Program Changes
4/25/2022, 3:45:31 PM (7 months ago)

Dear Researchers,

We would like to point out a very important change related to our program, or, to be more precise, to our scope.
At the time of posting this message, due to the increased amount of DNS brute-forcing activity (which causes internal issues), we decided to change the scope of the program to a more direct but somewhat more restricted one.

From now on, we will only accept submissions related to the domains listed at https://gist.github.com/RedBullSecurity/3eb88debcb01759eccf65ec2b799b340

At the same time, we would like to kindly ask you to:

  • Stop searching for more targets.
  • Stop your configured tools that regularly search for more subdomains and domains, as this list will be kept up to date, with targets added and removed as we change our environment.

Domain-enumeration tools will be placed on the out-of-scope list.

As an additional reminder, please always use your @Intigriti.me account when working on our program.

Thank you very much for keeping the rules in mind!

Wish you all the best,
Red Bull Digital Security Department

New Year Update
1/18/2022, 10:24:26 AM (11 months ago)

Dear Researchers,

On behalf of the Red Bull Digital Security Department, we hope that you had a pleasant time over the holiday season, managed to recharge your batteries, and are looking forward to the new year! We want to say a huge thank you for all the effort you have put in over the past 15 months to help us improve the security of our online footprint. Below you will find updates from our team on various topics, such as program figures, log4j, a few policy adjustments and deliveries.

Figures

In total you have submitted around 5200 reports, of which 3700 were valid. 17% of the issues are Major findings (High, Critical and Exceptional); 83% are findings rated with Minor severity (Medium, Low, None). 52% of the valid reports are duplicates and 14% are informative, for which we are truly thankful, as they often provide valuable information even if they can only be rated as informative. The remaining 34% is of course the part we are still working on, or have already fixed. Altogether you have earned more than 2500 trays of Red Bull.

The top 5 issues by category are the following:

  • Reflected Cross-Site Scripting
  • Open Redirect
  • Information Disclosure
  • Security Misconfiguration (Generic)
  • Stored Cross-Site Scripting

Update to the program

Regarding log4j, we received several reports in the first few days after the issue was published; however, due to the two-week rule we have in place, we could not accept these. As you may have guessed, we now accept all log4j reports with a severity of Critical, and to encourage you further we add 2 extra trays for such reports.

Please make sure to use your @intigriti.me address while hacking; unfortunately, in the future we will not be able to reward you if you miss this. Additionally, make sure you use an IP that is known to Intigriti. We do observe suspicious activities on our assets, but before we take any action we always double-check whether an IP is in use on the platform. Any activity done from an unknown IP is treated as malicious, and actions may be taken.

Please make sure that you utilize the capabilities of the platform; it provides everything you may need to create a report. To get your report processed faster, use the appropriate fields for the corresponding details, e.g. the details go into the POC/description and the impact into the Impact field.

As we have observed an increasing trend of submitting grouped issues in one ticket, or submitting an issue via comments, we want to clarify that in the future we will not be able to accept these as separate issues; they will be treated as one submission and rewarded once. It is also beneficial for you to create a new report for each issue, as you will get more reward and reputation points for it.

If the same issue on different domains can be fixed with one fix (because they share the same codebase), we will not be able to reward you with trays if it is found by the same researcher. Your effort will be honored, but not in the same way as it would be for unique reports.

We kindly ask you to have a look at the rules of the program, especially the part about rate limits, and to stick to the stated value to avoid further actions.

Rewarding

Unfortunately, we know that in several locations we are behind schedule with deliveries. Due to the difficulties imposed by the pandemic we are obliged to comply with local rules and policies, so delivery may be slower in certain locations. While this is something we have no control over, we are truly sorry for any inconvenience we may have caused.

In case you have not received your trays 5 weeks after your submission was accepted, please send us an e-mail at hackersrewardsupport@redbull.com and we will make sure to get back to you within 14 days regarding the status.

Please include the following information:

  • Username:
  • Report ID:
  • Trays owed:
  • Address:

Last but not least, we would like to thank you once again for all the hard work you have done in the past 15 months.

Hope to see you hacking on our program in 2022 again!
Stay safe!

Best Regards,
Red Bull Digital Security Department

Restart of Program
5/10/2021, 1:48:05 PM (over 1 year ago)

Dear Red Bull Friendly Hacker,

It is time to start again. Today at 5 pm CET we will open our program again.
We used the break to review all reports received in 2021 and want to give additional appreciation for the following:

  • We saw two really cool app-related reports by sunil797 (REDBULL-Y4C3ADCN) and joelb021017 (REDBULL-TOQWXJ72)
  • There was also one quite cool non-app-related report by mr_synack (REDBULL-K0K1YRG8)
  • The reports handed in by Sadhack3r have consistently been the most detailed and highest-quality reports

We want to thank all the mentioned Friendly Hackers for their outstanding submissions and will get in touch with them for some additional "bonus" 😉.
Nevertheless, you are all doing a great job in making the world a safer place, and therefore you all deserve a big thanks.

We are looking forward to an exciting restart of our program!

Have a great start into this new week,

mbran & swin

It is time for a restart :)
4/30/2021, 7:29:09 AM (over 1 year ago)

Dear Red Bull Friendly Hacker,

After a few weeks' break, our program will be back on May 10th at 5 pm Central European Time.

Please read our program carefully to understand all do's and don'ts. The don'ts especially include the use of any techniques that generate a high amount of traffic, such as automated scanners, brute-forcing attempts, heavy fuzzing, anything related to DoS/DDoS, and so on.

The process of sending trays for the last hacking period is already ongoing. Feel free to send us an e-mail at hackersrewardsupport@redbull.com if there are any questions regarding shipment or if you do not receive your trays within the next few weeks. We are continuously improving at getting things done as fast as possible.

Have a great weekend,

mbran & swin

Upcoming Program Break
3/23/2021, 6:56:09 AM (over 1 year ago)

Dear Red Bull Friendly Hackers,

Many thanks for all your contributions in this first quarter of the year. Again, many new issues were brought to our table, especially XSS vulnerabilities, as these are in scope now 😉.
As the to-do list of issues to fix keeps growing, we decided to do another "Maintenance Break" in which we concentrate on fixing issues and ensuring your well-deserved trays reach you.
This also saves you from the frustration of duplicates, as we currently see many of them.

The maintenance break will start on Monday, 29th of March and will last until sometime in May (the date will be announced at least one week ahead).

Be sure that we will also use the time to update our program details and improve the program in general. If there are any questions about shipping trays, do not hesitate to get in touch with us via hackersrewardsupport@redbull.com.
We will start our shipping process for all trays earned in 2021 by the end of March.

All the best and stay healthy,

mbran & swin

Some words about Wildcard DNS requests and Scanning
2/25/2021, 12:03:02 PM (almost 2 years ago)

Dear Red Bull Friendly Hackers,

First of all, thanks for all the valuable reports we have received since we relaunched our program. As expected, XSS is a highflyer this time ;).

Wildcard DNS requests:
Since we launched our program at Intigriti, we have also seen some curious behavior on the DNS side which we want to share with you.
Since October last year we have been getting masses (hundreds of millions to a few billion a month) of DNS requests for *.redbull.com, *.servustv.com, and so on. The wildcard here is a literal asterisk, not a placeholder for some subdomain.
The problem: DNS services cannot resolve a literal "*", and no caching is possible on the DNS side for "*.something.TLD". Our theory is that these wildcard entries are taken from our SSL certificates during recon and used unfiltered in scripts and scanners.
As there is no added value for you in using wildcard targets, we ask you to check your recon lists, scanners, scripts and so on and remove these kinds of targets. Our DNS provider may thank you for that, as the mass of these requests may cause impact and confusion in the long term ;).
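As an added example (not code from the program team or from Intigriti), the following Python snippet shows the kind of hygiene step asked for above: it cleans a recon list that was copied straight out of certificate Subject Alternative Names, dropping literal wildcard entries (and anything else a resolver cannot look up) before the list is handed to any tooling. It goes slightly beyond the text in one respect: a wildcard entry "*.example.com" is dropped, but its base name "example.com" is kept, since that is the one hostname the wildcard entry actually attests to. The sample list, the function names and the example.com/example.net/example.org names are all constructed for illustration.

```python
import re
from typing import Iterable, List, Tuple

# RFC 1123 hostname label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_resolvable_name(name: str) -> bool:
    """True if `name` is a plain hostname a resolver can look up (no '*', no empty labels)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def normalize_recon_targets(entries: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Clean a recon list built from certificate SAN entries (hypothetical helper).

    Returns (targets, dropped): `targets` is a sorted, de-duplicated list of
    resolvable hostnames; `dropped` lists the raw entries rejected as-is.
    A wildcard entry such as "*.example.com" is a certificate matching pattern,
    not a hostname, so it is dropped, but its base domain ("example.com") is
    kept because that name is the only one the wildcard entry vouches for.
    """
    targets = set()
    dropped = []
    for raw in entries:
        name = raw.strip().lower().rstrip(".")
        if name.startswith("*."):
            dropped.append(raw)
            base = name[2:]
            if is_resolvable_name(base):  # "*.*.example.net" yields no usable base
                targets.add(base)
            continue
        if is_resolvable_name(name):
            targets.add(name)
        else:
            dropped.append(raw)
    return sorted(targets), dropped


# Constructed sample input imitating a recon list copied straight out of certificate SANs.
SAMPLE_RECON_LIST = [
    "www.example.com",
    "*.example.com",
    "*.example.com",       # duplicate wildcard
    "API.Example.com.",    # mixed case, trailing dot
    "*.*.example.net",     # nested wildcard, nothing usable
    "shop.example.org",
    "",                    # blank line
]

if __name__ == "__main__":
    targets, dropped = normalize_recon_targets(SAMPLE_RECON_LIST)
    print("targets:", targets)
    print("dropped:", dropped)
```

Run the filter once over every list you feed to a scanner or resolver; the `dropped` list is worth a glance, because a wildcard that survived into a target list usually means the list was generated from certificate data without any validation step.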

Scanning/Fuzzing:
We regularly see heavy scanning/fuzzing attempts with a few thousand requests per second using tools like nuclei/httpx/ffuf/...; we know that we cannot avoid being scanned. If you feel the need to use automation tools, we ask you to at least check the settings and reduce the requests per second to 5 or lower. Running 5 scanners in parallel means 1 request/second each, and not taking the opportunity to scale via multiple instances 😉.
Be aware that in most cases you are just testing a WAF's capability to block your requests; the really cool findings are not obtained via scanners or fuzzing tools but through manual exploitation.

Many thanks and stay healthy,

mbran & swin

Update - Out of Scope List
2/9/2021, 7:16:38 PM (almost 2 years ago)

Dear Red Bull Friendly Hackers,

We want to inform you that we have put *.tv-insight.com on our out-of-scope list for the time being, as there are currently a lot of changes happening for an upcoming go-live. We ask you to stop activities on this domain until it goes back into scope in a few weeks.

Many thanks and happy hacking,

mbran & swin

Finally - Restart of our program!
2/8/2021, 10:03:20 AM (almost 2 years ago)

Dear Red Bull Friendly Hackers,

We are excited to announce that we will finally restart our program as planned today (February 8th) at 1 pm Central European Time (CET). Here are the most important changes to the program:

  • Reflected/DOM XSS is now in scope and will be rated with "Medium" severity
  • In general, we want to honor well-written reports, as we think this is one of the most important skills an independent researcher should have. This means: for accepted reports of high quality, we will add a tray of Red Bull (also for Low severity ones). Please be aware that a good report contains an understandable description of the problem, the potential impact and a solution that fits the problem. Keep in mind that often non-security personnel need to understand what is going on.

Please read our program carefully to understand all do's and don'ts, which especially include the use of any techniques that generate a high amount of traffic, such as automated scanners, brute-forcing attempts, heavy fuzzing, anything related to DoS/DDoS, and so on.

Last week we started the process of shipping all trays still open from 2020. Feel free to send us an e-mail at hackersrewardsupport@redbull.com if there are any questions regarding shipment or if you do not receive your trays within the next few weeks. We are continuously improving at getting things done as fast as possible.

Happy hacking and have a great start into this new week,

mbran & swin

Restart of our program and some other info
1/29/2021, 11:20:22 AM (almost 2 years ago)

Dear Red Bull Friendly Hacker community,

It is nearly a month now since we stopped our program. After this period we have good news and some not-so-perfect news.

The good news: We have used this past month to improve our processes and the way we cooperate with Intigriti, to provide a better experience with our program. We worked hard to fix problems with sending trays to certain countries, to brainstorm possibilities for opening up our program a bit more, and to find ways for more efficient internal communication and remediation of issues. We will also be able to do the last round of tray shipments to you, meaning that within 2-3 weeks at the latest everyone should have their well-earned reward in their hands.

The not-so-perfect news: At the end of December we decided not to restart our program until we are sure that our processes allow everyone to receive their proper reward. As this goal is nearly but not fully achieved yet, we are postponing the start by one more week, to a restart date of February 8th, 1 pm Central European Time (CET). Be sure that this will be the only delay. Also, we still have a few open issues we want to get solved before we strive for new challenges ;).

Whenever there are questions about the shipment of trays, please send us a direct e-mail at hackersrewardsupport@redbull.com. We changed this e-mail address as there have been some misunderstandings with our previous one. Be aware that we do not accept or reward any reports received outside our trusted partner Intigriti.

We are already excited to start the next amazing journey with you, our highly respected Friendly Hacker community!

All the best and stay healthy,

mbran & swin

Start of program break and contact information
12/31/2020, 9:57:04 AM (almost 2 years ago)

Dear Red Bull Friendly Hackers,

As already announced, our program will pause from now until February 1st, 10 am CET for an improvement break on our side. We will work on getting all the trays shipped, issues fixed, and our processes as well as the program itself improved. If there are any questions in the meantime, feel free to get in touch with us via vulnerabilitydisclosure@redbull.com.

Many thanks for all your contributions in the previous year, not only to our program but to making the world a safer cyberplace in general. We are happy to see you again in the upcoming year 2021!

Happy new year and stay healthy,

swin & mbran