BugsCollector.com all security bugs in one place

image 2 years I have tried to please Habr articles (mostly personal) in the field of information security, for the most part in the web. Share knowledge, gain experience and feedback, meet interesting people.


Not considerably, made the largest contribution to hub "Information security" of all time. During this time I learned a lot, absolutely not to compare my level of knowledge then and now.

And, working in this field, I have experienced a few problems, solutions to which I could not find anywhere else. I've met other people who have faced the same. But the decision was! And, then, I decided to solve in the first place, your problem, and know that I am sure will help many. Thus was born the resource with speaking for himself the address bugscollector.com.

Problem #1. Mass, personal notification about vulnerabilities


Remember the article that was the second rating in the history...? obtained the source code 3300 the global Internet project. Or when I was trying to inform administrators from various government, military, payment systems, banks may, about a dangerous data leak? Well, or fresh — found XSS over 6,000 websites from the alexa top 5000. How to notify all at once? When half of the sites no email for contacts, some ignore, and some more threatening.

It would be nice to have a resource where it would be possible to send information about any vulnerabilities found on all websites and notify in private mode? There are CERT, seclists, but it's not that. They will not consider XSS, they do not have the contacts of all these sites, no help. So, you need a resource where will be registered all interested site owners, where they can be notified in the case of such (privately). BugsCollector — not existing, it's completely new and different.

Problem #2. Personal history of found vulnerabilities


Here I understand some of those who like to constantly look somewhere hole :) it would be Nice to have just for himself, only what you found, right? I just wondered where would be to conduct such personal statistics as found bugs, but also to see what others find.

Problem #3. Ignore vendor-specific


Very often is something serious about trying to inform the vendor / administrator — and it is stupid to ignore. Attraction of the audience usually helps.

Problem #4. Personal interest


I wonder what the vulnerability was found for all time on Google, Facebook, Yahoo, Yandex and other websites? Something in the format of the wiki, you come to the page resource — and there are all bugs. Not scattered across personal blogs and tweets, but all together. By the way, sometimes it helps to figure out where you can dig, if you decide to participate in BugBounty (e.g. to learn about the resources that are in scope, but not explicitly specified).

Problem #5. Summary


When job search pentester — you can throw a link to your profile where are displayed all the found bugs. I think that's cool :)

Implementation of


I'm not a professional in the field of web development and not a designer, but his idea was implemented. Option beta (if not alpha), with the initial functionality is already available — bugscollector.com (posted on microinsurance Amazon), you can go, view bugs, comment on, vote, log in via Twitter to add their bugs/websites. Although, you and others, there is a checkbox — but you must link to the original researcher (if in the future he will sign up for online — we "bind" the bug to him).

Already the feedback received from the various security guys, almost everything they say — shoot :) Now comes the period of active development, but already need:
the

    Hackers resercher, script-kiddie. Add your own bugs (not necessarily in the popular resource); the

  • owners of the sites. Add your sites and get notified about the added vulnerabilities on your website;
  • the
  • By passing. To leave feedback, suggestions, comments and ideas;
  • the
  • Experts in English. My lyrics leave much to be desired.

My personal TODO list to draft is still huge. Planned delayed public disclosure, if the administrator is registered on the resource, add music tracks, listened to a hacker finding the vulnerability. Authorization through Facebook/gmail, etc. resources, and more. And the site is already available the found vulnerabilities to the Google, Facebook, Yandex and others.

Slightly later report added abrasheva (and not only) bugs, development process and other detail.

PS I Tried to configure the server for gebrettert. Chased through the ab and it is not only comparable to Hebron loads — must survive.

the
Article based on information from habrahabr.ru

Комментарии

Популярные сообщения из этого блога

Car navigation in detail

Google has launched an online training course advanced search

PostgreSQL: Analytics for DBA