Automating triage work around HackerOne

[lirantal]

Pitch: triaging reports is somewhat cumbersome and involves manual processes in terms of form setup, gathering information, and finally building the vulnerability JSON file to PR on the repo.

I would like to tackle the above through [bot] automation around the HackerOne platform:

• Once a report has been submitted for a module, a bot can lookup the stats for the module, author information, etc. and post it back to the HackerOne report discussion.
• When maintainers are not reachable, the bot can automatically open a generic security issue invite on the related module's repo. It may also actually e-mail the maintainers or provide the e-mail template to use for that.
• Upon report closing the bot can open a PR to the repo with the JSON file contents, or post that to the HackerOne discussion so it can be PRed manually.
• The bot can be triggered with a webhook to tweet/share publicly disclosed vulnerabilities for reach and awareness in the community.

Would be happy to get some feedback on that.

Reed, could you help us understand what can we do with regards to API connectivity / webhooks on HackerOne?

[drifkin]

Great idea! The first one especially. The second one makes me a little nervous in that it will be public and automatically posted? (Or maybe I'm misunderstanding).

[ChALkeR]

I don't like the second one — it shouldn't be done automatically without human confirming that explicitly.

1. There might be critical-level issues in popular modules when you absolutely don't want to give hits to attackers.
2. Also just opening such issues for even non-critical issues in popular modules will make their users confused and panicing.
3. Also there could be timing (or other) information from other channels that would give the attacker hints of what type of the issue that is.

Might be fine for insignificant modules, though.

[ChALkeR]

Also, the whole «let's give an internet-facing bot access to all the security issues» thing is rather worrisome.
I would prefer to see that as a set of tools that could be invoked manually on someones machine to simplify work.

[lirantal]

I share the same concern about such integration since it will be yet another attack surface but let's try to focus on what we want to achieve and we can easily start with just tooling.

• The first item is more of a nice to have and eases the submitter, not the triaging process, which is currently our scalability problem.
• The second item isn't about being automatic in terms of threshold but rather it can be invoked and then will automatically open an issue or send an e-mail to the maintainer, where the latter mitigates all 3 points raised @ChALkeR.

A chatbot you can invoke from the actual discussion chat would be nice but then we'd have to authorize only the security wg members to use it, etc.

[reedloden]

@lirantal

Reed, could you help us understand what can we do with regards to API connectivity / webhooks on HackerOne?

https://api.hackerone.com/docs/v1 has all the API specifics. However, as discussed on Slack, you can use the (undocumented) JSON endpoints for things that aren't provided by the API. If there are specific things not provided by the API, just let me know, and I'll make sure they are filed for future implementation.

We don't currently support any form of webhook (outside of our JIRA integration) at this time.

[lirantal]

Ok thanks!

[sam-github]

Is this worth keeping open? @lirantal are you still working on this, or did #234 complete it?

[lirantal]

I think we're at a good point right now and don't need further bots automation, let's close.