
Vulnerability reward programs have always attracted a lot of attention from hackers and security specialists. After all, it is a legal way to earn good money purely by finding bugs (provided you have solid experience and a good head on your shoulders). The other day we had the opportunity to interview bug hunter Ivan Grigorov. He leads our Bug Bounty program's rankings and holds 11th place in the overall HackerOne leaderboard.
How does one start hunting for bugs? Can it be one's only source of income? Which bug bounties does he take part in? How much do bug hunters earn? And why is vulnerability hunting especially profitable in a crisis? Read the answers to these and other questions in the interview.
How did you start looking for bugs?
I learned about the phenomenon of Bug Bounty two or three years ago, but I had not personally come across it before the Mail.Ru Group program started. When it launched, I decided it was worth a try. At the time I was very skeptical about this line of work and did not expect anyone to pay even a dollar.
When I managed to find a few bugs and received my first rewards for them, I came second in the program. That was when I decided the matter was worth taking seriously.
And now, a year later, you are the most successful researcher in our program and you are in the top 20 on HackerOne. How?
Just studying, that's all.
And how do you study?
Most often I read articles or presentations that describe a specific vulnerability. I study books and resources on the subject. I watch video talks, meetups and conferences. I study other people's reports. I search for information in search engines. I have a university degree, but it has nothing to do with IT.
What kinds of vulnerabilities do you deal with?
Mostly web; the rest is just for fun. But it is all a question of motivation: if you set yourself such a goal, you can break a browser too.
Do you have a regular job?
No permanent job; searching for vulnerabilities is my main source of income.
Do you work alone or as a team? Which scheme is more common, team or solo?
I work alone. Most often bug hunters work solo, but teams do occur from time to time.
What does your typical day look like? How much time do you spend hunting for bugs?
It all depends on whether there are invitations to new projects. If invitations come one after another, or I come across a large project with a big scope, I can freeze in front of the screen from morning till night looking for vulnerabilities and not notice how time passes. But that happens rarely; usually I spend about 3-5 hours a day on it.
Can you live on income from Bug Bounty alone?
Definitely yes, but it all depends on your knowledge in this area, the time spent searching, invitations to new interesting projects, and the desire to find really cool bugs. After all, you can earn 10,000 dollars on a single vulnerability, or you can register, say, 100 clickjackings at 100 dollars each. By the way, most companies pay for bugs in dollars, so in a crisis the relevance of bug hunting has increased significantly.
How much does a bug hunter earn on average?
You have to understand that there is a very large spread in income. It depends on many factors, primarily on the researcher's experience and on how much time they devote to hacking. Many people take part in bug bounty programs only occasionally, not for the money but out of interest or the wish to strengthen their CV. Obviously their income is likely to be small (especially if you count not a one-time profit but the profit over a certain period, say six months or a year).
On the other hand, there are bug hunters who do this seriously and regularly. I have an acquaintance who earns about 10,000 dollars a month. There are also people who earn 50 thousand (for example, a story about the personal experience of one such bug hunter: My $50k Personal Challenge - Results). That is not every month, but it is achievable on a regular basis. According to some top hunters, 25 thousand dollars a month is not a problem for them.
By the way, how do you get to the top?
To do that you need to submit a lot of serious bugs. The rating is built not on the level of earnings but on the overall severity of the vulnerabilities found. This partly affects earnings too: the nastier the bug, the more is usually paid for it. On HackerOne a dangerous vulnerability is rated at about 50 points, a medium one at 25 and the minimum at 15. In each researcher's profile you can see the arithmetic mean rating; that is the Impact value.
How automated are the tools you use?
I use the well-known Burp Suite and sqlmap. Not just hands and head :)
Which bug bounty programs do you take part in?
I try to take part in all programs, both paid and unpaid. Of course, being paid is a priority for me, but nevertheless I pay attention to unpaid programs as well. For example, I have sent vulnerability reports on Mail.Ru Group projects for which there is no reward.
How do you choose which programs to take part in?
It all depends on the current situation. If I am invited to a new private program, the choice is obvious: as a rule, the security of such a project has far more "holes", and they are found faster and more easily.
And if there have been no invitations for a long time, I prefer large projects where other researchers are more likely to have missed bugs. Or you can go back to a well-known project and rediscover a few things.
Explain to the readers what a private program is.
A private Bug Bounty is a program that is not announced publicly; the company invites only a limited circle of bug hunters. This lets it pick the most experienced and suitable hunters and regulate their number. If a project's vulnerabilities have not been searched for yet, I recommend starting with the private version and inviting specific trusted people. Then, once the major bugs have been found, everyone can be invited to search for vulnerabilities.
How do people get into private programs?
As far as I know, HackerOne invites at random. Of course, you first need to earn some rating in public programs, and then the invitations start. If you are completely new, there is no chance of getting an invitation to a private program.
Why is HackerOne attractive as a site? Does it have alternatives?
At the moment I take part in programs on HackerOne and Bugcrowd. Comparing the two sites, HackerOne is more attractive to me.
Firstly, the reporting system itself is much more convenient: you can write a report nicely and make it available to other researchers. You can attach different files to each comment on a report. On Bugcrowd, however, the form for submitting a report is not so well designed: you can attach files to the report, but not to comments.
Secondly, more large companies work with HackerOne. On the other hand, I often receive invitations to private programs from Bugcrowd rather than from HackerOne. Bugcrowd also has a reward system for active researchers, which is very good.
Support on both sites is good and they gladly answer questions. Payments go through without problems on both sites. Both of these resources are useful for a researcher and deserve attention.
Do you use HackerOne's public disclosure feature?
Yes, but rarely. I do not hide anything, but I gladly read other people's open reports.
Are there any contentious issues?
Occasionally. For example, when several bugs of the same type are counted as one and only one is paid for, the remaining reports are closed with the claim that one fix closes several vulnerabilities. You cannot verify this; you have to take their word for it. It also happens that the security team tries to reproduce the bug some time after the report, and by then the bug has already been fixed by the developers. In such a case, if no video is attached to the report, proving anything is a problem.
There was a case where a buggy feature was simply removed a few months ago. Naturally, the security team could not reproduce the bug and closed the report. And just a few days ago I noticed that the feature had been restored, so I am again waiting for confirmation from the security team.
Have there been cases where a company did not want to pay for a bug you reported?
There were several cases where I submitted serious vulnerabilities, but they concerned projects outside the scope of the program. They fixed them and said thank you. But since it was clear in advance that the bug was out of scope, I have no intention of blaming anyone.
What do you think of programs that do not pay rewards?
It depends on the company that started the program. If it is some startup or a non-profit organization, I give them my time and try to find something worthwhile.
If it is a company with huge revenue, it at least seems strange that they do not offer a reward.
But like any other user, I want my data to be safe and not at risk of ending up with cybercriminals. So I try to protect the users of services that, for whatever reason, cannot pay a reward. Of course, I do not dig into the product as deeply as I would to find as many vulnerabilities as possible, but I personally find and submit a few simple bugs that do not take much time.
Many top researchers are not such altruists and hardly ever deal with unpaid programs. Some of them are right, but I still think that in the end you need to think about the users and contribute at least a little to protecting their interests.
Tell us about the most interesting bug in your practice.
There have been a few interesting bugs, but I will probably talk about the one disclosed most recently on HackerOne, hackerone.com/reports/111440, which led to a vulnerability in about 30 thousand websites (mostly corporate).
I decided to look for bugs in Zendesk. The program had been running for a long time, so I carefully went through the contents of the main page www.zendesk.com and analyzed the details. I was interested in a video from the source fast.wistia.com, which I did not know at the time.
First, the page had a third-party script from fast.wistia.com that controlled the video, manipulated the DOM and loaded data about the video. After carefully examining what this script did, I noticed that it could additionally load and execute JS files from fast.wistia.com, and that the path, name and extension of the executed file could be changed completely. So if I could upload a malicious file there and get it executed, I could run arbitrary script on the Zendesk side. And I started looking for such an opportunity.
Having spent a lot of time, I realized that I could not upload a file to fast.wistia.com specifically. Then I paid attention to the requests going to fast.wistia.com and noticed a JSONP request where the server's response could be manipulated. Combining this bug with the first one, I could present the JSONP response as a malicious JS script. And then, as I found out, I began to realize that this problem affected not only Zendesk but a huge number of stores hosted on Shopify, a huge number of WordPress and Tumblr blogs, many corporate websites, about ten companies with their own Bug Bounty programs, and Wistia itself. Almost everyone who had embedded a Wistia video on their website had added this vulnerable script.
The first place I wrote to was Wistia support. After waiting a day, I wrote another letter and about an hour later got confirmation that the information had been passed to the developers. Two more days passed, but the bug was still not fixed. Of course, two days is a short time, but not for a bug like this, since the reputation of other companies was under attack.
When it became clear that nobody was dealing with the bug (later it turned out I was right), I started reporting to the other companies, hoping that they would contact Wistia. I sent a report to Zendesk, but they said they could not help in any way and would wait for Wistia to fix the problem... I was shocked... Then I sent reports to Shopify, Trello and Automattic (WordPress). The teams of these companies did not wait for Wistia and started solving the problem on their own, including contacting Wistia through their own channels. And lo and behold, exactly an hour after they contacted Wistia, the bug was fixed.
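The chain Ivan describes above, as an added example (not code from the interview, from Wistia or from Zendesk): an embed script whose only control on the extra JavaScript it loads is the host, combined with a JSONP endpoint on that same host that reflects the callback name verbatim. The host name is the one from the story; the endpoint path, the `callback` parameter and the callback names are hypothetical. The hardened JSONP handler next to the vulnerable one shows the usual server-side fix.

```javascript
// Added example modelling the two weaknesses chained in the story above.
// Host from the story; paths, parameter and callback names are hypothetical.
const TRUSTED_HOST = "fast.wistia.com";

// Weakness 1: an embed script that loads extra JavaScript from the trusted host but
// lets embed parameters choose path, file name and extension. Only the host is checked.
function buildScriptUrl(scriptPath) {
  const url = new URL(scriptPath, `https://${TRUSTED_HOST}/`);
  if (url.host !== TRUSTED_HOST) {
    throw new Error(`refusing to load script from ${url.host}`);
  }
  return url.toString();
}

// Weakness 2: a JSONP endpoint on that same host that reflects the callback verbatim.
// Whatever arrives in ?callback= becomes JavaScript in every page embedding the host.
function jsonpVulnerable(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened JSONP: only a bounded, dotted JavaScript identifier is accepted as callback,
// and the body starts with /**/ so an attacker never controls the leading bytes of the
// response (the Rosetta Flash trick). Serve it as application/javascript with
// X-Content-Type-Options: nosniff as well.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
function jsonpHardened(callback, data) {
  if (typeof callback !== "string" || callback.length > 64 || !CALLBACK_RE.test(callback)) {
    throw new Error("invalid JSONP callback name");
  }
  return `/**/${callback}(${JSON.stringify(data)});`;
}

// The chain: point weakness 1 at weakness 2. The "script" the loader fetches is the
// JSONP endpoint, and the attacker-chosen callback is what runs in the embedding page.
function chainedPayload(endpointPath, callbackParam, data, jsonpImpl) {
  const url = buildScriptUrl(`${endpointPath}?callback=${encodeURIComponent(callbackParam)}`);
  const callback = new URL(url).searchParams.get("callback"); // what the server sees
  return { url, body: jsonpImpl(callback, data) };
}

// Stand-in for the browser executing the fetched "script"; alert() is captured, not shown.
function simulateExecution(body) {
  const shown = [];
  new Function("alert", body)((x) => shown.push(String(x)));
  return shown;
}

// Demo on constructed sample data: a legitimate embed, then the attack, against both servers.
function demo() {
  const media = { id: "example-video", title: "Constructed sample" };
  const legit = chainedPayload("/embed/example.jsonp", "wistiaEmbed.onData", media, jsonpVulnerable);
  console.log("legitimate:", legit.url, "->", legit.body);

  const evil = chainedPayload("/embed/example.jsonp", "alert(1)//", media, jsonpVulnerable);
  console.log("attack    :", evil.url, "->", evil.body);
  console.log("executed  :", simulateExecution(evil.body));

  try {
    chainedPayload("/embed/example.jsonp", "alert(1)//", media, jsonpHardened);
  } catch (e) {
    console.log("hardened  :", e.message);
  }
}
demo();
```

The point of the model is that the loader's host check is correct as far as it goes and still useless: once any endpoint on the trusted host reflects input into an executable response, every page that trusts that host inherits the injection. Fixing the JSONP callback validation on the server closes the chain for all embedding sites at once, which is why the fix, once Wistia shipped it, needed no change on Zendesk's or Shopify's side.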
Is the most interesting vulnerability always the most expensive?
Not always. Probably every researcher has had a bug for which they received less than expected, or nothing at all, while other researchers rated it highly. One such example, pointed out by BlackFan, is hackerone.com/reports/14883.
There is an opinion that vulnerability search programs do not help find really cool bugs. Do you agree?
I think this opinion was formed thanks to the many people who try to earn money for nothing by sending inadequate reports. Indians are especially famous for this (although there are very talented people among them). And against the background of a mass of such junk reports, teams start to wonder about the effectiveness of Bug Bounty. Often programs are closed without waiting for really valuable data, or simply because they drown in a huge number of reports.
Bugs or monetary gain: what comes first for you? Do you deliberately busy yourself with boring bugs because they are guaranteed to bring some income?
I do not focus only on interesting bugs. But at the same time I do not report anything purely in pursuit of profit. I almost never report clickjacking or anything of lower severity: firstly, because I would most likely just run into a duplicate and waste my time, and secondly, not every company accepts such reports.
What advice would you give to novice bug hunters?
First, you need to understand that the probability of finding a vulnerability quickly is inversely proportional to how long the program has been running. The best strategy is not to linger on one program but to take part in another.
Nevertheless, when I take part in a bug bounty that has been receiving reports for a long time and where the chance of finding a vulnerability is very low, I try to get to know the product as well as possible and find the functionality that other people most likely did not take the time to examine. Or I look for things that are hard to understand; other researchers tend to overlook them. I try not to miss any small detail. This takes time and requires patience and perseverance.
You can start by learning how to handle bugs: begin with simple vulnerabilities such as CSRF, XSS and SQLi, examining each typical security error separately. Collect material on each of them. Simply starting a search on YouTube is enough; there is a lot of useful stuff there.
Many good articles have been published on Habr, where you can also find references to interesting books. For example:
- Must-read books of 2014 on information security and programming
- Books on information security: getting into infosec
- Books on cyber security: five or more recommendations from experts
It is also useful to read other people's published reports. But remember that you must not stop learning: technology changes, something becomes obsolete, the new replaces the old, and we have to keep up with it.
In general, how do you think trends in the Bug Bounty area are developing? What do you expect in 2016?
A few years ago Bug Bounty was rare, but now opening such a program is a trend, and we can expect more companies to come to sites like HackerOne. Private programs will become more and more important. Bugcrowd has a new format for private programs: Flex programs, with a limited budget and funds. Companies like them, and it seems to me their popularity will gradually spread.