Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/fransr/bountyplz

Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)
https://github.com/fransr/bountyplz

Last synced: 7 days ago
JSON representation

Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)

Lists

README 

        
# bountyplz – automated security reporting from markdown templates



### description



This is a project created by [Frans Rosén](https://twitter.com/fransrosen). The idea is to be able to submit a report without any interaction. It's taking advantage of all features the existing site has, such as attachments, inline images, assets, weaknesses and severity.



bountyplz supports submitting to HackerOne and Bugcrowd.



bountyplz will sign in to HackerOne or Bugcrowd and keep the session, create a draft and submit the report, all in one step. It also supports 2FA, if this is enabled on your HackerOne- or Bugcrowd-account.



HackerOne:





Bugcrowd:





### install



```

brew install jq

brew install gnu-sed

brew install coreutils



ln -fs "$(pwd)/bountyplz" /usr/local/bin/bountyplz

```



### usage HackerOne `h1`



Place `.env` with `HACKERONE_USERNAME` and `HACKERONE_PASSWORD` next to the binary.



```

bountyplz h1  

```



`-p` for preview


`-d` for draft-only


`-f` for force



### usage Bugcrowd `bc`



Place `.env` with `BUGCROWD_USERNAME` and `BUGCROWD_PASSWORD` next to the binary.



```

bountyplz bc  

```



`-p` for preview


`-d` for draft-only (will upload files but not save any draft as this is currently not supported on Bugcrowd)


`-f` for force



### howto



Write report in markdown, use frontmatter for attributes for the report. The title of the report will be taken from the content's first #-header.



```md

---

severity: high

weakness: xss reflected

asset: example.com

---



# Report title



Report description

```



The following attributes are currently supported:



| key   | type | desc |

|-------|------|---|

|`asset`|string|will be matched against the list of assets for the program|

|`weakness`|string|will be matched against the list of weaknesses for the program. |

|`attachments`|json-array|list of files that should be attached. `["test.jpg","test2.jpg"]`
if images and videos are used inline, these does not need to be in this list|

|`url`|string|bug URL (BugCrowd only, not required)|

|`severity`|string|`none, low, medium, high, crical` (HackerOne only)|



When the report is submitted, an additional `report`-attribute will be added to the markdown with the reference URL for the report. This is to make sure the same report is not submitted twice.



`asset` and `weakness` will try to match against the list of available options. If multiple results are found, a list will be shown to select the right one:






### impact



For HackerOne, if any header with the word `impact` exist in the report, the report will be split in half and the content after Impact will be inserted in the Impact-field. If no Impact exists in the report, the Impact field will only contain a `#` rendering it empty.



```md

---

asset: example.com

---



# Report title



Report description



### impact



This will be in the impact field.

```



For Bugcrowd, the whole report will be inside the Description-field.



### inline attachments



When referring to images or videos inside the report, use this format: ``



Every image or video element containing ` {} \; -o -quit \)

```