Restart of Program
5/10/2021, 1:48:05 PM (6 months ago)

Dear Red Bull Friendly Hacker,

It is time to start again. Today at 5 pm CET we will open our program again.
We used the “breaktime” to review all reports received in 2021 and want to give additional appreciation for the following:

  • We saw two really cool app related reports by sunil797 (REDBULL-Y4C3ADCN) and joelb021017 (REDBULL-TOQWXJ72)
  • There was also one quite cool non app related report by mr_synack (REDBULL-K0K1YRG8)
  • The reports handed in by Sadhack3r have been the most detailed and high-quality reports on a consistent basis

We want to thank all mentioned Friendly Hackers for their outstanding submissions and will get in touch with them for some additional “bonus” 😉.
Nevertheless, you are all doing a great job in making the world a safer place, and therefore you all deserve a big thanks.

We are looking forward to an exciting restart of our program!

Have a great start into this new week,

mbran & swin

It is time for a restart :)
4/30/2021, 7:29:09 AM (6 months ago)

Dear Red Bull Friendly Hacker,

after a few weeks' break, our program will be back on May 10th at 5 pm Central European Time.

Please read our program carefully to understand all do's and don'ts; the don'ts especially include the use of any techniques generating a high amount of traffic, like automated scanners, brute-forcing attempts, heavy fuzzing, anything related to DoS/DDoS, ...

The process of sending trays for the last hacking period is already ongoing. Feel free to send us an email to hackersrewardsupport@redbull.com if there are any questions regarding shipment or if you do not get your trays within the next weeks. We continuously improve in getting things done as fast as possible.

Have a great weekend,

mbran & swin

Upcoming Program Break
3/23/2021, 6:56:09 AM (7 months ago)

Dear Red Bull Friendly Hackers,

many thanks for all your contributions in this first quarter of the year. Again, many new issues were brought to our table – especially XSS vulnerabilities, as these are in scope now 😉.
As the to-do list of issues to fix is already growing continuously, we decided to do another “Maintenance Break” where we concentrate on fixing issues and ensuring your well-deserved trays reach you.
This also saves you from the frustration of duplicates – as we currently see many of them.

The maintenance break will start on Monday, 29th of March and will last until sometime in May (the date will be announced at the latest one week ahead).

Be sure that we also use the time to update our program details and improve the program in general. If there are any questions about shipping trays, do not hesitate to get in touch with us via **hackersrewardsupport@redbull.com**.
We start our shipping process for all trays earned in 2021 by end of March.

All the best and stay healthy,

mbran & swin

Some words about Wildcard DNS requests and Scanning
2/25/2021, 12:03:02 PM (8 months ago)

Dear Red Bull Friendly Hackers,

first of all, thanks for all the valuable reports we received since we relaunched our program. As expected, XSS is a highflyer this time ;).

Wildcard DNS requests:
Since we launched our program at Intigriti, we have also seen some curious behavior on the DNS side which we want to share with you.
Since October last year we have been getting masses (hundreds of millions to a few billion a month) of DNS requests for *.redbull.com, *.servustv.com, and so on. The wildcard here is a real wildcard symbol and not a replacement for any subdomain.
The problem here: DNS services cannot resolve * and no caching for "*.something.TLD" is possible on the DNS side. Our theory is that these wildcard entries are retrieved from our SSL certificates during recon and used unfiltered in scripts and scanners.
As there is no added value for you in using wildcard targets, we ask you to check your recon lists, scanners, scripts and so on and remove these kinds of targets. Our DNS provider may thank you for that, as the mass of these requests may cause impact and confusion in the long term ;).

Scanning/Fuzzing:
We regularly see heavy scanning/fuzzing attempts with a few thousand requests per second using tools like nuclei/httpx/ffuf/... - we know that we cannot avoid being scanned. If you feel the need to use automation tools, we ask you to at least check the settings and reduce the requests per second to 5 or lower – running 5 scanners in parallel means 1 request/second each, and not taking the opportunity to scale via multiple instances 😉.
Be aware that in most cases you are just testing a WAF's capabilities of blocking your requests, and the really cool findings are not obtained via scanners or fuzzing tools but through manual exploitation.

Many thanks and stay healthy,

mbran & swin
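
The recon-list cleanup the post above asks for, as an added example written for this page (it is not code from the Red Bull program or from Intigriti): it takes the subjectAltName entries a certificate dump yields, drops wildcard patterns such as *.example.com (a matching rule inside the certificate, not a hostname a resolver can answer or cache), optionally keeps the apex name the wildcard covers, validates what is left against hostname syntax, and deduplicates. The SAN entries and the example.com names in it are constructed for illustration and are not taken from any real certificate.

```python
"""Clean a recon target list built from certificate subjectAltName entries.

Added example for this page; not code from the Red Bull program or Intigriti.
Wildcard SAN entries such as "*.example.com" are certificate matching rules,
not hostnames: a resolver cannot answer for "*" and cannot cache it, so they
must never reach a DNS resolver or an HTTP scanner as-is.
"""
import re

# One DNS label (RFC 1123 hostname syntax): 1-63 chars of letters, digits and
# hyphens, not starting or ending with a hyphen.  Input is lowercased first.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample of what a SAN dump of a wildcard certificate might look
# like (the "DNS:" prefix is how openssl prints SAN entries).  The names are
# illustrative and not taken from any real certificate.
SAMPLE_SAN_ENTRIES = [
    "DNS:*.example.com",
    "DNS:example.com",
    "DNS:www.example.com",
    "DNS:*.cdn.example.com",
    "DNS:WWW.Example.com",        # duplicate differing only by case
    "DNS:*",                      # bare wildcard, occasionally seen in mangled lists
    "DNS:bad_host.example.com",   # underscore is not valid in a hostname
]


def is_resolvable_hostname(name: str) -> bool:
    """True if `name` is syntactically a hostname a resolver can look up."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def clean_targets(san_entries, keep_apex=True):
    """Turn raw SAN entries into (kept, dropped).

    kept:    deduplicated, lowercased hostnames safe to feed to a scanner
    dropped: the raw entries that were discarded, so the operator can review them

    A wildcard entry is always dropped as a target; when keep_apex is set, the
    apex it covers ("*.example.com" -> "example.com") is kept instead, since that
    name does resolve.
    """
    kept, dropped, seen = [], [], set()
    for raw in san_entries:
        name = raw.strip().lower()
        if name.startswith("dns:"):
            name = name[len("dns:"):]
        wildcard = name.startswith("*.")
        if wildcard:
            dropped.append(raw)          # the pattern itself is never a target
            if not keep_apex:
                continue
            name = name[2:]              # "*.example.com" -> "example.com"
        if not is_resolvable_hostname(name):
            if not wildcard:             # wildcards were already recorded above
                dropped.append(raw)
            continue
        if name not in seen:
            seen.add(name)
            kept.append(name)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = clean_targets(SAMPLE_SAN_ENTRIES)
    print("targets:", *kept, sep="\n  ")
    print("discarded:", *dropped, sep="\n  ")
```

Feed the cleaned list, not the raw SAN dump, to your tooling, and cap the request rate there as well: nuclei and httpx take a -rate-limit option and ffuf takes -rate (confirm the exact option against the help output of the version you have installed), and when several scanners run in parallel the 5 requests per second the post asks for is the total across all of them, not per instance.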

Update - Out of Scope List
2/9/2021, 7:16:38 PM (9 months ago)

Dear Red Bull Friendly Hackers,

we want to inform you that we have put *.tv-insight.com on our out-of-scope list for the time being, as there are currently a lot of changes happening for an upcoming go-live. We ask you to stop activities on this domain until it goes back into scope in a few weeks.

Many thanks and happy hacking,

mbran & swin

Finally - Restart of our program!
2/8/2021, 10:03:20 AM (9 months ago)

Dear Red Bull Friendly Hackers,

We are excited to announce that we will finally restart our program as planned today (February 8th) at 1 pm Central European Time (CET). Here are the most important changes to the program:

  • Reflected/DOM XSS is now in scope and will be rated with "Medium" severity
  • In general, we want to **honor well-written reports**, as we think that this is one of the most important skills an independent researcher should have. This means: for high-quality accepted reports, we will add a tray of Red Bull (also for Low severity ones). Please be aware that a good report contains an understandable description of the problem, the potential impact and a solution which fits the problem. Keep in mind that often non-security personnel need to understand what’s going on.

Please read our program carefully to understand all do's and don'ts, which especially include the use of any techniques generating a high amount of traffic, like automated scanners, brute-forcing attempts, heavy fuzzing, anything related to DoS/DDoS, ...

Last week we started the process to ship all trays which are still open from 2020. Feel free to send us an email to hackersrewardsupport@redbull.com if there are any questions regarding shipment or if you do not get your trays within the next weeks. We continuously improve in getting things done as fast as possible.

Happy hacking and have a great start into this new week,

mbran & swin

Restart of our program and some other info
1/29/2021, 11:20:22 AM (9 months ago)
1/29/2021, 11:26:22 AM

Dear Red Bull Friendly Hacker community,

it is nearly a month now since we stopped our program. After this period of time we have good news and some not so perfect ones.

The good ones: We have used this past month to improve our processes and the way we cooperate with Intigriti to provide a better experience with our program. We worked hard to fix problems with sending trays to certain countries, to brainstorm on possibilities for opening up our program a bit more and to find ways for more efficient internal communication and remediation of issues. Also, we will be able to do the last round of shipment of trays to you. This means that within 2-3 weeks at the latest everyone should have their well-earned reward in their hands.

The not so perfect ones: We decided by the end of December not to start our program again until we are sure that our processes allow everyone to receive their proper reward. As this goal is nearly but not fully achieved yet, we postpone the start by one more week, which gives a restart date of **February 8th, 1pm Central European Time (CET)** – be sure that this will stay the only delay. Also, we still have a few open issues we want to get solved before we strive for new challenges ;).

Whenever there are questions about the shipment of trays, please send us a direct mail via hackersrewardsupport@redbull.com. We changed this email address as there have been some misunderstandings with our previous one. Be aware that we do not accept or reward any reports received outside our trusted partner Intigriti.

We are already excited to start the next, amazing journey with you, our highly respected Friendly Hacker community!

All the best and stay healthy,

mbran & swin

Start of program break and contact information
12/31/2020, 9:57:04 AM (10 months ago)

Dear Red Bull Friendly Hackers,

as already announced, our program will pause from now till February 1st, 10am CET for an improvement break on our side. We will work on getting all the trays shipped, issues fixed and processes as well as the program itself to be improved. If there are any questions in the meanwhile, feel free to get in touch with us via vulnerabilitydisclosure@redbull.com.

Many thanks for all your contributions in the previous year - not only to our program but to making the world a safer cyberplace in general. We are happy to see you again in the upcoming year 2021!

Happy new year and stay healthy,

swin & mbran

Let's go for an improvement break!
12/24/2020, 9:49:58 AM (10 months ago)

Dear Red Bull Friendly Hackers,

your response to our program so far is amazing. As we did not expect this level of interest, there is also one downside: We have not been prepared to handle this amount of reports to work on and trays to be sent. We really appreciate all your contributions and see timely delivery of rewards and fixing of reported issues as our responsibility and the “Service” we deliver to YOU – if we didn't, all the talk about appreciation would just be empty words.

Therefore we decided to pause the program for the whole of January 2021. We will start again on February 1st, 10 am CET. Currently there are approx. 140 open reports to address, and only the October rewards have been shipped so far – with some drawbacks in some countries in Asia and Western Europe (which should have been solved since last week).
Our plan for January is to:

  • Send all open rewards and improve the shipping process in a way that handles future deliveries in <1.5 months between reporting and receiving the trays.
  • Fix most open issues (a few of them will still exist afterwards due to interdependencies which need more time to sort out…)
  • Improve the remediation process on our side to allow quicker communication and reaction times between teams
  • Open the scope to allow more opportunities for reporting and giving especially beginners in hacking the opportunities to learn and try things on live systems

We apologize for everything that did not run so well till now and hope to do things better in 2021 - we try hard to improve 😊. We wish you all the best, a lot of healthiness for you and your families, a smooth transition into the new year and a successful year 2021!

Many thanks for your contributions so far and see you soon on the Intigriti platform,

swin & mbran

As an additional note: the biggest thanks goes to the amazing triage team at Intigriti, who are doing such a great, high-quality job even though the pressure of incoming reports is high - it is a pleasure to work with them. We are sure all of you agree with this ;)

A short friendly reminder on sticking to our program rules 😉
12/11/2020, 6:04:59 AM (11 months ago)

After two months of running our program at Intigriti, we look back on a very “interesting” start on our side, where we have been very surprised and overwhelmed by the amount of feedback and incoming reports we received.
We want to say “Thank You” from the bottom of our hearts for your great contribution and all the valuable information which makes our environments a more secure place – though we had a hard time handling all the reports and starting the delivery of all the trays earned by you. We are sure that our processes will improve over time.

We also want to use this post to remind you of some rules outlined in our program details as we see continuous scanning/fuzzing/brute-forcing attempts with sometimes more than 1000 requests per second.

  • Please do not use automatic scanners - be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time into thanking researchers rather than blocking their IPs)
  • You'll limit your activity to user accounts that belong only to you. Please use @intigriti.me domains for email addresses
  • DoS/DDoS attacks, brute-force attacks, heavy fuzzing or mass registrations are definitely out of scope.
  • In general, please avoid any activities which generate a high amount of requests
  • Please also provide your attacker IP when delivering reports
  • Please read our program details to view all details 😉

We are looking forward to further great months working with such a great community as you are.

All the best and many thanks,

Swin