public-bugbounty-programs
Porting disclose.io programs list to chaos
URL:- https://raw.githubusercontent.com/disclose/diodb/master/program-list.json
Is this still open or already implemented?
@rishabhmishra25, as the above list is missing domain details, this cannot be automated, so it will take some time to do it manually.
We can have a script that pulls the domains and emails and at least separate them to ease the work. @bauthard! If you can update me on the progress of how much of it has been done, I can try to write a script over the weekend maybe for the same.
Hi @rishabhmishra25,
Thank you. We are not actively working on this list, but since public programs are common, we can say a good number of programs are already included in the chaos list, with many left to add. That's not a point of worry, as we have a script which dedups the chaos-bugbounty-list.json list based on the name field.
The only information we need here is the domain name of the given bug bounty program. If you can automate that, we can import all, dedup them and merge them into the final list.
From the above list, here is a one-liner to fetch the required info, and domains is something we need to add on top of this.
```
curl -s https://raw.githubusercontent.com/disclose/diodb/master/program-list.json | jq 'map({program_name, policy_url,bug_bounty})'
```
@bauthard I'll try extracting domains via web scraping of each domain over the weekend for sure!
Hey! I'm looking at this issue and would like to contribute! Wanted to reiterate my understanding, as I'm new to this :)
- Looks like the goal is to add programs from the URL to the public-bugbounty-programs chaos-bugbounty-list.json
- The first entry in the programs-list links to a 404 for the policy_url and contact_url, so skip ones that do not have a current policy_url. Are there other criteria to skip programs? Looks like it is okay if there is no bounty or swag associated with the program.
- Domains associated with these added programs need to be found and added to the public-bugbounty-programs json
- Does this include subdomains? If so, is using PD's subfinder the best way to do this?
- Is this information to be found within the program policy?
- Is there a recommended tool or method for finding domains? Is Who.is a reliable tool for this?
Are there additional details that I've overlooked, or has someone else started on this? Thanks!
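An added example, not part of the thread or of the project's own tooling: a sketch of the script discussed above that takes the policy URL's host as a candidate domain, separates email contacts from URLs, and dedups by name. The output keys, the `PLATFORM_HOSTS` list, case-insensitive name matching and the sample records are assumptions; a candidate domain is only a starting point, since actual scope has to be confirmed from each program's policy.

```python
import json
from urllib.parse import urlsplit

# Hosts whose policy pages say nothing about the program's own domain (illustrative list).
PLATFORM_HOSTS = {"hackerone.com", "bugcrowd.com", "github.com"}

def candidate_domain(policy_url):
    """Return the policy page's host as a candidate domain, or None."""
    host = (urlsplit(policy_url or "").hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if not host or "." not in host or host in PLATFORM_HOSTS:
        return None
    return host

def split_contact(contact):
    """Classify a contact value as ('email', addr) or ('url', value)."""
    value = (contact or "").strip()
    if value.lower().startswith("mailto:"):
        value = value[7:]
    if "@" in value and "://" not in value:
        return ("email", value)
    return ("url", value)

def port_programs(dio_programs, existing_names):
    """Build entries for programs not already listed, deduplicated by name."""
    seen = {n.strip().lower() for n in existing_names}
    out = []
    for p in dio_programs:
        key = p.get("program_name", "").strip().lower()
        if not key or key in seen:
            continue  # unnamed, already in the target list, or a repeat
        seen.add(key)
        domain = candidate_domain(p.get("policy_url"))
        kind, contact = split_contact(p.get("contact_url"))
        out.append({"name": p["program_name"].strip(), "url": p.get("policy_url"),
                    "domains": [domain] if domain else [], "contact": {kind: contact},
                    "needs_manual_domains": domain is None})  # hypothetical review flag
    return out

# Constructed sample input (not real program data).
DIO_SAMPLE = json.loads("""[
 {"program_name": "Example Corp", "policy_url": "https://www.example.com/security", "contact_url": "mailto:security@example.com"},
 {"program_name": "Hosted Org", "policy_url": "https://hackerone.com/hosted-org", "contact_url": "https://hackerone.com/hosted-org"},
 {"program_name": "example corp", "policy_url": "https://example.com/vdp", "contact_url": "security@example.com"},
 {"program_name": "Already Listed", "policy_url": "https://listed.example/security", "contact_url": ""}
]""")
if __name__ == "__main__":
    print(json.dumps(port_programs(DIO_SAMPLE, ["Already Listed"]), indent=2))
```

Entries flagged `needs_manual_domains` are the ones whose policy lives on a shared platform and still need their domains filled in by hand.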