
feat: Introducing Bounty Hub, a central hub to import and manage your hackerone programs to reNgine #1410

Merged


Contributor

Woohoo @null-ref-0000! 🎉 You've just dropped some hot new code! 🔥

Hang tight while we review this! You rock! 🤘

@yogeshojha
Owner

@null-ref-0000 Excellent PR. I reviewed your PR and we need to make some changes. You do not have to worry, as I will be making the required changes; here is what I will do.

  1. The endpoints are authenticated endpoints; likely we need API keys from HackerOne. Though we have a HackerOne key input in the report section, that is for a different purpose (reporting), so we will have to move this API input to the API Vault section. This covers both, btw: we will have one input for the HackerOne API key, which will be utilized by both reporting and syncing the bookmarked organizations.

  2. I will also add a Sync option under the Quick Add option so we are able to manually sync the targets.

  3. Since we will be utilizing the HackerOne API already, it is a better idea for users to be able to import targets not only from bookmarked ones; we should let them search for a target and import it.
    For example, while adding the target we can have a search box that will search and import targets; we should let users choose which targets to import.

  4. We will take the logic out of Celery, as it will be overkill for this feature; I will put it inside api/views.

I will take care of these changes today.

For the rest, I must say an excellent feature and amazing PR! Loved it.

If you can help me with Bugcrowd as well, let me know. I haven't used Bugcrowd yet, or maybe even other bug bounty platforms like Intigriti; see if we can use them somehow with this feature.

@yogeshojha yogeshojha changed the base branch from master to release/2.2.0 September 1, 2024 12:05
@yogeshojha yogeshojha self-assigned this Sep 1, 2024
@@ -37,7 +37,7 @@ services:
- tool_config:/root/.config
- static_volume:/usr/src/app/staticfiles/
environment:
- DEBUG=0
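Review bot: The `DEBUG=0` line under `environment:` is the only setting this hunk touches in the compose file, and a debug flag flipped for local troubleshooting should not reach the release branch: with DEBUG enabled the application serves full tracebacks and configuration details to anyone who triggers an error. Drop this hunk so the shipped default stays `DEBUG=0`, and keep local overrides in an untracked compose override or `.env` file instead.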
Owner

nooo ;p

Contributor Author

my bad, forgot to revert this back after troubleshooting.

@yogeshojha
Owner

Unnecessary changes have now been removed; we can consider this an excellent base to start with.

@null-ref-0000
Contributor Author

I'll start working on similar features for Bugcrowd and Intigriti. Will submit individual feature requests and PRs.

"We will take the logic out of celery as it will be an overkill for this feature, I will put it inside api/views"

If we expand this, won't it be useful for this to run as a background job? When building it, I had it in api/views but thought maybe it was better as a background job, as we are reaching out to external APIs. The H1 APIs are fast, but as this feature expands the time to synchronize could grow, and thus a user waiting on the UI might be a bad experience?

"Since we will be utilizing the hackerone api already, it is a better idea for user to be able to import targets not only from bookmarked ones but we should let them search the target and import.
For example while adding the target we can have a search box that will search and import targets, we should let user's which targets to import."

Yeah, great idea. But instead of targets, perhaps we perform this search at the program/organization level? Searching all the scopes in H1, and in the future other programs, might be difficult depending on the API interface of the bug bounty programs.

@yogeshojha yogeshojha marked this pull request as draft September 2, 2024 00:07
@yogeshojha
Owner

@null-ref-0000 Look how excellent this PR has turned out! ;p


@null-ref-0000
Contributor Author

Wow, looks amazing!

@yogeshojha
Owner

yogeshojha commented Sep 4, 2024

Hey @null-ref-0000, this turned out to be more complex than I thought ;p

Check this out. If you have time, please test this out and let me know. But I want to let you know that this is a game-changing feature. Kudos to the submission!!!

Screencast.from.2024-09-04.21-10-41.mp4

This is automation to the next level ;p

@yogeshojha yogeshojha changed the title adding logic for a new feature to sync hackerone bookmarks Introducing Bounty Hub, a central hub to import your hackerone programs to reNgine Sep 5, 2024
@yogeshojha yogeshojha marked this pull request as ready for review September 5, 2024 01:47
@yogeshojha
Owner

@null-ref-0000 this is now ready and turned out really excellent.

If you can, test it out and let me know; otherwise check these videos out. What do you think?

For Importing Programs

Screencast.from.2024-09-05.07-18-28.mp4

For syncing Bookmarked Programs

Screencast.from.2024-09-05.07-20-29.mp4

If everything is good, I will go ahead and merge. In the next release I will target Intigriti; I checked out their API and it looks good!

@yogeshojha yogeshojha changed the title Introducing Bounty Hub, a central hub to import your hackerone programs to reNgine Introducing Bounty Hub, a central hub to import and manage your hackerone programs to reNgine Sep 5, 2024
@yogeshojha yogeshojha merged commit 00f3b57 into yogeshojha:release/2.2.0 Sep 5, 2024
2 checks passed

github-actions bot commented Sep 5, 2024

Holy smokes! 🤯 You've just made reNgine even more awesome!

Your code is now part of the reNgine hall of fame. 🏆

Keep the cool ideas coming - maybe next time you'll break the internet! 💻💥

Virtual high fives all around! 🙌

@yogeshojha
Owner

@null-ref-0000 I have merged this in the release/2.2.0 branch

If you wish to test, please test it out on release/2.2.0 and let me know.

Once again, thank you for this awesome feature request as well as initiating this PR! A huge thanks 🚀

@null-ref-0000
Contributor Author

null-ref-0000 commented Sep 6, 2024

@yogeshojha I've started testing; here are my observations:

  • The sync process is adding out-of-scope assets from H1.
  • It's not adding wildcard assets.
  • I also noticed we don't set a description on the organizations; should we indicate something like "synced from h1 bookmarks" or "imported from h1"?
  • The sync process is not removing unbookmarked programs.

I'll continue to test, and follow up with any additional observations.

Btw, on a future note, Bugcrowd doesn't have an API for security researchers. Intigriti does, so we should be able to add a similar feature for that bug bounty program.

@yogeshojha
Owner

@null-ref-0000 that's an interesting observation; do you know what keys are set for out of scope? Also, for the description, yes, I will add that.

Overall UI and performance: what do you think of it?

@yogeshojha
Owner

@null-ref-0000 Yes, Intigriti is super simple to implement as well; I checked it out yesterday. I will target 2.3 next month for Intigriti.

@null-ref-0000
Contributor Author

null-ref-0000 commented Sep 6, 2024

Overall, UI performance is excellent; the touches you have added for notifications make for a good user experience.

"eligible_for_submission": false is the key for out-of-scope assets.

This key is returned from the https://api.hackerone.com/v1/hackers/programs/{PROGRAM} API under "relationships": { "structured_scopes": { "data": [

@null-ref-0000
Contributor Author

null-ref-0000 commented Sep 6, 2024

If you're looking for a program for the wildcard issue, Sephora is a good public program. In this case it has one wildcard, and it doesn't even import because of the issue. In my original code I stripped out https://*. or *. from the wildcard assets. I think it's important that we support this asset type.
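A worked version of the two fixes discussed in this thread (dropping assets marked "eligible_for_submission": false, and reducing https://*. or *. wildcard identifiers to their main domain), written as an added example rather than code from this PR or from reNgine. The payload is constructed in the shape null-ref-0000 describes; apart from eligible_for_submission, the attribute name asset_identifier, the helper names and all values are my assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape described above for
# GET https://api.hackerone.com/v1/hackers/programs/{PROGRAM}:
# "relationships" -> "structured_scopes" -> "data". Only "eligible_for_submission"
# is named in the thread; "asset_identifier" and all values are my assumptions.
def _scope(identifier, in_scope=True):
    return {"attributes": {"asset_identifier": identifier,
                           "eligible_for_submission": in_scope}}

SAMPLE_PROGRAM = {"relationships": {"structured_scopes": {"data": [
    _scope("https://*.example.com"),        # wildcard with scheme
    _scope("*.hello.com"),                  # bare wildcard
    _scope("shop.example.com"),             # plain host
    _scope("legacy.example.com", False),    # out of scope: must not import
    _scope("*"),                            # no main domain: skip
    _scope("iOS app"),                      # not a domain: skip
]}}}

_HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")  # label(s) + TLD

def normalize_asset(identifier):
    """Return (main_domain, is_wildcard) or None if no domain is identifiable."""
    value = identifier.strip().lower()
    if "://" in value:
        value = urlparse(value).netloc     # drop scheme and path
    value = value.split("/")[0].split(":")[0]   # drop trailing path / port
    is_wildcard = value.startswith("*.")
    if is_wildcard:
        value = value[2:]                  # '*.example.com' -> 'example.com'
    if not _HOSTNAME.match(value):
        return None                        # '*', app names, garbage
    return value, is_wildcard

def importable_assets(program):
    """Sorted (domain, is_wildcard) pairs for in-scope assets only."""
    found = {}
    for scope in program["relationships"]["structured_scopes"]["data"]:
        attrs = scope["attributes"]
        if not attrs.get("eligible_for_submission", False):
            continue                       # out of scope: never import
        normalized = normalize_asset(attrs.get("asset_identifier", ""))
        if normalized is None:
            continue
        domain, is_wildcard = normalized
        # A domain listed both plain and as a wildcard keeps the wildcard flag.
        found[domain] = found.get(domain, False) or is_wildcard
    return sorted(found.items())
```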

@null-ref-0000
Contributor Author

For the out-of-scope issue, REI is a good program that highlights that issue, as they have 18 out-of-scope assets.

Screenshot_2024-09-05_22_08_46

@yogeshojha yogeshojha changed the title Introducing Bounty Hub, a central hub to import and manage your hackerone programs to reNgine feat: Introducing Bounty Hub, a central hub to import and manage your hackerone programs to reNgine Sep 6, 2024
@yogeshojha
Owner

@null-ref-0000 I have fixed them up, however:

  1. The sync process is not removing unbookmarked programs: this one will require a lot of work, plus we also need to ask the user whether they want to remove the programs that are unbookmarked, so let's target this for another release. I have noted this already and will be creating a feature request.

  2. It's not adding wildcard assets: now it's supported; however, where we can't identify the main domain it doesn't import. Otherwise, I checked domains like *.hello.com and they import successfully.

  3. I also noticed we don't set a description on the organizations; should we indicate something like "synced from h1 bookmarks" or "imported from h1"?: this has been added.


  4. For out-of-scope domains, this has been fixed as well.

If you want to test it out, fetch the latest 2.2.0 branch; all these changes have been merged there.

@yogeshojha
Owner

@null-ref-0000 hey man, what's your Twitter id? Since I will be posting this release update on Twitter, I would like to give you a shoutout!

@null-ref-0000
Contributor Author

null-ref-0000 commented Sep 9, 2024 via email

@yogeshojha
Owner

Hey @null-ref-0000, am I missing something?

Screenshot_20240909_200605_X.jpg
