Cloudflare account takeover security mishandling
2 points • by matured_kazama • 9 months ago
I'm a top hacker for Cloudflare and the continuously declining level of their bug bounty assessment has made me very concerned.

I submitted a 1-click Account Takeover on their VIP program, apart from the previous ones which were assessed as High Severity. But the recent one is downgraded to Low Severity due to phishing, even when the High Severity issue also required phishing. I mean, 1-click ATO does require phishing bro.

This is the second incident after their publicly acknowledged mishandled triaging of https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1

I do not know what's happening to them, but they are declining to provide answers, even privately/publicly. Also, they publicly boast of their new VIP program: https://blog.cloudflare.com/cisa-pledge-commitment-bug-bounty-vip/#the-vip-programs-new-enhanced-reward-structure but when submitting this recent report to it, they forwarded it to the public program.