athas / EggsML

A fully fledged and highly scalable lunch management system for the modern enterprise
http://eggsml.dk
GNU Affero General Public License v3.0

🚨 Potential Improper Access Control #175

Open huntr-helper opened 3 years ago

huntr-helper commented 3 years ago

👋 Hello, @athas - a potential high severity Improper Access Control vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-athas/EggsML for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.


Confused or need more help?


This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

Sword-Smith commented 3 years ago

@huntr-helper Do you guys accept payment in Bitcoin Lightning?

JamieSlome commented 3 years ago

@adam-nygate - bump 👊

JamieSlome commented 3 years ago

@Sword-Smith - thanks for the question!

We do not accept Bitcoin Lightning, but we can accept standard Bitcoin.

Would this work for you?

Sword-Smith commented 3 years ago

A regular Bitcoin transaction would work since the fees are low at the moment.

JamieSlome commented 3 years ago

@Sword-Smith - feel free to use our public BTC address 3Jcm5VE6DpDHaxLZJC1ZAiPPTfU4aSaNqJ.

Cheers! 🎉

Sword-Smith commented 3 years ago

So what do I send to this address? 10 USD to have the issue revealed, and 5 USD to set a bounty to fix it?

JamieSlome commented 3 years ago

Ah sorry for the confusion. No payment is required to access the report. We give access to the maintainer(s) of the repository either via magic-link or once they've logged in to the platform.

We welcome the sponsoring of reports/fixes via multiple payment methods.

Sword-Smith commented 3 years ago

No problem. Sent you 15 USD anyway in ee592e86b72109ecf09da62d5729f3f3312a227d029d57241898ac3a0b9af659 https://blockstream.info/tx/ee592e86b72109ecf09da62d5729f3f3312a227d029d57241898ac3a0b9af659

sshine commented 2 years ago

@JamieSlome:

JamieSlome commented 2 years ago

@sshine:

Let me know how you want to proceed with the report, and will make sure you get access! 🎉

JamieSlome commented 2 years ago

Just a heads up that our BTC address is:

32K3SmVHVgsWjYGDyjfa8ryGYG7Fx3qLpv