Vulnerability report (Information disclosure of Logstash/Elastic creds)

I would like to share a vulnerability report regarding exposed Logstash credentials. I have confirmed that they are valid and can be used to gain access. I reached out to the bug bounty email you provided but have not received any updates yet. Please let me know where I can provide more details if further information is needed.

3 Likes

Heya … IDK if you’re very familiar with the Polkadot ecosystem but everything is quite decentralised. The downside of this is that it can be tricky to find the right person to answer queries, because loads of different people have responsibility for different areas and there is usually no obvious way to find out who.

I’m guessing when you say ‘bug bounty’ you mean this one?

And that the bug you found fits the criteria there, and that the address you emailed was security-report@web3.foundation?

If that’s the case, I would normally expect a reply within a week from them, so I can only guess they figured the bug was out-of-scope?

If you can confirm that it was that bounty and it was in scope, there are people in this forum from the Web3 Foundation who will be able to nudge the right people to reply.

When I read that page, though, it suggests to me that bugs affecting a website or domain would not be in scope. If that is the case, and no existing bounty exists for it, we can still do a referendum to give you a bounty but we would have to find the right people to assess your report.

Without compromising security, can you let us know if it is within the bounty I mentioned above? Or is it something affecting a website or domain and, if so, is it on a domain for Polkadot or Substrate, or for a parachain, or for something else?

This will probably be a longer process than you anticipated so apologies for that! :joy:

1 Like

I’ve got what I was looking for.

Thanks,

1 Like