It all starts with your organization putting up the program on HackerOne and someone spreading the word. Some CPU in an isolated and cold data center of HO would crack up and it will unravel a new world to you.
People will try to brute force your login and sign up process. Have you been waiting to scale up your postgres server? You won’t be able to avoid it tonight.
Number of failed and successful logins (CC BY-NC 2.0)
Good monitoring setup would shine in days like these. You set up rate limit to avoid the next sweep of login attacks. Similar scripts will try to suck the breath of your app whenever they find a 500 Internal server error. Your logger would set new records for the number of errors logged in a day and flood your slack channel integrated with the logger bot. Things will calm down once you start to fix them one by one.
ArgumentError (string contains null byte)
will haunt your dreams. You introduce rack-utf8_sanitizer in hopes that you would not see them again, but they never really go away(rails/rails#26891).
Blessed be the day when you receive the report of XSS attack which existed right under your nose. You would get to co-ordinate a fix in a gem you used since you were still fumbling with your lamdas and procs. You will feel smart, however it won’t last very long because now you find out that CSRF token validation can be bypassed on your app. Rails 4 introduced with: :exception
option for protect_from_forgery and switched to using it in its templates when :null_session
was still the default argument. Do you too dream of a day when a rail’s major update will be as easy as minor ones?
Being an open source community, it is possible that you will lose pace. Duplicate reports would start to pile up because hackerone reporters share bugs among themselves once the original report is filed. Are you a bad person to think that hackerone community has some growing up to do?
Meanwhile, your password reset token has been leaking to third party websites through referer header. Which is a bit worse than it sounds because those tokens may not expire on clearance. You let the experts know because some fixes would be more complicated than others. Always check caniuse before you are dazzled by something new and shiny. I hope you didn’t forget to reset all your user’s :confirmation_token
.
While introspection, you will look back at OWASP top 10 cheat sheet and agree that the list is very real. Hopefully, you will ask yourself why aren’t more people participating in programs like this. Why are the cockroaches having a party as if you aren’t even home.
bugville by lady-traveler (CC BY-NC 2.0)
It is a reasonable assumption to make that your grocery shop works securely while delivering all the ingredients you need for your next award winning soup.
It would almost break your heart when you turn away reporters with a mere thank you note because you don’t pay bounty for rubygems.org. You don’t have the money for it. Reporters would beg you to reconsider and all you would say is
Only issues within the rubygems client library are eligible for a bounty.
Did you know that you and your company could help?