Bug Bounty

Due to the increasing size of my ecosystem, I am offering a Bug Bounty to valid submissions provided that the following procedures are followed:

All legal liability for intrusion attempts is waived if this policy is followed to the letter; anything else will be handled on a case by case basis. Want to try something of interest that isn’t in scope here? Shoot me a message via the contact process listed below and I may offer a one-off approval. Want to test something that requires customer access? Well, I would hope you’d consider hosting with me (especially since I allow C2 and phishing instances provided you can document authorization for red teaming when requested), but on a case by case basis I may grant a VM or two if you have a reason to believe something is readily exploitable. It’s OpenNebula running on CentOS. Go wild finding something on your own lab box, and let me know if you want to test a prod instance.

Goals

(in decreasing order of value)

  1. Hypervisor Shell Access / Customer VLAN Hopping
  2. DNS Updates
  3. Unauthorized access to the Firewalls or BGP Routers
  4. Injection into an F/OSS mirror system repository
  5. Control of an Extended Validation Certificate
  6. Control of a non-EV certificate for anything under *.hackingand.coffee that hasn’t been delegated
  7. Defacement / XSS / similar on a web page

Scope

  • *.hackingand.coffee
    • Please note, there are some subdomains out of scope listed below
  • *.white.hackmy.network
  • *.orange.hackmy.network
  • *.portal.hackmy.network

Out of Scope

  • All Denial of Service (DoS) Attacks
  • CSRF logout, unless a practical attack can be formed with it and demonstrated
  • Scanner output submissions, unless you’ve got a working exploit built on it that achieves one of the goals above
  • *.stg.hackingand.coffee (known test areas where things may be vulnerable, or may be hosting CTF challenge backends)
  • Any service that appears to be running out of AWS (yes, there are some even though I am a hosting provider; I don’t put all of my eggs in one basket). AWS would be very upset since they require authorization for testing
  • Social Engineering a customer or vendor; they may or may not have their own responsible disclosure, and if so follow their policies
  • Physical attacks on our datacenter locations; on top of you likely getting shot (I am in Texas after all), you’re going to likely trigger a lot of countermeasures that will cause a lot of problems for you and everyone else involved
  • Personal Systems / accounts (employees, customers, and vendors). Yes, it’s understandable real attackers can pivot, but in reality A) I don’t share creds with the secure environment, and B) you’re just going to cause disruptions to my Anime streams and I’ll be furrrrrrrrrryyyyious and stare at you making angry puns

Reporting Guidelines

  • All reports must include a description, steps to reproduce, and any relevant details such as browsers and versions affected.
  • Reports can be submitted via the following methods:

Bounties

Whilst I can’t offer the large cash that the likes of the big G can, I can offer the following:

  • Kudos
  • Beer if you’re in my area
  • VPS hosting / colocation
  • Free gear for a home lab (I cycle stuff out a lot)

Anyway, I know most will probably spend their time looking elsewhere for bug hunting, but it’s good practice to have a responsible disclosure policy in case someone does want to play (or finds something incidentally).

Happy Hunting (here or elsewhere)!

~H