/huntr

📚 Open source resources related to huntr - the bug bounty platform

Primary LanguageJavaScript



huntr.dev - the place to protect open source

Get recognised for protecting millions of developers


GitHub Workflow Status (branch) Website GitHub pull requests GitHub issues


GitHub forks GitHub Repo stars GitHub contributors Support huntr GitHub closed pull requests by-label


Discord Twitter Follow


Visit the platform or continue reading...


AboutDiscloseFixDiscussLinksUpdatesCommunity


About


huntr is a bug bounty platform developed by 418sec. We provide the open source community a way to learn and master open source security with real world practice on packages being utilised by millions of developers and services around the world.

This repository is an open and freely available database for all of the disclosures we have received from the open source community. We display these disclosures on our platform for you to learn about, attempt a fix and discuss with others.

You already have what it takes. Keep reading to learn more on how to disclose a vulnerability, submit a fix and share your opinions with us.

If you want to do a bit more reading around the platform and our mission, take a look at:


Disclose


For the best experience when disclosing a vulnerability with us, sign up to the platform using your GitHub account.


Before disclosing a vulnerability, you should fork the repository and familiarise yourself with the contents of your new repo. You can fork by clicking here:


GitHub forks


Database 💽


The bounties folder holds all previous disclosures and is also the location where new disclosures are added. Inside the bounties folder, each directory represents a package manager. These include:



Within each of these folders, you will find the names of packages that are served by these package managers. For example, bounties/npm/yup refers to:



Some package managers (i.e. ) format their package names like owner/name, e.g. intervention/image. Where this is the case, the package directory assumes the following structure:

bounties
  - packagist
    - intervention
      - image

Otherwise, it will follow:

bounties
  - npm
    - yup

Inside of each package directory, there will be a numbered list of directories starting at 1. This number is the identifier for the vulnerability/disclosure. For example, bounties/npm/yup/1 is the first disclosure in our database for yup.


This number, as well as the directory, refers to the respective vulnerability on the platform. The contents of the files inside a directory location will be used to generate the content for the platform vulnerability page:


https://huntr.dev/bounties/1-npm-yup


Each new and unique disclosure should iterate on this number, if the package for a specific package manager does not already exist.


Submit a disclosure 📨


Now that we have covered the basics of the vulnerability database, we can now submit a disclosure...


Each disclosure is made up of two files:


vulnerability.json and a README.md


The vulnerability.json contains all meta-data related to the vulnerability or disclosure. You can find a template below for the vulnerability.json which should be filled with relevant information. The README.md is a custom description of the disclosure that will appear on the platform. It is rendered with a simple Markdown processor that includes basic styling - similar to GitHub Flavoured Markdown. You can be as creative and artistic with your README.md as you please. These files are created by a discloser, within an existing or new package manager and package of choice.

For example, if you wanted to disclose a vulnerability in:



...you will create two empty files on your personal fork:


bounties/npm/lodash/1/vulnerability.json
bounties/npm/lodash/1/README.md

vulnerability.json


Your vulnerability.json must take the following format to get accepted:


{
  "PackageVulnerabilityID": "",
  "DisclosureDate": "",
  "AffectedVersionRange": "",
  "Summary": "",
  "Contributor": {
    "Discloser": "",
    "Fixer": ""
  },
  "Package": {
    "Registry": "",
    "Name": "",
    "URL": ""
  },
  "CWEs": [
    {
      "ID": "",
      "Description": ""
    }
  ],
  "CVSS": {
    "Version": "",
    "AV": "",
    "AC": "",
    "PR": "",
    "UI": "",
    "S": "",
    "C": "",
    "I": "",
    "A": "",
    "E": "",
    "RL": "",
    "RC": "",
    "Score": ""
  },
  "CVEs": [""], 
  "Repository": {
    "URL": "",
    "Codebase": [""],
    "Owner": "",
    "Name": ""
  },
  "Permalinks": [""], 
  "References": [
    {
      "Description": "",
      "URL": ""
    }
  ]
}

Furthermore, the contents of each key must have a value that follows the definition table:


FieldDefinitionExample
PackageVulnerabilityIDNumerical incrementing ID1
DisclosureDateDisclosure submission date2020-12-01
AffectedVersionRangeVulnerable version/s of the package* or 1.0.0
SummarySummary of the vulnerabilityPrototype Pollution
Contributor.DiscloserGitHub ID of the discloserNo input required...
Contributor.FixerGitHub ID of the fixerNo input required...
Package.RegistryName of package manager/registrynpm
Package.NameName of the vulnerable packagelodash
Package.URLURL to the package in the registryhttps://www.npmjs.com/package/lodash
CWEs.IDCommon Weakness Enumeration ID of the vulnerability400
CWEs.DescriptionName of the CWE IDFailure to Sanitize Input
CVSS.VersionVersion of CVSS Calculator3.1
CVSS.AVAttack VectorP
CVSS.ACAttack ComplexityH
CVSS.PRPrivileges RequiredL
CVSS.UIPrivileges RequiredL
CVSS.SScopeL
CVSS.CConfidentialityL
CVSS.IIntegrityL
CVSS.AAvailabilityL
CVSS.EExploit Code MaturityL
CVSS.RLRemediation LevelL
CVSS.RCReport ConfidenceL
CVSS.ScoreCommon Vulnerability Scoring System9.8
CVEsCommon Vulnerabilities and Exposures (CVE)["CVE-abc-123"]- optional
Repository.URLGitHub Repository URLhttps://github.com/418sec/huntr
Repository.CodebaseGitHub Repository Codebase["JavaScript"]
Repository.OwnerGitHub Repository Owner418sec
Repository.NameGitHub Repository Namehuntr
PermalinksGitHub Permalinks["https://github.com/418sec/huntr/blob/staging/.gitignore#L1"]
ReferencesLinks or Articles relating to vulnerability{ "Description": "Blog", "URL": "https://huntr.dev/blog" }

Data Definition Table for vulnerability.json



For more information on the requested meta-data, you can refer to the following resources:


README.md


The README.md file is fully customisable, but you can use the following template:

# Description

`myPackage` is vulnerable to `a scary vulnerability`.

This exploit may result in the modification of..., which may result in...

# Proof of Concept

1. Create the following PoC file:

{Show PoC code here...}

2. Execute the following commands in another terminal:

{Show terminal commands here...}

3. Check the Output:

{Show result of execution here...}

N.B - ensure that any hyperlinks or URLs are added to the References array in the vulnerability.json


Disclosure Acceptance 🎉


If you are up to this point, great job! You can now go ahead and open a pull request from your fork to 418sec/huntr:staging. Make sure that you have submitted only one vulnerability.json and README.md per pull request. If you do this properly, a GitHub labels label will be added to your PR.


All previous disclosure PRs are labelled with:
GitHub labels GitHub labels


Before being accepted, your vulnerability.json will go through some checks to ensure a minimum level of quality. If your disclosure fails these checks, you will be able to view the results of these checks at the bottom of your PR.


Once your disclosure is accepted by our sheriffs, it will be visible on the platform under the URL:

https://huntr.dev/bounties/${PackageVulnerabilityID}-${Package.Registry}-${Package.Name}


Need more help? Take a look at our video walkthrough for more information...


Fix


For the best experience when fixing a vulnerability with us, sign up to the platform using your GitHub account.


All of our submitted disclosures will be displayed on the bounties page on the platform. You can filter by programming language and view disclosures ordered by most recent, first.


Submit a fix ⚒️


To start working on a fix, visit any bounty page and click the Fork and Fix button. This will only be visible if you have signed up with your GitHub account. This will create a fork of a 418sec GitHub repository; we have forked the upstream repository so that we don't bother the true maintainer with heavy discussion threads on their repository.


For example:

lodash/lodash
|_418sec/lodash
  |_YOUR-USERNAME/lodash

Once you have forked through our platform, you will be provided a git clone command. With this, you can start working on your fork and building your fix, woohoo! 🎉


Once you are happy with your fix on your forked repository, you can now open up a pull request from your fork to the 418sec repository.


We encourage you to reference your pull request submission on the original disclosure through the comments section on the platform. To do this, simply copy your GitHub PR URL into the comments section. This will automatically setup a linked reference to your PR. This will give you the opportunity to get community feedback on your fix and learn with others on their submissions too.


Discuss


We encourage everyone to engage in the discourse for vulnerability disclosures and fixes through our platform. To sign up, click here. You will find a comments section on each bounty page where you can express your thoughts and learn with others.


If you have any feedback about this repository or the platform, get involved with the conversation on our Discord. Join our growing community today!


Links


You may find the following links helpful:


Templates


Not sure what to write in the description of your pull request? You can use our PR (pull request) templates to help you:



Updates


Turn your notifications to watching to keep yourself up-to-date. To show us some love, give us a star!


Community


We are always on the lookout for sheriffs, a.k.a. legendary code reviewers, to review community submitted disclosures and fixes. If you are interested, drop a comment on our GitHub Discussion.


As a sheriff, you will:

  • Review fixes and disclosures submitted by our community
  • Get a shiny sheriff badge on your profile
  • Join our private Discord channel
  • Join weekly team meetings for platform updates
  • Help us shape the direction of the platform
  • Engage with project maintainers to discuss fixes and disclosures

You can find community-based projects here: