My Experience with eBay Bug Bounty Program


In January 2015, I participated in the eBay bug bounty program. At that time, bug bounty programs were not the same as they are now. The bug bounty industry has grown by almost 100% compared to last year, and every week a new bug bounty program starts on one of the bug bounty platforms.

I typically report a single issue (the first finding), and based on the bug bounty program communication, I then decide if I would like to test their services further.

After some quick searches, I found a subdomain called ebaycommercenetwork.com and started testing it for common flaws.

I noticed a Cross-Site Scripting issue on http://ebaycommercenetwork.com/kb/[Payload]. It only filtered the slash character `/`. The bypass was simply to hex-encode it, so `/` becomes `%2F`. Using the bypass, I generated a pop-up alert to demonstrate the existence of the XSS issue, as shown in the following screenshot:

You can imagine how much damage can be done with the above issue.
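The pattern behind that finding, as an added illustration that is not code from the original post or from eBay (whose code is not public): a hypothetical handler that strips one character from the still-encoded path segment, next to a hardened handler that decodes first, validates against an allow-list, and HTML-encodes on output. The function names, the allow-list pattern, and the probe string are all assumptions.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical reconstruction of the described behaviour: the deny-list
# check runs on the raw URL segment, but the framework decodes the value
# before reflecting it, so "%2F" survives the check and becomes "/".
def weak_kb_handler(raw_path_segment: str) -> str:
    filtered = raw_path_segment.replace("/", "")   # single-character deny-list
    return f"<h1>Article: {unquote(filtered)}</h1>"  # decoded after the check

# Hardened version:
#  1. decode before validating, so the check sees what the browser will see;
#  2. allow-list the article id instead of deny-listing characters;
#  3. encode for the HTML context at output time regardless of validation.
ARTICLE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed id format

def hardened_kb_handler(raw_path_segment: str) -> str:
    decoded = unquote(raw_path_segment)
    if not ARTICLE_ID.fullmatch(decoded):
        return "<h1>Article not found</h1>"
    return f"<h1>Article: {html.escape(decoded, quote=True)}</h1>"

def reflects_raw_markup(rendered: str) -> bool:
    """What a regression test should assert against: an unescaped script
    tag reaching the rendered page."""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    # Constructed probe: the closing tag's slash is encoded as %2F.
    probe = "<script>x<%2Fscript>"
    print("weak    :", weak_kb_handler(probe))
    print("hardened:", hardened_kb_handler(probe))
    print("benign  :", hardened_kb_handler("how-to-sell"))
```

Run it and the weak handler reflects the tag intact, while the hardened handler rejects the probe and still serves a benign id.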

Then, I reported the vulnerability to eBay via their bug bounty program contact. After a few clarifications from me, they acknowledged the existence of the vulnerability and filed a report for it. At that moment, I was glad about it and waited for them to fix the issue.

In February 2015, I contacted them to ask when a fix would ship. Whenever I asked when the fix would be shipped, they responded with a non-informative template email.

I had two options: the first option was to wait until the issue was fully fixed, and the second option was to disclose it after 45 days, which is a reasonable duration for companies to patch their application according to US-CERT.

I chose the first option for the following reasons. This choice is best for customers, as public disclosure might put users at risk if malicious users exploited the issue. Also, it is better for eBay’s reputation: breaches, valid public vulnerabilities, and full disclosures might affect the company’s reputation. Furthermore, I wanted to know how seriously they would work on patching the issue, although I fully understand it’s an easy-to-patch XSS issue that can be fixed with one line of code.

Each month, I checked whether the issue still existed, without finding any changes by the company. After a couple of months, I contacted them multiple times again to understand the delay in shipping the patch, and they always responded with the same template email.

I didn’t bother testing further for more flaws, as I knew at that point that it wouldn’t be fixed in a reasonable time frame (or perhaps it wouldn’t be fixed at all).

In December 2014, the issue still existed. I then checked it in February 2015: eBay had delivered a completely new web interface, and I can say that the issue has been fixed.

I contacted eBay Security, informing them that the issue had been patched and asking for my place on the eBay researchers’ acknowledgment page. They did not respond to my email, so I sent another email two weeks later, and nothing has been heard from them.

After checking the researchers’ page, eBay has not included my name on the company’s researchers’ acknowledgment page, although I waited 13 months for them to patch the issue.

Final Thoughts:

What you have read happens to many researchers. I have chosen the right thing to do with the vulnerability by reporting it immediately to the company. Still, some companies may have an official bug bounty program and don’t follow the proper steps in handling a private disclosure.

If you haven’t done so yet, you should read Bugcrowd’s blog. It has a lot of educational content for companies and researchers.

If you are planning to start a bug bounty program or already have one running, it will be better for both the company and the researcher if security issues are handled better and faster. I might be patient when reporting vulnerabilities to bug bounty programs, but I do not know how others would react in a similar situation.

Despite what happened, eBay is a well-reputed company, and I am glad to have participated in their program. I hope they plan to change their bug bounty program’s steps for handling a private disclosure for the better.

Update [June 12th, 2015]: eBay contacted me after this article was published, and they acknowledged me by listing my name on the Responsible Disclosure Acknowledgement Page.

Link: http://ebay.com/securitycenter/ResearchersAcknowledgement.html

Mazin Ahmed
