Cloudflare security misclassifies account takeover issue

2 points | by matured_kazama 3 months ago | original post
I'm a top hacker for Cloudflare, and the continuously declining level of their bug bounty assessment has made me very concerned.

I submitted a 1-click Account Takeover on their VIP program, apart from the previous ones which were assessed as High Severity. But the recent one is downgraded to Low Severity due to phishing, even when the High Severity issue also required phishing. I mean, 1-click ATO does require phishing, bro.

This is the second incident after their publicly acknowledged mishandled triaging of https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1

I do not know what's happening to them, but they are declining to provide answers, even privately/publicly. Also, they publicly boast of their new VIP program: https://blog.cloudflare.com/cisa-pledge-commitment-bug-bounty-vip/#the-vip-programs-new-enhanced-reward-structure but when submitting this recent report to it, they forwarded it to the public program.