Very unhelpful to get daily emails at security@grapheneos.org from people seeking bug bounties reporting we have a directory listing at apps.grapheneos.org, lack a captcha for attestation.app + discuss.grapheneos.org registration and have fairly high rate limits.
Several people have reported AOSP security issues to us via our issue tracker, which we reported on their behalf to AOSP and fixed early when it was feasible. We've never gotten a valid security report via the security@ email addresses on our domains, only this kind of bounty spam.
How about publishing a #securitytxt file as per #RFC9116 to point to a Policy that informs researchers of the scope of your program? E.g. datatracker.ietf.org/doc/html/rfc91
As an example LinkedIn has their policy specify what qualifies vs does NOT qualify, see
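To make the RFC 9116 suggestion concrete, here is an added checker (not part of the thread, and not GrapheneOS's or anyone's real policy) that validates a security.txt against the rules a researcher would rely on: Contact and Expires are required, Expires and Preferred-Languages appear at most once, web URIs must be https, and Expires should be in the future and within a year. The sample file, its example.org addresses and the fixed NOW timestamp are constructed for the demonstration.

```python
"""Validate a security.txt (RFC 9116) file. Added example with a constructed sample."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# RFC 9116: Contact and Expires are required; Expires and Preferred-Languages
# may appear at most once; any web URI must use https.
REQUIRED = {"Contact", "Expires"}
SINGLE = {"Expires", "Preferred-Languages"}
KNOWN = REQUIRED | SINGLE | {"Policy", "Acknowledgments", "Canonical", "Encryption", "Hiring"}
NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)  # fixed "current time" for a repeatable check

def parse_security_txt(text):
    """Return {field: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now):
    """Return a list of problems; an empty list means the file passes."""
    fields = parse_security_txt(text)
    problems = [f"missing required field {f}" for f in REQUIRED - fields.keys()]
    problems += [f"{f} given more than once" for f in SINGLE & fields.keys() if len(fields[f]) > 1]
    problems += [f"unknown field {f}" for f in fields.keys() - KNOWN]
    for name, values in fields.items():
        for v in values:
            if name in ("Expires", "Preferred-Languages"):
                continue  # not URIs
            scheme = urlparse(v).scheme
            if scheme == "http":
                problems.append(f"{name} uses plain http: {v}")
            elif name == "Contact" and scheme not in ("https", "mailto", "tel"):
                problems.append(f"Contact is not an https/mailto/tel URI: {v}")
    for v in fields.get("Expires", []):
        try:
            expires = datetime.fromisoformat(v.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {v}")
            continue
        if expires <= now:
            problems.append("file has expired")
        elif expires - now > timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    return problems

# Constructed sample; the policy URL is a placeholder, not a real program.
SAMPLE = """# Constructed example, not a real policy
Contact: mailto:security@example.org
Expires: 2030-01-01T00:00:00Z
Policy: https://example.org/security-policy
Preferred-Languages: en
"""
```

A Policy URL that spells out what is in and out of scope (as the thread suggests) is what turns the file from a contact pointer into a filter for the kind of reports described above.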
Reporting a directory listing for a package repository as a vulnerability is clearly not valid. Reporting lack of a captcha for a registration / login form is also clearly not valid. Captchas make websites less accessible and are a privacy/security issue when it's third party.