Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/fransr/bountyplz

Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)
https://github.com/fransr/bountyplz

Last synced: 17 days ago
JSON representation

Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)

Awesome Lists containing this project

README

        

# bountyplz – automated security reporting from markdown templates

### description

This is a project created by [Frans Rosén](https://twitter.com/fransrosen). The idea is to be able to submit a report without any interaction. It's taking advantage of all features the existing site has, such as attachments, inline images, assets, weaknesses and severity.

bountyplz supports submitting to HackerOne and Bugcrowd.

bountyplz will sign in to HackerOne or Bugcrowd and keep the session, create a draft and submit the report, all in one step. It also supports 2FA, if this is enabled on your HackerOne- or Bugcrowd-account.

HackerOne:

Bugcrowd:

### install

```
brew install jq
brew install gnu-sed
brew install coreutils

ln -fs "$(pwd)/bountyplz" /usr/local/bin/bountyplz
```

### usage HackerOne `h1`

Place `.env` with `HACKERONE_USERNAME` and `HACKERONE_PASSWORD` next to the binary.

```
bountyplz h1
```

`-p` for preview

`-d` for draft-only

`-f` for force

### usage Bugcrowd `bc`

Place `.env` with `BUGCROWD_USERNAME` and `BUGCROWD_PASSWORD` next to the binary.

```
bountyplz bc
```

`-p` for preview

`-d` for draft-only (will upload files but not save any draft as this is currently not supported on Bugcrowd)

`-f` for force

### howto

Write report in markdown, use frontmatter for attributes for the report. The title of the report will be taken from the content's first #-header.

```md
---
severity: high
weakness: xss reflected
asset: example.com
---

# Report title

Report description
```

The following attributes are currently supported:

| key | type | desc |
|-------|------|---|
|`asset`|string|will be matched against the list of assets for the program|
|`weakness`|string|will be matched against the list of weaknesses for the program. |
|`attachments`|json-array|list of files that should be attached. `["test.jpg","test2.jpg"]`
if images and videos are used inline, these does not need to be in this list|
|`url`|string|bug URL (BugCrowd only, not required)|
|`severity`|string|`none, low, medium, high, crical` (HackerOne only)|

When the report is submitted, an additional `report`-attribute will be added to the markdown with the reference URL for the report. This is to make sure the same report is not submitted twice.

`asset` and `weakness` will try to match against the list of available options. If multiple results are found, a list will be shown to select the right one:

### impact

For HackerOne, if any header with the word `impact` exist in the report, the report will be split in half and the content after Impact will be inserted in the Impact-field. If no Impact exists in the report, the Impact field will only contain a `#` rendering it empty.

```md
---
asset: example.com
---

# Report title

Report description

### impact

This will be in the impact field.
```

For Bugcrowd, the whole report will be inside the Description-field.

### inline attachments

When referring to images or videos inside the report, use this format: ``

Every image or video element containing ` {} \; -o -quit \)
```