New action workflow to detect duplicate domains in PR.

Expected flow -

if jq -r .programs[].domains[] chaos-bugbounty-list.json | wc is not equals to jq -r .programs[].domains[] chaos-bugbounty-list.json | sort -u | wc, workflows should fail.

The idea is to compile a list of publicly available bbp/vdp programs in a structured manner that can be consumed by a program to index subdomains of given domain and publish it at https://chaos.projectdiscovery.io

Format

{
   "name":"HackerOne",
   "url":"https://hackerone.com/security",
   "bounty": true,
   "swag": true,
   "domains":[
      "hackerone.com",
      "hackerone.net",
      "hacker101.com",
      "hackerone-ext-content.com"
   ]
}

Reference

https://github.com/arkadiyt/bounty-targets-data
https://github.com/disclose/diodb/blob/master/program-list.json
https://firebounty.com

Because it's not a bug bounty program

I made a pull request for adding the wind stream program in public-bugbounty-programs, and my PR got merged. But in https://chaos.projectdiscovery.io/#/ the Subdomains for winddtream shows 0.

chaos -d getwindstream.com -count

Example input:-

{
   "name":"HackerOne",
   "url":"https://hackerone.com/security",
   "bounty":true,
   "swag":true,
   "domains":[
      "hackerone.com",
      "hackerone.net",
      "hacker101.com",
      "hackerone-ext-content.com"
   ],
   "network":[
      "66.232.20.0/23",
      "206.166.248.0/23",
      "66.232.20.1"
   ]
}

It is getting more common for programs to have an *.sub.example.com scope. Would these be valuable/relevant to add to this list if they don't have a *.example.com scope, too?

Also, many programs will list a wildcard subdomain scope (*.example.com) but then list specific subdomains as out of scope. Is there a way to define these? They can change often so it may be best to leave it as is, and for researchers to verify the current program scope before testing (which hopefully they already do).

Hi,

I opened a PR as you can see from here: #450 and it is merged. Although I saw the program on the site for the first few days, I couldn't see it afterwards. Is there a bug here?

Also, this problem is occurred more than one program as I can see. I search for "Agicap", "Sendcloud" etc. and can't see any result on https://chaos.projectdiscovery.io/

To avoid adding or keeping programs of which the program policy is not accessible publicly or changes with time, we can add automation preferably using httpx to match for 200 status code for the followings -

• Check for newly program URLs added in each Pull request.
• Check for all program URLs in bbp list with scheduled GH workflow run.

Test should be failed for URLs with non 200 status code.

Anything else

#462

From #703, would be good to have a defined JSON schema and then use something like https://github.com/marketplace/actions/validate-json to validate that schema on all PRs

The sorting itself should be case insensitive and as easy as:

fetch('https://cdn.jsdelivr.net/gh/projectdiscovery/public-bugbounty-programs@master/chaos-bugbounty-list.json')
.then(response => response.json())
.then(data => {
    data.programs.sort(function(a,b) { return a.name.toLowerCase() > b.name.toLowerCase() })
    return data
})
.then(data => console.log(JSON.stringify(data)))

Current workflow: https://github.com/projectdiscovery/public-bugbounty-programs/blob/master/.github/workflows/json-sorting.yml

New action workflow to detect invalid domain input in PR

As per allowed json spec:

{
   "name":"HackerOne",
   "url":"https://hackerone.com/security",
   "bounty": true,
   "swag": true,
   "domains":[
      "hackerone.com",
      "hackerone.net",
      "hacker101.com",
      "hackerone-ext-content.com"
   ]
}

domains fields should only contain root domain names, not subdomain, URLs, wildcard or anything except root domain name.

Workflows should detect and fail upon invalid domain input under domains block for incoming PRs

Hi,

A lot of program has out of scope subdomain. Testing on these subdomains are prohibited.

As you can see below, these programs on Chaos have millions of enumerated subdomain where 99% are out of scope :

Like we have in nuclei-templates for YAML.

Hi,

Some companies or organization have their own TLD where every domain are in scope. These are called Brand TLDs.

Example:

• DoD: *.mil
• Apple: *.apple

You can find all brand TLDs here : https://brandtld.news/tld/

• This should be altered to domains

from https://github.com/projectdiscovery/public-bugbounty-programs/blob/main/pkg/dns/dns.go#L27-L36

func ValidateFQDN(value string) bool {
	// check if domain can can be parsed
	tld, err := publicsuffix.EffectiveTLDPlusOne(value)
	if err != nil {
		return false
	}

	// check if top level domain is equal to original and it's a valid domain name
	return tld == value && govalidator.IsDNSName(tld)
}

flagging ngrok.io as invalid domain - https://github.com/projectdiscovery/public-bugbounty-programs/actions/runs/5364609119/jobs/9732904993

Hi Team

Can we have a feature tab like swag

Just like we have rewards , no rewards

URL:- https://raw.githubusercontent.com/disclose/diodb/master/program-list.json

First one at

Second one at

{ "name": "sidefx", "url": "https://hackerone.com/sidefx", "bounty": true, "domains": [ "sidefx.com" ] }

Source:- https://github.com/arkadiyt/bounty-targets-data/blob/master/data/wildcards.txt

This is a good source, but need to find a way to differentiate the program name, so it can be added in the expected format.

Description

usually eTLD's don't resolve to ip . since its general use case is to act like TLD however lot of orgs host services on eTLD.
Example below are eTLD and some of them have resolve which some not

echo -e "ngrok.io\nco.uk\nai" | dnsx -resp

      _             __  __
   __| | _ __   ___ \ \/ /
  / _' || '_ \ / __| \  / 
 | (_| || | | |\__ \ /  \ 
  \__,_||_| |_||___//_/\_\

		projectdiscovery.io

[INF] Current dnsx version 1.1.4 (latest)
ngrok.io [34.210.2.84] 
ai [209.59.119.34] 

ValidateFQDN function used for validation of root domains does not consider this use case which classifies ngrok.io and ai as invalid domains here but some of them are valid (ex: http://ai 😆 )

Proposed Changes

• for proper validation check if given domain is eTLD if so try to resolve it using retryabledns if resolved then it is considered as valid domain if not then it is suffix(i.e not valid for this repo)

*.mil add these to chaos dod subs hackerone

Hi, what does one need to do to get intigriti.com results in chaos?