Announcements

New bh tool has been released

The new tool officially supported has been released to talk to the BountyHub API.

The tool is open-sourced, and the code is available here.

It comes with installation instructions, and the future releases will be released under 0.x.x version. This will be true until the platform has the stable API (i.e. the platform is out of beta).

All examples in the docs are updated to use this tool. Looking forward to your feedback!

New workflow syntax has been released

The original workflow syntax was not powerful enough especially if you want to diff the previous invocations of the scan. You would have to workaround the issue, and the workaround was not pretty.

The new syntax is related to expressions:

  • The workflow on.expr now accepts the CEL based syntax.
  • The scans.[ID].steps[].if is also moved to accept CEL expressions.
  • Template is much powerful now, where the template is also a CEL expression that evaluates to string.

Most importantly, the expression engine now accepts the context, which is passed by the server. This requires a new version of the runner. Since the change is the breaking one, the new runner is also released under the 0.1.0 tag.

Since the service was not yet officially announced, the change was overwritten to avoid having newcomers running the old, outdated version.

The most important thing is that syntax right now is much more stable and much more powerful. This change will allow further extensions on the workflow, such as continuing the run even if some steps are failing.

Along with the runner, new bh tool is about to be released. Currently, it only allows downloading the results, which is enough for the runner to do its job. I'm not yet sure how to best distribute it, and your feedback will be very valuable.

One of the reasons this service is not yet announced to the broad audience is, so we can figure out the pain points with the smaller audience, and based on your feedback, we can build stuff that is more stable.

I would encourage joining the weekly call. This is the best way to get to know each other and to communicate face-to-face the issues you are having.

Lastly, please keep an eye on announcements. The new tool will be released soon and unfortunately, until then, you won't be able to create dependencies between scans. But I can promise that you won't wait long! With the new tool, the runner documentation will also be improved, and more examples will be added to make it easier to maintain your runner installation.

Thank you for using this platform!

Callback servers and payloads

New features are added to help find blind vulnerabilities. You can now register the server and listen to interactions to catch blind vulnerabilities. Server is listening on HTTP and HTTPS ports and is basically always live! Read more about this feature here.

Also, payloads are added to have a single place where you store payloads. Variables are also added, so you can replace and copy them quickly. Read more about payloads here.

Check it out! And please, do not hesitate to provide feedback ๐Ÿ˜Š!

BountyHub is in Alpha

BountyHub is now in alpha version. There are a lot of missing pieces and likely bugs, but hopefully, you will stick with it, and it is going to be awesome! For any feature requests, please submit a support ticket or e-mail me at nikola.jokic@bountyhub.org.

There is also a weekly call. Feel free to join!

Edit this page on GitHub
Table of Contents