Where can I report SocialEngine Security Vulnerabilities? (hackerone.com)
I have just set up a new website http://www.bbhq.net and even though there is no invite to attack the site, I am getting loads of vulnerability reports in SocialEngine.
I would like to put a copy of my site up on hackerone for it to be hacked, but I need the assistance of SocialEngine for this exercise as clearly any bugs reported would be in this product and would require fixing.
It costs nothing to do (if you are not offering rewards for bugs), but would be an excellent thing to do to help protect SocialEngine customers and users of their websites.
Please could someone from SocialEngine contact me - mark@blsecurity.com so we can discuss this.
A project like this benefits everyone.
All the best

    • 2
    Stepan Mazurov We're happy to collect any vulnerabilities you might discover at support@socialengine.com
    • 1
    Mark Litchfield Sorry, I am new to this forum. Okay, I will endeavor to get this set up over the next couple of days.
    • 1
    Mark Litchfield Great. I was hoping for a more involved approach than just a support@ address. Do you not have a Security@ address? When this "hack challenge" is launched, I think you will be extremely surprised as to the amount of submissions you will receive in a very short period of time.
    Would you be able to email me directly rather than within this forum - mark[at]blsecurity[dot]com
      • 3
      Stepan Mazurov Only send vulnerabilities that are in our code, not the hosting, server, php version. Only send ones that have clear reproductive steps, and finally ones that pose clear danger. Also, it would benefit if you used a reply button, instead of creating a new comment every time.
    • 1
    Mark Litchfield UX bugs are one thing. Security vulnerabilities are an entirely different story. Why would someone release a security vulnerability to an open forum for anyone to read? You are giving anyone the keys to their app / database. Security issues should be reported in private to the relevant developers. It's called Responsible Disclosure!!
    I am extremely surprised by your response; and you are a 3rd party developer. I would have hoped for a better attitude towards security than you have.
      • 1
      seTweaks Send the report to SE and they will fix them.
    • 1
    Mark Litchfield I will not release any reports until SE have patched the issues.
      • 1
      seTweaks How can they patch the issues when you're not releasing your "vulnerability report"? Patches come after reports. As I assumed, this post is just an ad for hackerone with false claims.
    • 1
    Mark Litchfield I can set up my own project on HackerOne for BBHQ and add some members of your staff as program members / managers, then you will be able to see the bug reports in real time. I use your product and I will need these issues fixed, as will all your customers.
      • 1
      seTweaks I'm not from SE. We're one of the 3rd party developers. You mentioned you have a "vulnerability report" and I would like to see that. You can also report the bugs here: https://github.com/socialengine/phpv4-issues
    • 1
    Mark Litchfield No this is not an Ad for HackerOne!! SocialEngine is rife with XSS and a number of attacks can be targeted specifically against the Site Administrator. You do not even have to use HackerOne, just set up a site that is open for people to hack. You will be flooded with reports.
    • 1
    seTweaks If this is not just an ad for hackerone I would like to see the report.