Cross-site scripting war board XSSposed has opened a pay-whatever bug bounty to help its hackers earn cash and tee-shirts.
Launched overnight, the program lets anyone register their interest in hearing about vulnerabilities for any web property. They then have the opportunity to pay researchers for the finding.
Admins who ignore bug reports could end up on XSSposed's well-known full disclosure archive of cross-site scripting mirrors.
Disclosures and payments are a matter for individual web admins and researchers. XSSposed says its only role outside of providing the disclosure platform is to verify hacks.
Hackers can mark their XSS findings for a given site as 'hold' such that the vulnerability will be made public without the technical details that could allow it to be exploited.
“We support both full disclosure and coordinated disclosure via our open bug bounty program,” the organisers says .
“The idea of open bug bounty is pretty simple: any security researcher can be rewarded by anyone for a vulnerability reported on any web site. We go much further classic bug bounties where only web site owner can thank the researcher: with open bug bounty it can be web site visitor, journalist, or even a security company in charge of protecting the web site.
“Many companies don't have formal bug bounties, and we encourage researchers to ask for all sort of awards they want: from banal tee shirts to paid internships in the companies.”
Web site owners have a maximum of three weeks to send cash, clothing, or fruit to researchers who mark their bugs on 'hold' before the vulnerabilities automatically enter XSSposed's permanent full disclosure pit.
Admins will be alerted to 'on hold' bugs through an automatic email sent to “generic” security and registered WHOIS email addresses. Tweets may also be sent to owners.
Bugs for Alexa 50,000 web sites are flagged as VIP while the most prolific hackers are listed in the XSSposed hall of fame.
Bugs reported to the site are unpatched but may not necessarily be new, organisers say. ®