Attacker can send email to any Bugcrowd Researcher and flood bugcrowd's mail server.

Disclosed by: Arjun_Bahera
  • Engagement: Bugcrowd
  • Disclosed date: about 6 years ago
  • Points: 5
  • Priority: P4 (Bugcrowd's VRT priority rating)
  • Status: Informational (this vulnerability is seen as an accepted business risk)
Summary by Bugcrowd

As @bugcrowdninja.com is a forward to the researcher's inbox, the researcher outlined that they could send multiple e-mails to be forwarded to the researcher. As this use case is often needed for testing scenarios, this is flagged as wontfix, and researchers are encouraged to use non-personal inboxes for their Bugcrowd account and associated testing activity.
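The accepted risk above is a volume problem on a forwarding alias: every message to the alias is relayed onward, so one sender can fill the destination inbox. The example below is added here and is not Bugcrowd's code; it shows how an operator of such a forwarder could spot a flood from relay logs. It assumes a Postfix-style log line with `to=`, `orig_to=` and `status=` fields, and the sample log lines it builds are constructed for the example.

```python
"""Sliding-window flood detection for a mail-forwarding alias.

Added example (not Bugcrowd's code). Assumes Postfix-style relay log lines
of the form:
  <ISO timestamp> relay/smtp[<pid>]: <queue id>: to=<...>, orig_to=<...>, relay=..., status=...
where orig_to is the forwarding alias and to is the destination mailbox.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"relay/smtp\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<to>[^>]+)>, orig_to=<(?P<orig_to>[^>]+)>, "
    r"relay=(?P<relay>\S+), status=(?P<status>\w+)"
)


def parse_line(line):
    """Parse one relay log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_floods(lines, window=timedelta(minutes=5), threshold=20):
    """Return {alias: peak_count} for every alias whose number of forwarded
    (status=sent) messages inside any sliding window exceeds `threshold`.
    Lines are expected in chronological order per alias."""
    recent = defaultdict(deque)  # alias -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "sent":
            continue
        alias = rec["orig_to"].lower()
        q = recent[alias]
        q.append(rec["ts"])
        # Drop timestamps that have aged out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[alias] = max(peaks.get(alias, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample: 30 messages to one alias in under two minutes
    (a flood) and 3 messages to another alias spread over three minutes."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(
            f"{ts} relay/smtp[101]: {i:06X}: to=<alice@mailbox.example>, "
            f"orig_to=<alice@alias.example>, relay=mx.mailbox.example, status=sent"
        )
    for i in range(3):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(
            f"{ts} relay/smtp[102]: {0x100 + i:06X}: to=<bob@mailbox.example>, "
            f"orig_to=<bob@alias.example>, relay=mx.mailbox.example, status=sent"
        )
    lines.sort()  # ISO timestamps sort chronologically as strings
    return lines


if __name__ == "__main__":
    for alias, peak in find_floods(build_sample_log()).items():
        print(f"flood: {alias} received {peak} forwarded messages within 5 minutes")
```

The threshold and window are policy choices; in practice the flagged alias would be rate-limited or paused rather than the whole forwarder, so other researchers' mail keeps flowing.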

Summary by Arjun_Bahera

Anyone can send mails to researchers' or clients' personal mailing addresses, and this was accepted as an acceptable business risk by Bugcrowd.
