
gerobug's Introduction

Gerobug: The First Open Source Bug Bounty Platform.


(Badges: CodeQL, License, Black Hat Arsenal)

Gerobug

The first open source self-managed bug bounty platform.

Are you a company planning to run your own bug bounty program on a minimal budget?

WE GOT YOU!

We are aware that some organizations have had difficulty establishing their own bug bounty program.
Using a third-party managed platform usually comes with a hefty price tag and security risks. (If you know, you know...)
On the other hand, creating your own self-managed platform takes time and effort to build and maintain.


Why Gerobug?

  • EASY        : Have your bug bounty program running with a single command
  • SECURE      : Gerobug uses an email parser and network segregation to minimize security risks.
  • OPEN SOURCE : It is FREE.

(Minimum) Recommended Specification

  • Ubuntu 24.04
  • vCPU 2 Core
  • RAM 2 GB
  • HDD 16 GB

Requirements

  • Gmail or Outlook mailbox with an app password configured
  • VPN Server (Recommended for Production Server)
  • Domain for HTTPS (Recommended for Production Server)
  • Ports 80, 443 and 6320 available (HTTP, HTTPS and the dashboard)
  • Python 3.x
  • Docker
  • Docker Compose v2

(You don't need to install anything manually, we'll do it for you!)


Deployment and Usage

To deploy gerobug:

  1. Clone this repository
git clone https://github.com/gerobug/gerobug
cd gerobug
  2. Run the setup script:
./gerobug.sh
  3. Follow the setup instructions (read the documentation for details)
  4. By default, the Gerobug dashboard listens on port 6320

Access the login page at http://[Domain/IP]:6320/login

Credential
Username : geromin
Password : randomly generated at gerobug/gerobug_dashboard/secrets/gerobug_secret.env


You can read the detailed documentation here


Main Features

  • Network Segregation
    All services run in separate containers. Public users should only be able to access the static page (rules and guidelines).

  • Easy and Quick Installation
    Use our run script to install Gerobug; it's quick and easy!

  • HTTPS Implementation
    Automated HTTPS configuration using NGINX and Let's Encrypt.

  • Homepage
    This should be the only page accessible by public, which contains Rules and Guidelines for your bug bounty program.

  • Email Parser
    Bug hunters submit their findings by email, which Gerobug parses, filters, and shows on the dashboard.

  • Auto Reply and Notification for Bug Hunters
    Bug hunters' inquiries are automatically replied to, and they are notified if there are any updates on their report.

  • Notification Channel
    The company will also be notified via Slack/Telegram if there is any new report.

  • User Management
    Gerobug has role-based user management.

  • Report Management
    Manage reports easily using a kanban model dashboard.

  • Report Filtering and Flagging
    Reports from bug hunters are filtered and flagged if there are indications of a duplicate.

  • CVSS / OWASP Risk Calculator
    Gerobug has an integrated CVSS / OWASP Risk Calculator to support the bug review process.

  • Email Blacklisting
    Gerobug can temporarily block and release emails that conducted spam activity.

  • Auto Generate Certificate
    We can generate certificate of appreciations for bug hunters so you don't have to ;)

  • Personalization
    You can customize Gerobug to fit your brand colors

  • Logging and Log Rotation
    Gerobug has an internal audit log with log rotation enabled

  • Hall of Fame / Wall of fame / Leaderboard
    Yeah we have it too


Feedback

If you have any feedback, please reach out to us at [email protected]

gerobug's People

Contributors: as3ng, jessicaggan, truebad0ur, vgr6479


gerobug's Issues

Nginx ports still exposed regardless of settings provided to ./run.sh

Here is my setup:

 ______     ______     ______     ______     ______     __  __     ______
/\  ___\   /\  ___\   /\  == \   /\  __ \   /\  == \   /\ \/\ \   /\  ___\
\ \ \__ \  \ \  __\   \ \  __<   \ \ \/\ \  \ \  __<   \ \ \_\ \  \ \ \__ \
 \ \_____\  \ \_____\  \ \_\ \_\  \ \_____\  \ \_____\  \ \_____\  \ \_____\
  \/_____/   \/_____/   \/_/ /_/   \/_____/   \/_____/   \/_____/   \/_____/


================================================================================
Gerobug v2.3 (PRODUCTION READY)
================================================================================

================================================================================
---------------------------------
Welcome to the Gerobug Installer!
---------------------------------
My name is Gero and I will assist you through the installation :)
I need to ask you a few questions before starting the setup.

Server Public IP : <snip>
Is it correct?
   1) YES
   2) NO
Your choice [1-2]: 1

Server Internal IP : <snip>
Is it correct?
   1) YES
   2) NO
Your choice [1-2]: 2
Enter Internal / Secondary IP (example: 127.0.0.1): 127.0.0.1

Do you have a domain that you want to use?
example: demo.gerobug.com
   1) YES (I will help to implement HTTPS using lets encrypt for you)
   2) NO  (Gerobug will use HTTP instead of HTTPS) [NOT RECOMMENDED FOR PRODUCTION]
Your choice [1-2]: 2
Gerobug will not implement HTTPS [NOT RECOMMENDED FOR PRODUCTION]
A domain is required to setup HTTPS

Run this script again later when you have a domain to setup HTTPS
or you can change the nginx config manually

Do you have a VPN Server on the network?
   1) YES (Gerobug Dashboard will only accept connection from internal IP)
   2) NO  (Gerobug Dashboard will be accessible from public) [NOT RECOMMENDED FOR PRODUCTION]
Your choice [1-2]: 1

Gerobug Dashboard will only accept connection from INTERNAL IP
So a VPN Server will be required
If you face any trouble, read the documentation :)

Okay, that was all I needed. We are ready to setup Gerobug server now.
Press any key to continue...
================================================================================

So I set my internal IP, chose HTTP only, and set it to only accept connections from the local IP.

And then after it's running, docker compose ps shows:

gerobug-nginx-1       gerobug-nginx       "/docker-entrypoint.sh nginx -g 'daemon off;'"
nginx       11 seconds ago   Up 10 seconds
0.0.0.0:80->80/tcp, :::80->80/tcp,
0.0.0.0:443->443/tcp, :::443->443/tcp,
0.0.0.0:6320->6320/tcp, :::6320->6320/tcp

So ports 80, 443, and 6320 are all exposed publicly on the machine. Even if there are safeguards in place in the nginx config, the ports are still exposed.

This is because in the docker-compose.yml file, the ports are set like so:

  nginx:
    build: ./nginx
    ports:
      - "80:80"
      - "443:443"
      - "6320:6320"

In the absence of a binding address, compose defaults to 0.0.0.0.

Suggestions

1. I suggest that during the ./run.sh process, it saves the given settings to a .env file (which compose reads by default), something like this:

BIND_ADDRESS=<public or local ip, as chosen during the setup>
HTTP_PORT=<the port chosen during setup>
HTTPS_PORT=<the port chosen during setup>
DASHBOARD_PORT=<the port chosen during setup>

And then the compose file changed to something like this:

  nginx:
    build: ./nginx
    ports:
      - "${BIND_ADDRESS}:${HTTP_PORT}:80"
      - "${BIND_ADDRESS}:${HTTPS_PORT}:443"
      - "${BIND_ADDRESS}:${DASHBOARD_PORT}:6320"

You'll notice I also separated the ports out to be configurable as well. I think this is an important option. For example, on the server I wish to run gerobug on, I already have 80 and 443 bound, so I have to edit the compose file manually to make it work.

2. Only bind the HTTPS port if HTTPS is selected

I'm actually not sure how to do this, but it would be a nice way to keep the ports clean and reduce confusion for developers.

I would make a PR, but I think this requires some decisions that I wouldn't want to impose on you guys :)
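The exposure described in this issue is easy to miss because nginx allow/deny rules live inside the container while the host socket is bound by Docker, and a port published on 0.0.0.0 is reachable from every interface (and bypasses a ufw/iptables INPUT policy, since Docker inserts its own forwarding rules). The following is an added example, not code from the issue author or the gerobug project: a small audit script that parses the Compose short port syntax and the Ports column of `docker compose ps`, and reports which host bindings sit on a wildcard address. The port strings in the `__main__` block are constructed to mirror the compose file and `docker compose ps` output quoted above; the parsing rules follow Docker's documented short syntax (an omitted host IP means all interfaces), and `docker compose config` is the real subcommand that prints the file with `${VARS}` expanded.

```python
"""Audit published ports from docker-compose.yml and `docker compose ps`.

Added example for this issue, not code from the gerobug project. It parses
the Compose short port syntax and the Ports column of `docker compose ps`,
then reports which host bindings sit on the wildcard address (0.0.0.0 / ::),
i.e. are reachable from every interface regardless of what nginx allows.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

WILDCARDS = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class Binding:
    host_ip: str        # address the host socket is bound to
    host_port: str      # "" when Docker picks an ephemeral port
    container_port: str
    proto: str = "tcp"


def classify(b: Binding) -> str:
    """'unresolved' for unexpanded ${VARS}, 'public' for wildcard binds,
    otherwise 'bound' (a specific address such as 127.0.0.1 or a VPN IP)."""
    if "$" in b.host_ip or "$" in b.host_port:
        return "unresolved"
    return "public" if b.host_ip in WILDCARDS else "bound"


def parse_compose_port(spec: str | int) -> Binding:
    """Parse the Compose short syntax: CONTAINER, HOST:CONTAINER,
    IP:HOST:CONTAINER or IP::CONTAINER, with an optional /tcp or /udp.
    An omitted IP is Docker's default: all interfaces (0.0.0.0 and ::)."""
    spec, proto = str(spec).strip(), "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    # Bracketed IPv6 literal, e.g. "[::1]:80:80" or "[::]:80:80"
    m = re.fullmatch(r"\[([^\]]+)\]:(\d*(?:-\d+)?):(\d+(?:-\d+)?)", spec)
    if m:
        return Binding(m.group(1), m.group(2), m.group(3), proto)
    parts = spec.split(":")
    if len(parts) == 1:
        return Binding("0.0.0.0", "", parts[0], proto)
    if len(parts) == 2:
        return Binding("0.0.0.0", parts[0], parts[1], proto)
    if len(parts) == 3:
        return Binding(parts[0], parts[1], parts[2], proto)
    raise ValueError(f"unrecognised port mapping: {spec!r}")


# "0.0.0.0:80->80/tcp", ":::80->80/tcp", "[::1]:6320->6320/tcp" or "80->80/tcp"
PS_PORT_RE = re.compile(r"(?:(\[[^\]]+\]|[\d.]+|::):)?(\d+)->(\d+)/(tcp|udp)")


def parse_ps_ports(column: str) -> list[Binding]:
    """Parse the Ports column printed by `docker compose ps` / `docker ps`.
    Unpublished ports ("9000/tcp", no "->") are container-only and skipped."""
    out = []
    for m in PS_PORT_RE.finditer(column):
        ip = (m.group(1) or "0.0.0.0").strip("[]")
        out.append(Binding(ip, m.group(2), m.group(3), m.group(4)))
    return out


def public_bindings(bindings: list[Binding]) -> list[Binding]:
    """Bindings that answer on every interface of the host."""
    return [b for b in bindings if classify(b) == "public"]


if __name__ == "__main__":
    # Constructed inputs mirroring the issue: the shipped compose entries,
    # a hardened variant, and the `docker compose ps` Ports column.
    shipped = ["80:80", "443:443", "6320:6320"]
    hardened = ["80:80", "443:443", "127.0.0.1:6320:6320"]  # dashboard via loopback/VPN only
    for label, ports in (("shipped", shipped), ("hardened", hardened)):
        for b in map(parse_compose_port, ports):
            print(f"{label:9} {b.host_ip}:{b.host_port}->{b.container_port}/{b.proto}: {classify(b)}")
    observed = ("0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, "
                ":::443->443/tcp, 0.0.0.0:6320->6320/tcp, :::6320->6320/tcp")
    print("publicly reachable host ports:",
          sorted({b.host_port for b in public_bindings(parse_ps_ports(observed))}))
    # A compose file that uses ${BIND_ADDRESS} etc. must be rendered first so
    # the check sees real addresses:  docker compose config
```

Running it against the issue's own `docker compose ps` line reports 80, 443 and 6320 as public, and against a compose file that binds the dashboard to `127.0.0.1` it reports only 80 and 443. Because an unset `BIND_ADDRESS` would leave the port on the default wildcard, a templated compose file should be audited on the output of `docker compose config`, not on the raw file; the `unresolved` state exists so that an unexpanded variable is never silently counted as safe.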

Logs full

Hi,

The log keeps being full...

Is it normal?
