Hello all! It has been a long time coming but I am happy to say that BugBountyNotes.com is now accessible to the public! I decided to code this after returning from a live hacking event with HackerOne and thought to myself: there’s no “hubpoint” for everything bug bounty related. Discussions around bugbounties (disclosed bugs, interesting techniques, program feedback) tend to happen on either Twitter or Slack, and if you’re an avid user of Slack you’ll know it’s very easy to miss messages if you don’t check everyday. I hope to change this.

As I said, I have some big plans for this project and the initial release is a start to the vision I have for it. Please share any feedback/suggestions you may have :)

** Note: Right now the website is only desktop friendly. I am working hard to get mobile version out as soon as possible.

On with the features and explaining what’s inside BugBountyNotes..

- The BugBountyNotes Forum

Forum homepage

As explained above, there really wasn’t any “hubpoint” for bugbounty discussions. I’ve created a complete custom-made forum so now anything bugbounty related can be discussed in an easy-to-view method without the risk of missing anything whilst allowing researchers to have an unbiased and uncensored discussion.

- BugBountyTraining — Challenges!

My twist on learning bugbounties!

HackerOne have Hacker101 and their new CTF, BugCrowd have their university and I present to you: BugBountyTraining with a twist via custom made challenges from researchers. I didn’t want to go down the route of just boring videos because they are already out there. A lot of people also share interesting blog posts about bugs they’ve found, so I decided to put two and two together and created a platform for researchers to create their own challenges for the community. Now when you disclose a bug, go ahead and try create it yourself and let researchers give it a go! I have a LOT of plans for this area of the site and this is just the very beginning. There are already 3 custom made challenges based on bugs I have found — go ahead and try beat them! If you are interested in contributing a challenge please reach out to me.

Challenge 3 is actually a talk I did at @_DC151 about an interesting CSRF bypass I found. I’ll do a post on this once the challenge is over! Good luck:D

- Explore BugBounties — detail about each feature

Who doesn’t want to explore bugbounties? With a researcher directory, disclosed bug list, program directory and a tool list / payload feed, you’re bound to fit right in!

Researcher directory: We have platform directories, but what about enabling companies to easily find researchers? Right now I have enabled just some basic filters, but as explained above, I have a lot of plans for this! When viewing a users profile you have the ability to endorse other researchers or simply show off all your disclosed bugs on your profile!

Researcher directory

endorse other researchers!

Disclosed bugs: Search HackerOne disclosed bugs as well as blog posts from other researchers. I plan on making it easier to add external posts to this list. As explained above, where do discussions on disclosed bugs happen? Various places, but now you can comment on disclosed bugs and have a discussion with other researchers! Not only this but you can submit tags to help researchers find the report.

Program Directory: A list of public programs listed on HackerOne/BugCrowd/various other areas of the internet with some basic filtering for searching. @phwd suggested a lot of interesting filters for this which I plan on implementing as time goes on.

Program page: Not all programs play fair but I also didn’t want to create a platform for researchers to just slander companies. With the ‘Feedback’ page researchers are welcome to share their feedback on that programs handling of bug reports and help other researchers spend their time more better. Not only this but you may notice the Collaboration tab! If you have been having success on a program, let other researchers know you are open to working together! (This is just beta, please go gentle:D)

The explore page also contains a safety page which will be run and maintained by @AmitElazari for helping researchers stay safe in bugbounties. Not only this, but find useful links, other communites and platforms you may not of known existed! Everything bugbounty related is there!

Go check it out: https://www.bugbountynotes.com/!

Plans for the future

As you can expect coding something this big by myself can be quite tiring. I have LOTS of plans for improvement and new features and these will come out over the next few weeks. I hope to turn BugBountyNotes into the hubpoint for learning bugbounties, sharing research and helping others. Sharing is caring, remember? :) If you feel you can contribute anything please reach out to me!

Feedback, comments, security issues

For now please share any feedback, comments or bugs/security issues to zseano@bugbountynotes.com — emails sent here will be forwarded to my inbox. I welcome you to test it for any issues and share your feedback!:) Just abide by your laws and don’t go crazy. If you notice any bugs please let me know.

Final Words

This is a beta release so please go easy. Go explore, go test, and let me know your thoughts! I’d like to thank teveryone who has already tested and given feedback — I will be making sure you are recognised for your hard work.

Thanks to: @filedescriptor, @phwd, @iamnoooob, @damian_89_, @MrTuxRacer, @rohk_infosec — and a special thanks to @yaworsk for always being a supportive friend. A top friend.