lexi
@lexi
re: this. tl;dr so far
  • twitters BBP being twitters BBP, the usual
  • i reported a bug almost 2 years ago
  • someone else found it and made it public
  • i commented that i found that 2 years ago and leaked a few other details (no actual vulns though)
  • they did Not like that and i was promptly banned from their bbp lol

this one's a banger.

so if you check the numbers on my original post you might notice that the report that i leaked is not the same report i was banned on.

the report i was banned on was an unrelated report that i reported a few days before the other person found my vuln, just a funny coincidence. i probably was just banned for the latest report because they couldn't be assed to find the right one.

anyways THEY BOUNTIED ME $560 FOR THE REPORT I WAS BANNED FOR LMFAO

the bounty congratulations mail right next to the ban mail may be one of the funniest juxtapositions i have ever seen

and that's not even everything that happened in the last couple of days. after i got banned, i asked them why they banned me on the report. instead of responding to me, they just immediately contacted hackerone's mediation service for some reason?

the mediation team then told me this:

Our guidelines, as well as those of the program, require mutual agreement before disclosing any details from reports, even if similar information has been made public by others or obfuscation attempts have been made. Unilaterally sharing content from your report on a public platform, without such an agreement, is a breach of these policies.

which sounds reasonable, but, well, it's not true?

Uncoordinated Vulnerability Disclosure - Public Programs: Disclosing vulnerability information without a clear, good faith effort to follow industry standard coordinated vulnerability disclosure practices is not acceptable. Do not disclose vulnerability information without exhausting all good faith efforts to coordinate with the organization and/or program over a reasonable period of time. Confidential information or data belonging to the program or their users should never be published without coordinating with the organization or program.

like, it clearly says that leaking vuln information is against the rules. i did not leak shit, i just repeated what someone else found lmao

and you might think that they could say that i disclosed new information, but nope, the support person has already agreed that my "recent disclosure doesn't seem to introduce new information", so not only are all of the above points funny, but if they agree with me i might even get my ban reverted lol

but it gets better!

thing is, i wrote to them that disclosing it wasn't possible because the twitter guys just don't fix the goddamn vulns i reported. so i can't request to do a mutually agreed disclosure, because the report is still open, and that twitter's behavior (effectively silencing me to talk about the absolute state of the program) is unacceptable.

they responded to that that they're looking into twitter's delays (and agreed that i didn't disclose shit), but told me to use the h1 mediation in cases like this. i then pointed out that that won't work either, because politely asking them to fix their shit doesn't do shit (source: tried that a few times before giving up lol), and that even their mediation service can't force their engineers to fix their shit.

and for the shits and giggles i thought i'd look through my reports folder, and yes, there was another one that has been open for 6+ months and not fixed, so i requested mediation there too to show them that that is also like talking to a wall.

ironically while going through my reports i found another vuln that was closed and marked as informative because they had an "internal investigation" and were ""already addressing the issue"" 14 months ago, and well, it still works as of today. i wrote a friendly comment asking them if the investigation might have investigated something else, and who knows, maybe this will be the 2nd bounty i get after getting banned from the BBP lol

another interesting question i asked is what i should do with the few vulns that i haven't written a report for yet (because i genuinely still have a couple bird app oopsies on my hard drive) if they don't revert the ban and whether i should just make them public lol

also, remember the "source: tried that a few times before giving up lol" i mentioned? that was another issue that was fun. that was the one where i reported it, and they made up a rule putting it out of scope (and adding it to the program policy after i reported it lmao), where they also refuse to disclose it (even though they don't pay) and they have not fixed it till this day even though i repeatedly asked them to fix it even if it's informative, because it actually is a vulnerability that can be exploited to easily scam idiots on the bird app, and because i still have some remains of a moral compass i'd actually prefer if they fixed that shit, but no lol. anyways i may or may not have asked in the mediation conversation if doing that is even a thing they can do without consequences, and with a bit of luck this might become the third bounty they have to pay me after i got banned lmao

it is hilarious how bad this bug bounty program is. it is S tier entertainment. i almost feel bad for the twitter security employees. almost.

P.S.: yes, they also banned someone for reporting a highly wormable full XSS + CSRF exploit chain a few days ago lol