Since 2015, Firebounty has been helping users discover vulnerability disclosure policies (VDPs). For policy discovery on steroids, we have partnered with ONYPHE, the ‘Internet SIEM’. Read on to find what this boost means for coordinated disclosure.
FireBounty has existed since 2015 with the primary purpose of letting security researchers find disclosure policies of any kind, be it ‘Hall of Fame’ listings or Bug Bounty programmes paying rewards. So far, FireBounty harbours thousands of Vulnerability Disclosure Policies (VDPs), which already makes it the world’s most complete VDP directory.
FireBounty also powers the browser plugin VDPFinder, a one-of-a-kind tool making VDP discovery as effortless as web browsing itself. Thanks to the combination of FireBounty’s up-to-date and exhaustive database and VDPFinder’s ease of use, everyone can see at a glance how to report a vulnerability and where doing so is rewarded through a Bug Bounty programme.
We have been ramping up FireBounty’s capabilities. In our quest to identify and index all VDPs out there, we have been testing a range of solutions. That is how we got to play with ONYPHE. A young, like-minded security-oriented endeavour, ONYPHE goes with the leitmotif ‘Your Internet SIEM’.
Sounds cool, eh? Read on–it gets better.
Security.txt <3 FireBounty: VDPs for anyone to use
A simple yet efficient draft standard, security.txt lets any organisation publish its VDP in minutes: a plain text file served from a defined, well-known path on its website (/.well-known/security.txt). Conceived by EdOverflow and @nightwatchcyber, security.txt is becoming a de facto standard, adopted by large corporate websites and personal webpages alike.
Since FireBounty harbours VDPs from across the web, adding security.txt to it is the natural next step. Sure thing, but do we need to crawl, like, the whole web to achieve this? Besides, spidering websites regularly with our own bots can be misinterpreted and cause side effects we ought to avoid.
We first tried to find criteria that predict whether a website is likely to expose a security.txt. Using certificate transparency logs to discover and check websites, we tested different criteria (e.g. country, certificate authority). The approach quickly proved fruitless: no criterion correlated meaningfully with the presence of security.txt, and only a meagre handful of files turned up.
So there we were, facing the whole internet alone with our powerful yet insufficient crawlers. We logically turned to Shodan, and it worked, to a degree, providing us with more than 1,500 security.txt files. We can do better, however.
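To make the file format concrete, here is a small checker of the kind a directory like FireBounty would run on each policy it indexes: it builds the URLs a crawler would request, parses the field/value lines, and flags the two things that most often make a published policy unusable (no Contact, or an Expires date already in the past). This is an added example, not FireBounty’s, ONYPHE’s or VDPFinder’s code; the sample file and the example.org host are constructed. The Expires field was introduced in later drafts and is mandatory in RFC 9116, so a policy from the early-draft era may legitimately lack it.

```python
"""Minimal security.txt checker: locate, parse and sanity-check a policy.

Added example; not FireBounty's, ONYPHE's or VDPFinder's code.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Dict, List
from urllib.parse import urlsplit

# Well-known location (RFC 9116 and the earlier draft). Early drafts also
# allowed the site root, so crawlers usually try both paths.
WELL_KNOWN_PATH = "/.well-known/security.txt"
LEGACY_PATH = "/security.txt"

# Constructed sample file for offline use; host and contacts are made up.
SAMPLE_SECURITY_TXT = """\
# Constructed sample, not a real organisation's policy
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2099-12-31T23:59:00.000Z
Encryption: https://example.org/pgp-key.txt
Policy: https://example.org/vdp
Preferred-Languages: en, fr
"""


def candidate_urls(host: str) -> List[str]:
    """URLs a crawler would request for a host, well-known path first."""
    return [f"https://{host}{WELL_KNOWN_PATH}", f"https://{host}{LEGACY_PATH}"]


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines into a dict of lists (fields may repeat).

    Comment lines start with '#'; blank lines are skipped; field names are
    case-insensitive, so keys are lower-cased for lookup.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            continue  # tolerate junk lines; a strict checker would flag them
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_policy(fields: Dict[str, List[str]], now: datetime | None = None) -> List[str]:
    """Return a list of problems; an empty list means the policy looks usable."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for contact in contacts:
        # Contact must be a URI; mailto:, https: and tel: are the usual schemes.
        if urlsplit(contact).scheme.lower() not in ("mailto", "https", "tel"):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact!r}")

    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing Expires field")
    elif len(expires) > 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # ISO 8601 with a trailing Z; fromisoformat wants an explicit offset.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append(f"policy expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    print(candidate_urls("example.org"))
    print(parsed["contact"], check_policy(parsed) or "policy OK")
```

A real crawler would fetch `candidate_urls(host)` over HTTPS, feed the body to `parse_security_txt`, and index only policies for which `check_policy` returns nothing; an expired or contact-less file is exactly the kind of stale VDP a directory should not advertise.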
Enter ONYPHE, the ‘Internet SIEM’
ONYPHE is a young French company that defines itself as “your Internet SIEM”. Its active scan of the whole internet, not only the web, is coupled with other useful sources such as threat lists, geolocation data, passive DNS, paste sites and even the dark web. Thus, ONYPHE collects and indexes a tremendous amount of data.
Naturally, harbouring data is only part of the story. ONYPHE then offers the capacity to query these troves of information easily, through a single search form or an API. This is how one effortlessly finds the proverbial needle in each of its information-category haystacks (e.g. datascan, synscan, pastries, resolver, ctl, onionscan and many others).
And, last but not least, ONYPHE, just like YesWeHack, was founded by security enthusiasts with a deep understanding of the technical challenges practitioners face in their everyday work. Through its innovative approach, it aims to improve tooling, thereby contributing to better cybersecurity for all.
Boosting FireBounty with ONYPHE
Amongst the cool things ONYPHE can do is directing its sensors and tailoring its searches to find data located deep down in a protocol structure or, like security.txt, at a specific, well-defined path. (Shhhhh, it is thanks to that feature that ONYPHE regularly blogs about actual exposure to the latest top 0-days or the internet-wide spread of famous botnets.)
ONYPHE adapted its crawlers to extract security.txt and exposed the results via its comprehensive API. We now have everything we need to keep identifying security.txt files. Since 27 April, a new logo features on many policies listed at FireBounty: FireBounty now indexes, daily, the new security.txt files retrieved by ONYPHE, and the directory now exceeds 3,200 policies!
We are delighted to see so many VDPs surfacing. The increasing number of organisations devising a clear path to coordinated vulnerability disclosure indicates that a growing number of people work towards better cybersecurity. Similarly, an ever-growing number of ethical hackers make use of existing VDPs.
While that effort is commendable, it is vital to remind everyone that a VDP is quite often a passive listening mechanism: it tells you where to report, not that testing is invited or rewarded. FireBounty and VDPFinder aim at showcasing the efforts to quell wild vulnerability disclosure. They are in no way an incentive to hunt aggressively or, worse, to ask for a financial reward upfront, promising to “disclose if you pay me” where no monetary reward is envisioned. We are ethical hackers.
Let’s keep on making the Internet safer—to infinity and beyond!