HackerOne is complete garbage. I spent close to a month digging into Uber and compromised their m.uber.com mobile endpoint; they hemmed and hawed and then awarded the $25K to another HackerOne top performer stating that he had discovered the exact same vulnerability the day before I had submitted the report.
What's weird about it is that I was using Burp Proxy for everything, and this guy was directly connected to PortSwigger (and Uber was running some promotional for a free three month license for Burp Proxy).
HackerOne completely sided with Uber on everything, gave the Portswigger kid $25K and that was that.
So, in summary: HackerOne is trash, and Burp Proxy may contain backdoor functionality which is relayed directly back to Portswigger whenever a high value critical vulnerability is discovered with it.
> Uber was running some promotional for a free three month license for Burp Proxy
This is flat out wrong - the promotional partnership was done with HackerOne.
> What's weird about it is that I was using Burp Proxy for everything...
Burp Suite is used by tens of thousands of security experts and if we posted vulnerability data back we would get caught in about ten seconds. Also it would be stupid and illegal etc.
Could you share the username of this 'Portswigger kid'? As far as I know I'm the only person here that does bug bounty hunting, and I've never received a 25k payout off Uber. So I'm wondering if this person is actually affiliated with PortSwigger at all.
Either Uber lied about this guy discovering the flaw so they didn't have to pay me, or Burp Proxy is sending telemetry back to Portswigger with high value vulnerabilities being discovered with the platform. I worked with nobody on this attack, I shared no information with anyone else, and submitted a remote execution vulnerability using HackerOne's supposedly secure triage system.
I wrote it all up on Medium, it got close to 400K reads over the 2018 Christmas holiday with many other stories in a similar vein related to incompetence in their security group. HackerOne is worthless, a scam unless you are full time working for them on bug bounties and already connected with their top ranked researchers.
The triage was escalated to Rob Fletcher and Uber's security liaison Lindsey Glovin. You're right, Portswigger was running a promo with HackerOne. After I submitted a couple of different vulnerabilities, they then locked all of my reports and gave the $23,000 bounty award to "shubs (notaffy)".
These were three critical vulnerabilities on the m.uber.com endpoint; I was able to bypass their WAF and XSS_Auditor protections followed by demonstrating reflected SSL'ized XSS under *.uber.com certificate and remote javascript execution capability.
Bah, there are several closed source plugins for Burp Proxy that are binary only and which constantly relay telemetry data back to Portswigger. I stopped using it for this exact reason, due to Burp Proxy's constant communication back to Portswigger. And the only thing that would need to be relayed back to Portswigger would be high value vulnerabilities that have been discovered.
Which would be trivial to implement as a covert channel in Burp Proxy's update process or any one of a number of other methods of obfuscating and tunneling that data back to Portswigger.
What would you expect HackerOne to do in the situation you describe? You filed a duplicate report. All of the malfeasance you allege is coming from Portswigger.
No idea which one it was, or both. 23K isn't something to sneeze at though, and would be plenty of incentive for the folk at Portswigger to work with douchebags like whoever this shubby dude is in order to collect these bounties.
24K for one bounty... or sell $299 licenses to nerds.. hmm, which one is more profitable...