Our First Bug Bounty: $100 for Firefox “Grey Screen” Bug

Hello Everyone,

We are proud to announce our first Bug Bounty today: the Firefox “Grey Screen” Bug – with a reward of up to $100! (This bounty has now been CLAIMED. See below.)

What is a Bug Bounty?

As per Wikipedia, a Bug Bounty is “a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.” In this case, our ‘bug bounty’ is focused on finding a reliable way to reproduce a troublesome bug that’s been causing a lot of headaches for our developers: a ‘grey screen’ shown when using Firefox to visit Furry Network:

[Image: fnet_firefox_grey_screen.jpg]

Bug Bounty Status

This Bug Bounty has been claimed by Forfaox. Congratulations, and thank you for your help!

We first announced the Bounty at 12:20pm MST, and had our first solution just over 3 hours later at 3:47pm. After thorough testing, we confirmed that this entry was valid at 7:30pm – a turnaround time of just 7 hours. The power of crowdsourcing!

A full write-up with details of this issue will follow, once we’ve made the fixes. Keep an eye on our next regularly scheduled code update!

Last updated Sunday, Jan 10th at 7:30pm

What are we looking for?

For the partial bug bounty of $50, we are seeking full, accurate steps to reproduce the “grey screen” that appears when a Firefox user running Windows visits Furry Network.

For the full bug bounty of $100, we are seeking a pre-made virtual machine running Windows that will reproduce the “grey screen” that appears when a Firefox user visits Furry Network. To get this full amount, we would require a VMware (or similar) virtual machine image able to reproduce the error reliably and consistently in a typical user environment, together with instructions on how you were able to reproduce the error (e.g., what you installed, and in what order).

How do I submit?

To submit, please send an email to bugbounty [at] furrynetwork [dot] com with your name, PayPal address (or mailing address if you’d prefer a mailed check), and the details of your entry:

  • The name you’d like us to use to refer to you (nicknames/aliases are fine)
  • PayPal address to send payment to (or for check, name to make check payable to, and US mailing address)

For the $50 bounty, please provide:

  • In plain English, what combination of software causes the problem
  • (Optional:) If known, why the problem occurs. Please note we’re trying to reproduce the problem and understand why it only happens to Firefox sometimes, not find the exact line of code / syntax error to blame.
  • Exact versions of software used (including operating system, patches and 3rd party software)
  • Full, detailed steps to reproduce the error, starting with a fresh install of Windows (please note, doing this on your existing OS install won’t count – we’ve had plenty of people’s existing machines affected, we need to reproduce it ourselves from scratch)
  • A screenshot of the problem you’ve reproduced

For the $100 bounty, please provide:

  • All of the items listed above for the $50 tier, plus:
  • A virtual machine image in a format we can use. (We recommend a zipped VMware disk image, complete with .vmx configuration file – OVF files are handy, too).

What will I get in return?

You’ll get between $50 and $100, our unending thanks, and public recognition for your good deed on the post announcing a fix for the bug. What’s more, you’ll get the good vibes of knowing that you helped thousands of other people get to experience Furry Network on their preferred browser – Firefox!

Rules & Small Print

  • All submissions must be made via email to bugbounty [at] furrynetwork [dot] com, including all requested information above, in your initial email. Download links to virtual machines are acceptable.
  • The first valid entry which satisfies the above requirement will claim the Bug Bounty. As soon as reasonably possible after our staff has verified the suitability of the solution, we will announce the bug bounty as “claimed” and will accept no further entries. If you submit an entry before the announcement, you won’t be eligible to win the Bounty.
  • If we receive and accept a “steps to reproduce” entry, we may at our discretion accept a “pre-made virtual machine” entry, for a reduced bounty of $50.
  • Payment for the Bounty will be made in US Dollars via PayPal, or optionally mailed via US check. The receiver will be responsible for any and all PayPal and currency conversion fees.
  • By making a submission, you agree not to disclose details about the bug / vulnerability to anyone until it has been officially announced as fixed by Furry Network.
  • By default, Furry Network will announce the name of the winner of the Bounty publicly. You may request anonymity if you prefer; please make this clear in your initial entry. If you have an icon for yourself you’d like us to use for fun as part of our announcement, let us know.
  • By making a submission, you state that the contents of the Entry are your own work.
  • Furry Network may close the Bug Bounty to entries at any time, for any reason.
  • Furry Network reserves the right to exclude any Entries, or individuals submitting Entries at any time, for any reason.
  • Please don’t put a rootkit, virus or other exploits on the virtual machine, or try any other shenanigans. We’re trusting you, and hope you’ll extend the same courtesy to us.
  • Good Luck and Have Fun!

 

Next Steps

We expect to occasionally run Bug Bounties on Furry Network in the future, both to tackle issues we’re aware of, as well as to keep our users safe, by hunting down vulnerabilities that expose sensitive user information.

This is an experiment for us to see how things go – we’re keeping an open mind, but want to make sure that we are able to handle things proficiently before we consider making this a broader or longer-term program. As such, we’re not looking for general security holes just yet – though if you have a tip-off you want to throw our way as responsible disclosure, feel free to send it in to bugbounty@furrynetwork.com.

Thank you everyone!

-Varka and the Furry Network team