generator parses raw HTTP requests and uses an HTTP client to resend them.
Initial thoughts:

  • Can I use this SSRF-by-design to query internal services?
  • Which HTTP client library is used? Plenty of them have URI parsing issues. Does it have any relevant CVEs?
  • This generator supports both HTTP/1 and HTTP/2. Does HTTP/2 open any attack surfaces that are normally ignored?
  • What happens if I provide contradictory or duplicate headers?

The Python PoC Generator is an obvious target.
Initial thoughts:

  • Where is my code run? Docker? VM? Cloud? Is this container ever re-used?
  • Does my Python environment have any bootstrapping code that I didn't write? Anything interesting in it?
  • Does my Python environment have any cloud credentials in it? If so, how can I get them? Is this a big deal?
  • Can my code interact with other running containers created by my BugPoC account? Can it interact with cross-customer containers?
  • What does the filesystem look like? Can I exfiltrate sensitive files or maybe overwrite essential ones?

The ExploitDB Importer queries a third-party database and displays its content on the bugpoc.com domain. Does this third-party enforce the same input validation as the rest of BugPoC?
Initial thoughts:

  • Can this vector be used to ingest otherwise disallowed characters?
  • Potential XSS, SQLi, etc ingestion vector?

The Burp Suite Extension's source code can be found here. It apparently uses undocumented BugPoC Quicklinks to auto-fill the HTTP PoC generator.
Initial thoughts:

  • Can this quicklink be abused for CSRF-style attacks?
  • Can this quicklink be abused to inject characters into fields that the UX normally disallows? Is this a big deal?

All PoCs can be downloaded as Runnable Docker Images. Untrusted Docker code is tough.
Initial thoughts:

  • Can code from a Python PoC escape this container somehow?
  • Can I create a Docker Image that gets flagged as malware when downloaded? Is this a big deal?

This is just an example Attack Plan written by one of our internal PenTesters. Feel free to poke other parts of the website not listed above. Get creative and have fun!


Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.