←back to thread

XBOW, an autonomous penetration tester, has reached the top spot on HackerOne

(xbow.com)
283 points summarity | 2 comments | 24 Jun 25 15:53 UTC | HN request time: 0.421s | source
Show context
mkagenius ◴[24 Jun 25 18:19 UTC] No.44369114[source]
> XBOW submitted nearly 1,060 vulnerabilities.

Yikes, explains why my manually submitted single vulnerability is taking weeks to triage.

replies(2): >>44369323 #>>44374572 #
tptacek ◴[24 Jun 25 18:37 UTC] No.44369323[source]
The XBOW people are not randos.
replies(1): >>44369375 #
lcnPylGDnU4H9OF ◴[24 Jun 25 18:40 UTC] No.44369375[source]
That's not their point, I think. They're just saying that those nearly 1060 vulnerabilities are being processed so theirs is being ignored (hence "triage").
replies(1): >>44369411 #
tptacek ◴[24 Jun 25 18:43 UTC] No.44369411[source]
If that's all they're saying then there isn't much to do with the sentiment; if you're legit-finding #1061 after legit-findings #1-#1060, that's just life in the NFL. I took instead the meaning that the findings ahead of them were less than legit.
replies(3): >>44369640 #>>44369966 #>>44370374 #
croes ◴[24 Jun 25 18:58 UTC] No.44369640[source]
Whether it is legit-finding is precisely what needs to be checked, but you’re at spot 1061.

>130 resolved

>303 were classified as Triaged

>33 reports marked as new

>125 remain pending

>208 were marked as duplicates

>209 as informative

>36 not applicable

20% bind a lot of resources if you have a high input on submissions and the numbers will rise

replies(1): >>44369723 #
tptacek ◴[24 Jun 25 19:03 UTC] No.44369723[source]
I think some context I probably don't share with the rest of this thread is that the average quality of a Hacker One submission is incredibly low. Like however bad you think the median bounty submission is, it's worse; think "people threatening to take you to court for not paying them for their report that they can 'XSS' you with the Chrome developer console".
replies(3): >>44370182 #>>44370892 #>>44371926 #
1. aspenmayer ◴[24 Jun 25 22:54 UTC] No.44371926[source]
I can’t speak to the average quality of submissions, as I’ve only made one to HackerOne myself iirc. I don’t even consider myself good at coding or aware of how to file a bug report or bounty submission. I reported that on iOS Coinbase app, that if you were on a VPN, the Coinbase app PIN simply didn’t exist anymore, and did not appear in the settings as enabled either. I included a full video of this occurring and it seemed reproducible. The Coinbase person said that this was not an issue because you would already need access to the physical device and know the iOS passcode; relevant to this is that at the time (2021) and maybe now, the Coinbase iOS app didn’t hook the iOS passcode for access control, like Signal or other apps do, but instead has its own app passcode. The fact that this was circumventable by adding and connecting to any VPN on the same iOS device seemed like a bug in the implementation, even if it is the code working as written. The issue was closed and I lost 5 HackerRank I think the points are called. It felt very hostile to my efforts that I lost points, since I don’t think that was justified. Perhaps that is just how the platform works for denied bug reports on HackerOne, but I have no way of knowing that, as the Coinbase report is the only time I used the platform.
replies(1): >>44374080 #
2. mkagenius ◴[25 Jun 25 06:08 UTC] No.44374080[source]
They have a concept of "rando" as you can see above. They don't usually say that out aloud.

Basically if you are new, the reviewer thinks "oh, a rando" and in his mind he has already downgraded the severity a bit.

It's unfortunately a kind of cartel at this point. Not full fledged and out but a low key cartel. They have a circle of friends whose csrf would also get better valuation. It's a sorry state.