Dear Researchers,
We would like to point out a very important change related to our program, and to our scope more precisely.
As of this message, due to the increased amount of DNS brute-forcing activity (which causes internal issues), we have decided to change the scope of the program to a more direct but somewhat more restricted one.
From now on, we will only accept submissions related to the domains that you may find at https://gist.github.com/RedBullSecurity/3eb88debcb01759eccf65ec2b799b340
At the same time, we would like to kindly ask you to:
- Stop searching for more targets.
- Stop your configured tools that regularly search for more subdomains and domains, as this list will be kept up to date, with targets added and removed as we change our environment.
Tools that enumerate domains will be placed on the out-of-scope list.
As an additional reminder, please always use your @Intigriti.me account when working on our program.
Thank you very much for keeping the rules in mind!
Wish you all the best,
Red Bull Digital Security Department
Dear Researchers,
On behalf of the Red Bull Digital Security Department, we hope that you had a pleasant time in the holiday season, managed to recharge your batteries, and are looking forward to the new year! We wanted to say a huge thank you for all the effort that you've put in over the past 15 months to help us improve the security of our online footprint. Below you will find some updates from our team on various topics, such as the figures of the program, log4j, a few policy adjustments, and deliveries.
Figures
In total you've submitted around 5200 reports. Of those, 3700 reports were valid. 17% of the issues are Major findings (High, Critical, and Exceptional); 83% are findings rated with Minor severity (Medium, Low, None). 52% of the valid reports are duplicates and 14% are informative, for which we are truly thankful, as they often provide valuable information even if they can only be rated as informative. The remaining 34% are the reports we are still working on or have already fixed. Altogether you've earned more than 2500 trays of Red Bull.
The top 5 issues by category are the following:
- Reflected Cross-Site Scripting
- Open Redirect
- Information Disclosure
- Security Misconfiguration (Generic)
- Stored Cross-Site Scripting
Update to the program
Regarding log4j, we received several reports in the first few days after the issue was published; however, due to the two-week rule that we have in place, we could not accept these. As you may have guessed, we now accept all log4j reports with a severity of Critical, and to encourage you further we add 2 extra trays for such reports.
Please make sure to use your @intigriti.me address while hacking; unfortunately, in the future we won't be able to reward you if you miss this. Additionally, make sure you use an IP that is known to Intigriti. We do observe suspicious activity on our assets, but before we take any action we always double-check whether an IP is in use on the platform or not. Any activity coming from an unknown IP is treated as malicious and actions may be taken.
Please make sure that you utilize the capabilities of the platform; it provides everything that you may need to create a report. To have your report processed faster, use the appropriate fields for the corresponding details, e.g. details in the PoC/description, impact in the Impact field, etc.
As we have observed an increasing trend of grouping several issues in one ticket or submitting an issue via comments, we want to clarify that in the future we won't be able to accept these as separate issues: they will be treated as one submission and rewarded once. It is also beneficial for you to create a new report, as you will get more reward and reputation points for the same work.
If the same issue on different domains can be fixed with one fix (because they share the same codebase), we won't be able to reward each instance with trays if they are found by the same researcher. Your effort will be honored, but not in the same way as it would be for unique reports.
We kindly ask you to have a look at the rules of the program, especially the part about rate limit restrictions, and to stick to the stated value to avoid further actions.
Rewarding
Unfortunately, we know that in several locations we are behind schedule with deliveries. Due to the difficulties imposed by the pandemic we are obliged to comply with all local rules and policies, hence delivery may be slower in certain locations. While this is something we have no control over, we are truly sorry for any inconvenience we may have caused.
In case you have not received your trays 5 weeks after your submission was accepted, please send an e-mail to hackersrewardsupport@redbull.com and we will make sure to get back to you within 14 days regarding the status.
Please include the following information:
- Username:
- Report ID:
- Trays owed:
- Address:
Last but not least, we would like to thank you once again for all the hard work that you've done in the past 15 months.
Hope to see you hacking on our program in 2022 again!
Stay safe!
Best Regards,
Red Bull Digital Security Department