Comment by bawolff

3 hours ago

I hope I'm not coming off dismissive, this really is cool research.

> it's usually the opposite with it being not even accepted by many bug bounty programs.

As someone who has been on the other end of bug bounties, it's because clickjacking reports are a massive spam magnet. 99% of reports are not really vulns (e.g. no xfo header on a static website with no user auth is not a vuln), and it's just not worth sorting through.

> I've been able to make realistic attacks against multiple targets. Many services, such as Google Docs, need to enable cross-origin framing for their functionality.

The Google Docs thing is really cool. However I think services that need authenticated frames are few and far between. Now that cookies on frames tend to be opt in, I think the number of vulnerable services is going to go way down. It's not going to be 0, but it's going to be pretty limited.

I don't think invalid spam reports mean something is overrated. Spam reports are spam reports. That'd be like saying buffer overflows are overrated because there are a bunch of AI-generated invalid spam reports with them.

A valid report needs to demonstrate a realistic attack scenario, and I think that's the approach bug bounties should take.

I think a good example is Google with its stance on open redirects[0]. They won't accept a report just pointing one out, but they will accept one that "can demonstrate that its impact goes beyond phishing".

[0] https://bughunters.google.com/learn/invalid-reports/web-plat...

  • I agree in the ideal scenario. However I think lots of bug bounties are understaffed and sometimes people make the pragmatic choice.