MyBB Community Forums

Full Version: $25 Reward for Mybb or HF Exploit
I am now offering a $25 reward for any Mybb or Hackforums.net exploit that allows for malicious action against the site. Proof of concept must be shown. This must be an unpublished exploit that allows for penetration of the admincp, the database, or the file system. You must PM me the exploit. Publication or abuse of the exploit will disqualify you from the reward.

Payment can be either paypal, money order, or western union. For WU the fees will be deducted as sending WU can be expensive.

This is going to be a reward I will hopefully keep in place for as long as possible. I am hoping that those finding a way to exploit the site or its software will accept the reward instead of using it maliciously against the site.

The exploit you find will be reported to Mybb immediately so it can be patched. So for Mybb, please realize that this reward is not any attempt to black hat hack the software. Instead it's meant to be preventive. It may even serve to prove that Mybb is secure.

Thank you.

Disclaimer: This reward is subject to change without notice and can be cancelled at any time.
You do know that if anyone does know anything about this kind of stuff, they won't tell you; instead they'll keep quiet (on this thread) and probably link to it from some other board. So labrocca, if I were you, I would take the URL to this thread, go to Google and surround the URL with "". If there are exploits, maybe they'll begin popping up in Google by this. Good luck

(2008-12-29, 11:59 PM) labrocca Wrote: I am now offering a $25 reward for any Mybb or Hackforums.net exploit that allows for malicious action against the site. Proof of concept must be shown. This must be an unpublished exploit that allows for penetration of the admincp, the database, or the file system. You must PM me the exploit. Publication or abuse of the exploit will disqualify you from the reward. [...]
I do know also that not everyone is malicious. And the reward is for something unpublished. Also I may up the reward at some point, and Chris has spoken with me about possibly matching it. I feel having an open reward would quiet those that say Mybb is insecure. I know $25 isn't a lot of money, but I wanted to see the reaction with a small amount. I didn't want to make it $100 just yet because, well... I don't need HF attacked by hackers more than it is by people looking for exploits. I get scanned pretty often, but within the first 3-4 days of posting this at HF I had dozens of attempts, and neither my server nor I was very happy about it. But the scans did serve a purpose. I was able to make some honeypots for such scans and now block them. So in the end it's been helpful to me.

I would love to one day offer $100-$250 for exploits. imho that would be enough for a hacker to decide to take the money. It could also save many Mybb admins from being exploited and would be worth the money overall.
I still get subscription emails even though my posting was deleted (taken care of by Ryan Gordon / Chris, I assume). There are many projects that have open awards such as this, and it's a good thing (if someone is willing to spend the money). The real question is, though: out of those who report this for money, wouldn't they also have reported it for free? When I read labrocca's reward notice one or two weeks after filling out the form, I caught myself thinking 'damn' (I'm young, I need the money), but should I come across something again, I'll probably just use the contact form again (and nag a developer or two if I don't hear back).

Personally, I still think that no matter what kind of software is used, the no. 1 reason that sites get hacked is that people use weak passwords, or they install untrustworthy software on their machines (this includes plugins; a badly programmed plugin could very well serve as a backdoor to MyBB no matter how secure MyBB is by itself, and hardly anyone reviews the code before installing it), or they give their account details to others without knowing them (this happens often in support requests, where people willingly give away access data in order to get help), etc.

I think $250 is way too high a price to pay for a simple exploit report. If you want to give that money to hackers, instead of simply giving out a reward, you should set up a honeypot MyBB on a server and give the award to someone who actually manages to hack this thing through a vulnerability of MyBB (which then has to be documented by the hacker), i.e. make a hacking contest. These kinds of hands-on contests sometimes manage to attract hackers (the friendly kind) who have fun finding ways to break software.
The reward is specific, though, and not just for bugs. It's specific to an exploit that can be used maliciously and also one that's part of mybb only.

I don't have a spare server to set up a hacking contest right now, but maybe one day someone can donate a server or VPS. Maybe Chris can work on a partnership with a hosting company for this in exchange for advertising. A simple VPS with a default Mybb install is all that's required.
No possible MyBB exploits should be discussed here. I'm not saying there are exploits or there aren't; they shouldn't be discussed openly in this community forum.

Thread Closed.

Report possible exploits here: http://www.mybboard.net/contact?subject=security
Best Regards.