I've been frustrated with #bugbounty programs for a while now. They aren't set up at all to receive any reports that aren't traditional webapp vulnerabilities. Things like infrastructure vulnerabilities, malware, C2 comms, and phishing don't fit into their box. They don't have CWEs for them and are usually on out-of-scope infrastructure. But many organizations think that they don't need any other way to contact their #infosec team besides the bug bounty program, for example, security.txt.
I reported some #OWASSRF #ProxyNotShell via #HackerOne because I wanted to alert those companies that they hadn’t patched their Exchange Server, not because I necessarily wanted a bounty. But these programs require that you obtain RCE proof; otherwise they are closed out. I’m not going to do that, because Exchange Server is typically not in scope, which would make it illegal to do. I also don’t want to step on any webshells that may have already been deployed by other attackers.
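The post's remedy for the "no channel except the bounty program" problem is a security.txt file (RFC 9116). The checker below is an added example, not code from the post's author or from any bug bounty platform: it parses a security.txt, verifies the two required fields (Contact and Expires), rejects Contact values that are not mailto:/tel:/https:// URIs, and flags an expired or over-long Expires, which is the most common reason a published file quietly stops working. The sample files, the example.com addresses and the fixed reference time are constructed for the demo.

```python
"""Minimal RFC 9116 (security.txt) checker.

Added example: the parsing and checks below are my own reading of
RFC 9116, not code from the post's author or from any bug bounty
platform. All sample data is constructed inline.
"""
from datetime import datetime, timedelta, timezone

REQUIRED = {"contact", "expires"}
KNOWN = REQUIRED | {"acknowledgments", "canonical", "encryption", "hiring",
                    "policy", "preferred-languages", "csaf"}
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

# Constructed reference time so the demo and its checks are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample: what a file at https://example.com/.well-known/security.txt
# should look like if the org wants to receive non-webapp reports.
GOOD = """# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-infrastructure-issue
Expires: 2025-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with the two errors seen most often in the wild:
# a bare email address instead of a mailto: URI, and an Expires in the past.
BAD = """Contact: security@example.com
Expires: 2023-12-31T23:59:59Z
Policy: https://example.com/disclosure-policy
"""


def parse_security_txt(text):
    """Return {field_name_lower: [values]}, ignoring comments and blank lines.
    Raises ValueError on a line that is neither a comment nor 'Name: value'."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: not a 'Name: value' field: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field: {name.title()}")

    # RFC 9116 requires Contact values to be URIs; a bare address is not one.
    for uri in fields.get("contact", []):
        if not uri.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https:// URI: {uri}")

    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires lacks a timezone offset: {value}")
        elif when <= now:
            problems.append(f"file expired on {value}; reporters may treat it as stale")
        elif when - now > timedelta(days=366):
            problems.append(f"Expires is more than a year out ({value}); "
                            "RFC 9116 recommends at most one year")

    # Unknown names are usually typos (e.g. 'Contacts:') that silently hide a field.
    for name in sorted(fields.keys() - KNOWN):
        problems.append(f"unknown field (typo?): {name}")
    return problems


if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_security_txt(sample, now=NOW) or "ok")
```

Run it periodically against your own published file, not just once at deployment: the Expires check is the one that fails later, and a stale file is worse than none because a reporter who finds it will assume the contact is still monitored.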