If you discover a problem or a vulnerability in our systems, we would appreciate it if you share this information with us as soon as possible. Security errors will be rewarded with a sum of bitcoins or a mention on the "wall of fame". The size of the reward depends on the impact of the error, up to a maximum of 5 BTC. You can count on a reward if you are the first to report a security issue and the report results in a change in the code or configuration. Some examples of security errors include:
Some security errors are not eligible for a reward because they have a low impact on security. The following types of security errors are examples. Please do not report such flaws unless a combination of errors can lead to a security issue with a greater impact.
In addition, we apply the following rules:
Security issues can be emailed to security@bl3p.eu. Encrypt your message with the PGP key below (key ID 0xB745A874). Please clearly describe the problem you found and the steps needed to reproduce it. Add attachments such as screenshots or data dumps to clarify the issue if possible. After receiving the notice, we will send an acknowledgment as soon as possible. We need some time to study and assess the report. After a maximum of three working days you will receive a first substantive response.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBFMPAtABCAC/s4AADhiD8czlo9X8WgJTfOzqxCK4BZCiIT1kqQ2z0lL48KNJ
e+d1+GJGhVatbGDmwNpMtqmLtOL6yFRbEnEaYub4ZpRrUlCyjNFLIAAHvI/vvg8J
RMfFyW1G/9z5bC3ZgoR4kVx2685h7ZCpbmowWgbPA7VeznSCB+OrI8o3TDYpqNY6
GyGMVEHysQYfHA5ezfeeS5k/zlNChj2/Gb2Irzqr9cr7ODtHurY983IcDI2zQID4
2ZYDLhxFAj3dyTWazE+qvYtoQQMiKtNtkpAEjOfPGG6PH5s6KuhpDWY91aoIUeRJ
bnk2bewf+FN92fLtMIqVcVbVB0+rJDNEj1SXABEBAAG0Jk5pZWxzIHZhbiBHcm9u
aW5nZW4gPG5pZWxzQGJpdG9uaWMubmw+iQE+BBMBAgAoBQJTDwLQAhsjBQkJZgGA
BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD7PFeot0WodFlmB/9tDt72x7Az
Ii8iXF6b5d6rc8NmMwR8QEYdHnI9s9MiK8/V4ZwAlHjCYGv0IXY1oChVR3fVw4EL
Ptazi0a6hyN5roABPDlqjM1evrpLalRG+4yHY8Zj0LrIp0btiAZo3BD0Vf0Pew37
xNqybZ4mgJdoQYOo/77LK2vMbLhqmAwXk4EFwF+qsg6d+6svnb+HIyn0YXhDXpzx
jTtZgYFwXQHnsaDi3Z+8qbZwYa5KusKBDG4/r8Yu1sYbaDwQhgBzg90GSkdsqKHx
YoHODeDT/vvpawBhJ4RQAA72SHqzB7u7arjy2lJh9krdaqM8OKMEhFntlce7Au5O
5mLX1P4keQBcuQENBFMPAtABCACsuH3BKHSrSgGAgLVw28anp3iabU5NymNkR8F6
8hSXWm5iEwUdxSxIyJo/QOLUtKM5UH7d35QHhw9Kbn2XK/jAAgwqRJMF+QTIgc1n
CRmLrCeYohT1WjZNElgkc/Bj9R8OLD7T4O1P04wZEQjQiDKeg2Dvwj4YmEYik9o/
Rd2PNSR7ysm/e8jfcQLn1OYy+d8otdaCenvmi/upKnmm+PjBm1gM/JG614Jd3jio
WJTnNAWZXGziAGqfFTSpJfNm0YKbUfaP+UvU0prs+tFjOHQHUOkV0ToXh6DtuS6N
IgNf6jRAXF691sE8KF7jgXEE70tYDsMFPG0UdDzktzNwTksvABEBAAGJASUEGAEC
AA8FAlMPAtACGwwFCQlmAYAACgkQ+zxXqLdFqHTMOggAi8FAr0glhyCnZSbCWCjZ
aakN+d88IvpR4JdWvgKZMNXO3w+YkQs4RKX+p5zszkeQsZhtfT8R/hOrcmeX409p
foUay0yadfhyT7Cdo5864cq9B+3+UMNsTG09g+/obSbOi+bMhmRHt7heszu90iTo
L6vVZjenyR3Vy7o17DESsFk4FknxHGyYxH7aK7NasV7P2xegQhj1jTZv8uFLQM/E
sgMBJby9ljnT6opfVXdbFc9xRP5Ezgmz1U+mQs78ISCd1vmF/6POcxQ0jmoH/qPb
6afwcldGLAZQLm0t+yxWaRbN0LdX1MQjeriETGOgDh8p2XkRp/o9lEQfLvEo17xg
lw==
=Ym7G
-----END PGP PUBLIC KEY BLOCK-----
We thank the bug hunters listed below for their efforts to make BL3P more secure. They have also received a bounty.
| Reporter | Issue | Notes |
|---|---|---|
| Hamid Ashraf @hamihax | After changing account email, old password reset link stays valid | The link expires automatically after one hour |
| Harsha Vardhan | Redirect after CSRF error could take user back to attacker | |
| | Old password reset links stay valid after reset | Link is only available to user, timeout after 1 hour |
| | Logging out did not clear browser cache | |
| | CSRF token at security not checked correctly | If a user had security TFA disabled, an attacker could trick the user into disabling login TFA as well |
| | Upload of malicious image files could overload verification server | |
| James A. | Old sessions remain valid after password change | |
| Sahil S. | XSS vulnerability in verification system | A bug in the localization system could in some cases display unfiltered user input |
| | Insecure session cookie | Sessions are IP-locked |
| Elyesa (Matthew) in der Maur | TOTP code could be reused in other session | Only for same user |
| | Confirmation link not locked to changed setting | |
| | Logout on BL3P did not instantly end session on verification server | |
| | Clickjacking defense in BVS not functioning for partial content | |
| | Possible name exposure via account restore | |
| | Email spam possible with email change confirmation links | |
| | XSS in some cases possible via email | |
| | Could change account email to existing value | |
| | Server side validation of withdrawal bank account broken | |
| Mandeep Jadon | Consecutive confirmation link requests did not invalidate former requests | |
| | Confirmation links were unjustly reported as being IP-locked | |
| Krishna Manoj Vandavasi | Input validation in verification system insufficient | Could lead to higher spam rating for mails from bl3p.eu when entering malicious URLs |
| Jay K Patel | Account email was not validated properly on change | |
| Ahmad Shuja | Some weak passwords were not denied | |
| Jochem Kuijpers | Configuration entries shown in JSON output | |