TL;DR Hackerone ( declined to resolve the problem which was explicitly said to be in scope. The reason for that is that they forgot to delete that from scope.

Original post

Hackerone has a bug bounty platform where you can earn free invites to private programs. As of 12.12.18 the program rules said that

All outbound connections from CTF vulnboxes should be banned. If you find a way around this, we would to hear about it.


I exploited an RCE in one of the tasks, uploaded a simple Python script and resolved, which proves that there is a way round the deleted dig and nslookup tools.

I wrote a Python script for exploiting a RCE to perform DNS resolution, filled up a report and sent to Hackerone. However, one of the Hackerone co-founders declines to resolve the report as the rules were not supposed to show any interest in bypassing network restrictions

Moreover, the problem was fixed.

UPD: the problem was not fixed, that is my fault here (~ 27.01.2019 - 8.45PM UTC+0)

Although i personally agree that these types of problems don't posess any risk, they were explicitly said to be in scope of the program, promising monetary reward. However, it was claimed to be an error in the policy which allows the program not to accept the problem.

UPD: i was pointed out that in fact this allows miners to be run. To proxy the data, iodine can be used. So this is a direct "in scope" problem (~ 27.01.2019 - 8.45PM UTC+0)

Hackerone used to be the state of art bug bounty program for me as they resolved the smallest issues (logins bruteforce). However the tables turned. The position looks pretty much absurd for me:

  1. Our own errors are OK not to be accepted
  2. It is OK to close all the reports which used to be in scope, but now they don't (see point 1)
  3. So what that you spent a couple of hours on trying to create a beautiful PoC and then be declined because of OUR mistake

For instance, Uber did accept their error and rewarded Terrek Siddiki in this report

Update (27.01.2019 - 9.58PM UTC+0)

I find it necessary to sum up the whole twitter discussion.

  1. The network problem was in scope
  2. The scope was NOT supposed to have that, but it did
  3. Turns out RCE + network grant a real miner possibility, which was also in scope but was not noted by me in the initial report
  4. I failed at rechecking the network problem and claimed it was fixed (i blame myself for that). However this does not cancel the fact that the original report was defined as "in scope" in the policy
  5. @jobertabma granted swag - thanks for that
  6. Jobert's point is that policy did contain an error, but it does not mean the bug should be accepted
  7. My point is that the report is fully compliant with the original scope: it allows RCE, remote connection and a miner as a result
  8. The topic is closed