Someone recently sent an XSS smoke test alert - thank you!
You may have seen a message like this yesterday on SteemitX.com. My excitement to release new features to you guys resulted in a cross-site scripting bug being missed. Posts on Steemit that had embedded scripts were being passed through and run on SteemitX. This has now been corrected using input filtering on comment text.
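As an added illustration of the "input filtering" fix described above (example code, not SteemitX's own): an allow-list sanitizer that rewrites untrusted post HTML before it is rendered, keeping only a small set of tags and attributes and entity-encoding everything else, so an embedded `<script>` becomes visible text instead of executing. The allowed tag list and the http(s)-only URL rule are assumptions, not what SteemitX actually uses.

```javascript
// Allow-list sanitizer for untrusted post HTML (assumed policy, not SteemitX's):
// tags not on the list are escaped into visible text, attributes are dropped
// unless explicitly allowed, and URL attributes must be plain http(s) links.
// Text outside recognised tags is entity-encoded, so a stray "<" can never
// open a new element.
const ALLOWED = {
  p: [], b: [], i: [], em: [], strong: [], br: [], ul: [], ol: [], li: [],
  a: ["href"], img: ["src", "alt"],
};
const URL_ATTRS = new Set(["href", "src"]);

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

function safeUrl(value) {
  // Only absolute http(s) URLs survive; javascript:, data: and friends are dropped.
  return /^https?:\/\/[^\s"'<>]+$/i.test(value.trim());
}

function sanitizeTag(close, name, rawAttrs) {
  const tag = name.toLowerCase();
  const allowed = ALLOWED[tag];
  if (!allowed) return null;               // caller escapes the whole tag as text
  if (close) return `</${tag}>`;
  const attrs = [];
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.includes(attr)) continue;  // drops onerror, onclick, style, ...
    if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
    attrs.push(` ${attr}="${escapeHtml(value)}"`);
  }
  return `<${tag}${attrs.join("")}>`;
}

function sanitizeHtml(input) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));          // text between tags
    out += sanitizeTag(m[1] === "/", m[2], m[3]) ?? escapeHtml(m[0]);
    last = tagRe.lastIndex;
  }
  return out + escapeHtml(input.slice(last));
}
```

This tokenizer is deliberately small; for production rendering of third-party post content a maintained sanitizer such as DOMPurify, which works on a real DOM tree, is the safer choice.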
Bug Bounty Program
My professional career has revolved around the IT and Systems Administration side of technology. My interests have also led me to learn more about technologies and languages for building websites and web apps, but I am still learning (it's a never-ending process).
That's where you come in!
If you are a professional in the web app industry, I want to learn from you! Education isn't free though, so I want to pay a portion of profits from future additions and tools to whoever is willing to test them.
Payouts
- Depending on the severity of the bug and the effort involved, I will offer 1-10% of profit from that release
- Only the top comment will get the payout (best bug description and recommended solution)
- If multiple bugs are discovered, the 1-10% payout will be split among them all
Bugs that are included:
- Website breaking bugs (like the XSS smoke-test alert)
- Client-side attacks against users using SteemitX.com
- Other critical bugs that would be detrimental to users or SteemitX.com
Bugs that may not be included but may receive a payout if useful:
- Not adhering to best practices - (I'm a bit rusty, so I am sure this is an issue)
- Links to guides for better/optimal code implementations than what SteemitX.com currently uses
- Other bugs that would have a minimal impact or are more annoying than anything else
This list is subject to change and is based on my own subjective determination.
The XSS Example
This definitely was a critical bug in my book, but it was a rather trivial bug to test for, so I am offering $100 SD to the person who sent the XSS alert notification. Please post a link to your post/comment that sent the alert and I will send you $100 SD (it may take a couple of days, as I have to transfer more funds in; I have Powered Up all my Steem so far).
NOTE: Steemitx.com does not store any user information other than Google Analytics and performs no authentication, which helps prevent any negative actions against users. Future implementations will begin caching your filter list and settings. The goal of SteemitX is to provide a tool for the community that does not jeopardize user security, safety or privacy.
Try this tool to randomly hack at your code
https://en.wikipedia.org/wiki/American_fuzzy_lop_(fuzzer)
I'm not a security expert, but I'm hoping I can get an upvote.
Very cool. Thanks for sharing!
Hey, nice initiative with the bug bounties and I appreciate most of all the final NOTE. I have been using Steemitx.com daily since you launched it, proposed new features and it has become essential in my daily Steemit life.
You confirming the security of the app is once again very encouraging and exactly the type of character Steemit needs to build its value.
Thank you!!
My pleasure! This is a user-first focused platform ;)
I just found a bug in Steemit :) Would there be bounties for that as well?
https://steemit.com/bug/@anduweb/steemit-bug-clicking-edit-to-modify-a-long-post-now-logs-me-out-every-time-i-go-to-the-post-page
I am not affiliated with Steemit, but I upvoted it for visibility =)
Thanks!!