BayAreaCoins (Legendary; Activity: 2646; Merit: 1134)

Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways. October 18, 2019, 12:18:21 PM

Last edit: October 19, 2019, 11:29:52 AM by BayAreaCoins #6







Severity "none" w-t-f



"Pipelined for fix" also catches my eye because this fix has already taken place, as indicated in my OP. These HackerOne people are liars.



"Note that other services, including Google, do not require 2FA code to reveal the backup codes." This is NOT true. Google absolutely requires 2fa to reveal 2fa codes. (see further down the thread)



(this paragraph is a 10/19/2019 edit) "recognition of your effort to prioritize this fix" At least they are calling it a fix and not a fucking feature! Imagine this story: You have $10,000,000 on your account and you want to go to a coffee shop to trade. You know you aren't going to withdraw, so you leave your 2fa at home in your safe. Your account is covered by 2fa. You use Lastpass because your passwords are 30 characters long. While you're sitting in the coffee shop, some punk grabs your computer and takes off. By the time you get done with the police and hot coffee shop girls making sure you're OK, that punk could have withdrawn $10,000,000 without my bug report (half in BTC and half in fiat as per The Pit's withdrawal limits). My bug report just stopped that from happening because now that punk has to have your 2fa code to display your 2fa backup. Please keep in mind, I'm not 100% sure what the withdrawal user experience & security features are like on "The Pit". I was only on the site for a few minutes to find this. IF it's like any other website + that bug that only required your password to dump and turn off your 2fa... you'd be a fucked duck. End of edit.



According to Blockchain.com's bug bounty they pay $2000 and more for critical infrastructure errors/errors that result in loss of users' funds... both of which this bug absolutely is.







Also, the icing on the cake... HackerOne is demanding my personal information for a $50 bounty!!!!!!!!!!!







Since when does US tax law require personal information for a $50 payment to a nonemployee independent contractor? In order to get a 1099 tax form in America, you have to earn over $600 in a year! (I'm not a CPA)







Edited:



Here is the actual shit they are trying to force me to fill out to get $50...











https://www.taxgirl.com/2009/03/19/ask-the-taxgirl-can-i-refuse-to-complete-a-form-w-9/

Whoa.... $50 for a critical infrastructure error and the HackerOne people STILL claiming it's normal practice & Google does it (Google doesn't, don't worry) to display 2fa backup codes without re-authenticating both 2fa and password if the account has both. What is the point of 2fa in that case? This is NOT how military-grade 2fa security works at all.
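The security point in the post above is that a "reveal backup codes" action is a second-factor bypass if it only asks for the password: whoever holds an unlocked machine with a password manager on it can dump the backup codes and then log in as the victim from anywhere. The following is an added example (not code from Blockchain.com, HackerOne or the post's author) that puts the reported behaviour beside the step-up check a practitioner would expect. The account record, the session-less handler signatures and the stolen-laptop scenario are constructed for illustration; the TOTP computation follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what a standard authenticator app produces.

```python
"""Step-up authentication for revealing 2FA backup codes.

Added example, not the code of Blockchain.com, HackerOne or the post's author.
Account, handler names and the scenario below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as a standard authenticator app computes it."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Constructed account record: salted password hash, TOTP secret, backup codes."""

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = secrets.token_bytes(20)
        self.backup_codes = [secrets.token_hex(5) for _ in range(10)]

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)


class StepUpRequired(PermissionError):
    """Raised when the second factor is missing or wrong."""


def reveal_backup_codes_vulnerable(acct: Account, password: str) -> list:
    """The behaviour described in the post: a valid password alone reveals the codes."""
    if not acct.check_password(password):
        raise PermissionError("bad password")
    return acct.backup_codes


def reveal_backup_codes_hardened(acct: Account, password: str,
                                 totp_code: str, now: int) -> list:
    """Password AND a fresh TOTP code are both required, regardless of session state.

    A real deployment should also remember codes already used in this window so a
    captured code cannot be replayed, and log the reveal as a sensitive event.
    """
    if not acct.check_password(password):
        raise PermissionError("bad password")
    # Accept the current step plus one step either side to absorb clock drift.
    candidates = [totp(acct.totp_secret, now + drift) for drift in (-30, 0, 30)]
    if not any(hmac.compare_digest(c, totp_code) for c in candidates):
        raise StepUpRequired("second factor required to reveal backup codes")
    return acct.backup_codes


def stolen_laptop_scenario(now: int = 1_571_400_000) -> dict:
    """Constructed scenario: the thief has the machine and the password manager,
    so the password is known, but the authenticator device is in the owner's safe."""
    acct = Account("correct horse battery staple x30")
    known_password = "correct horse battery staple x30"     # read from the password manager

    leaked_vulnerable = reveal_backup_codes_vulnerable(acct, known_password)

    leaked_hardened = None
    try:
        # No authenticator in hand: the thief can only submit an empty second factor.
        leaked_hardened = reveal_backup_codes_hardened(acct, known_password, "", now)
    except StepUpRequired:
        pass

    # The legitimate owner, with the device, still gets through the hardened path.
    owner_view = reveal_backup_codes_hardened(
        acct, known_password, totp(acct.totp_secret, now), now)

    return {
        "vulnerable_leaked": leaked_vulnerable == acct.backup_codes,
        "hardened_leaked": leaked_hardened is not None,
        "owner_can_reveal": owner_view == acct.backup_codes,
    }


if __name__ == "__main__":
    print(stolen_laptop_scenario())
```

The hardened handler deliberately takes the password again rather than trusting the logged-in session: the whole point of the scenario is that the session (and the password, via the password manager) is already in the attacker's hands, so only a factor that never touched the stolen machine can gate the reveal. The same rule applies to the neighbouring actions, disabling 2FA and changing the withdrawal address, since any one of them that accepts password-only re-authentication collapses the second factor.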