gerobug: Open Source Self-managed Bug Bounty Platform
Gerobug
Open source private (self-managed) bug bounty platform.
Are you a company planning to run your own bug bounty program on a minimal budget? We've got you covered!
We are aware that some organizations have had difficulty establishing their own bug bounty program.
Even if you know what you're doing, using a third-party managed platform usually comes with a hefty price tag and added security concerns.
On the other hand, building your own independently run platform takes time and effort to build and maintain.
Why Gerobug?
- Easy: Get your bug bounty program running with a single command
- Secure: Gerobug receives reports through an email parser to minimize security risks
- Open Source: It is FREE.
Bug Bounty Flow
By default, the flow of Gerobug’s Bug Bounty Program is as follows:
| No | State | Description |
|---|---|---|
| 1 | Need to Review | The first state when a report is received; the company reviews it and decides whether it is valid or invalid |
| 2 | In Review | If the report is valid, the next state is 'In Review', where the company determines how to fix the bug, etc. |
| 3 | Fixing | In this state, the bug is being fixed |
| 4 | Fixing (Retest) | After the fix, a retest should be done to make sure the bug is fully fixed |
| 5 | Bounty Calculation | After the bug is fixed, the company determines the severity and the bounty the Bug Hunter will receive |
| 6 | Bounty in Process | If the Bug Hunter agrees, the bounty is processed. In this state, some information and an NDA may be required |
| 7 | Complete | After the bounty has been processed, the report is complete |
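The seven-state flow above is a small state machine: each state has a fixed set of allowed next states, a retest can fail and send the report back to Fixing, and the bounty is only processed once the Bug Hunter agrees. The following is an added example of enforcing that flow, written for this README and not taken from Gerobug's own code; the `INVALID` terminal state for rejected reports is an assumption, since the table only lists the seven states on the happy path.

```python
from enum import Enum

# Default states from the flow table, plus an assumed terminal INVALID state (not in the table).
class State(Enum):
    NEED_TO_REVIEW = "Need to Review"
    IN_REVIEW = "In Review"
    FIXING = "Fixing"
    RETEST = "Fixing (Retest)"
    BOUNTY_CALCULATION = "Bounty Calculation"
    BOUNTY_IN_PROCESS = "Bounty in Process"
    COMPLETE = "Complete"
    INVALID = "Invalid"

# Allowed next states: a failed retest goes back to Fixing; Complete and Invalid are terminal.
TRANSITIONS = {
    State.NEED_TO_REVIEW: {State.IN_REVIEW, State.INVALID},
    State.IN_REVIEW: {State.FIXING},
    State.FIXING: {State.RETEST},
    State.RETEST: {State.FIXING, State.BOUNTY_CALCULATION},
    State.BOUNTY_CALCULATION: {State.BOUNTY_IN_PROCESS},
    State.BOUNTY_IN_PROCESS: {State.COMPLETE},
    State.COMPLETE: set(),
    State.INVALID: set(),
}

class Report:
    def __init__(self):
        self.state = State.NEED_TO_REVIEW
        self.history = [State.NEED_TO_REVIEW]  # audit trail of every state change

    def advance(self, new_state, hunter_agreed=False):
        # Reject anything the flow does not allow (skipped states, moves out of a terminal state).
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state.value} -> {new_state.value} is not allowed")
        # Guard from the table: the bounty is only processed once the Bug Hunter agreed.
        if new_state is State.BOUNTY_IN_PROCESS and not hunter_agreed:
            raise ValueError("bounty needs the Bug Hunter's agreement")
        self.state = new_state
        self.history.append(new_state)
        return self.state

def run_default_flow(report, first_retest_passes=True):
    # Walk a report through the default flow; returns the state names visited.
    for s in (State.IN_REVIEW, State.FIXING, State.RETEST):
        report.advance(s)
    if not first_retest_passes:  # fix was incomplete: back to Fixing, then retest again
        report.advance(State.FIXING)
        report.advance(State.RETEST)
    report.advance(State.BOUNTY_CALCULATION)
    report.advance(State.BOUNTY_IN_PROCESS, hunter_agreed=True)
    report.advance(State.COMPLETE)
    return [s.value for s in report.history]
```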
Main Features
- Homepage: This should be the only page accessible by the public; it contains the Rules and Guidelines for your bug bounty program.
- Email Parser: Bug Hunters submit their findings by email, which Gerobug parses, filters, and shows on the dashboard.
- Auto Reply and Notification: Bug Hunters' inquiries are replied to automatically, and they are notified of any updates on their report. The company is also notified via Slack when a new report arrives.
- Report Management: Manage reports easily using a kanban model.
- Report Filtering and Flagging: Reports from Bug Hunters are filtered and flagged when there is an indication of a duplicate.
- Email Blacklisting: Gerobug can temporarily block and release email addresses that have been sending spam.
- Auto Generate Certificate: We can generate certificates of appreciation for bug hunters so you don't have to 😉
- Hall of Fame / Wall of Fame / Leaderboard: Yeah, we have it too.
TODO
- Feature for Bug Hunters to Check the Status of All Their Reports (Overview)
- Improve Notifications and Confirmations (Mailbox Active/Invalid, Email Sent to Bug Hunter, Current Mailbox, etc.)
- Implement Global Dynamic Variables (Email, URL)
- Add Email Template Setting
- Add Support for Other Mailboxes (Outlook, Apple, etc.)
- Add Integrated CVSS/OWASP Risk Calculator
- Add Forced Prompt to Change Default Password and Setup Mailbox
- Add RBAC for Admin Users
- Add More Settings for Admin (Slack Webhooks)
- Add Flow Control (Custom Status, Add / Remove Status)
- Improve Duplicate Detection Algorithm
- Improve Backend Performance and Efficiency
- Improve Logging Module
- Split Homepage and Dashboard Endpoint
- Split Dashboard and Parser (API)
Install & Use
Copyright (C) 2023 @VGR6479, @as3ng, @jessicaggan