Due to the increasing size of my ecosystem, I am offering a Bug Bounty to valid submissions provided that the following procedures are followed:
All legal liability for intrusion attempts is waived if this policy is followed to the letter; anything else will be handled on a case by case basis. Want to try something of interest that isn't in scope here? Shoot me a message via the contact process listed below and I may offer a one-off approval. Want to test something that requires customer access? Well, I would hope you'd consider hosting with me (especially since I allow C2 and phishing instances, provided you can document authorization for red teaming when requested), but on a case by case basis I may grant a VM or two if you have reason to believe something is readily exploitable. It's OpenNebula running on CentOS. Go wild finding something on your own lab box, and let me know if you want to test a prod instance.
In Scope (in decreasing order of value)
- Hypervisor Shell Access / Customer VLAN Hopping
- DNS Updates
- Unauthorized access to the Firewalls or BGP Routers
- Injection into a F/OSS mirror system repository
- Control of an Extended Validation Certificate
- Control of a non-EV certificate for anything under *.hackingand.coffee that hasn’t been delegated
- Defacement / XSS / similar on a web page
- Please note that some subdomains are out of scope; see the list below
Out of Scope
- All Denial of Service (DoS) Attacks
- CSRF logout, unless a practical attack can be formed with it and demonstrated
- Scanner output submissions, unless you've got a working exploit that achieves one of the goals above
- *.stg.hackingand.coffee (known test areas where things may be vulnerable, or may be hosting CTF challenge backends)
- Any service that appears to be running out of AWS (yes, there are some, even though I am a hosting provider; I don't put all of my eggs in one basket). AWS would be very upset, since they require authorization for testing
- Social engineering a customer or vendor; they may or may not have their own responsible disclosure policy, and if so, follow it
- Physical attacks on our datacenter locations; on top of you likely getting shot (I am in Texas, after all), you're likely going to trigger a lot of countermeasures that will cause a lot of problems for you and everyone else involved
- Personal systems / accounts (employees, customers, and vendors). Yes, it's understandable that real attackers can pivot, but in reality A) I don't share creds with the secure environment, and B) you're just going to cause disruptions to my Anime streams and I'll be furrrrrrrrrryyyyious and stare at you making angry puns
- All reports must include a description, steps to reproduce, and any relevant details such as browsers and versions affected.
- Reports can be submitted via the following methods:
  - My secure document portal
  - Email with my PGP key to: [email protected] this domain
  - Keybase chat (least reliable contact method, but it works… just likely to get a slow response)
Whilst I can't offer the large cash payouts that the likes of the big G can, I can offer the following:
- Beer if you’re in my area
- VPS hosting / colocation
- Free gear for a home lab (I cycle stuff out a lot)
Anyway, I know most will probably spend their time looking elsewhere for bug hunting, but it's good practice to have a responsible disclosure policy in case someone does want to play (or finds something incidentally).
Happy Hunting (here or elsewhere)!