159 points botanica_labs | 2 comments
mmsc No.45670037
> after having received a lukewarm and laconic response from the HackerOne triage team.

A slight digression but lol, this is my experience with all of the bug bounty platforms. Reporting issues which are actually complicated or require an in-depth understanding of technology is brickwalled, because reports of difficult problems are written for ... people who understand difficult problems and difficult technology. The runarounds are not worth the time for people who try to solve difficult problems because they have better things to do.

At least Cloudflare has a competent security team that can step in and say "yeah, we can look into this because we actually understand our whole technology". It's sad that to get through to a human on these platforms you have to effectively write two reports: one for the triagers who don't understand the technology at all, and one for the competent people who actually know what they're doing.

tptacek No.45670225
The backstory here, of course, is that the overwhelming majority of reports on any HackerOne program are garbage, and that garbage definitely includes 1990s sci.crypt style amateur cryptanalyses.
CaptainOfCoit No.45670315
> 1990s sci.crypt style amateur cryptanalyses

Just for fun, do you happen to have any links to public reports like that? Seems entertaining if nothing else.

CiPHPerCoder No.45670567
Most people don't make their spam public, but I did when I ran this bounty program:

https://hackerone.com/paragonie/hacktivity?type=team

The policy was immediate full disclosure, until people decided to flood us with racist memes. Those didn't get published.

Some notable stinkers:

https://hackerone.com/reports/149369

https://hackerone.com/reports/244836

https://hackerone.com/reports/115271

https://hackerone.com/reports/180074

lvncelot No.45671298
That last one has to be a troll, holy shit.
CaptainOfCoit No.45671629
From another bogus report from the same actor: https://hackerone.com/reports/180393

> Please read it and let me know and I'm very sorry for the last report :) also please don't close it as N/A and please don't publish it without my confirm to do not harm my Reputation on hacker on community

I was 90% sure it was a troll too, but based on this second report I'm not so sure anymore.

nightpool No.45673946
I like the bit where he tried to get paid by HackerOne for the bug you reported:

     i think there a bug here on your last comment. can i report it to hackerone ? they will reward me ?