I am a security researcher referenced in the winning web-hacking technique on that list ("Dependency Confusion" by Alex Birsan [1]) and was ranked 7th in PortSwigger's 2019 issue [2,3]. My motto has always been "Learn to make it; then break it." In other words, I invest a lot of time familiarising myself with technologies and specifications before examining how their implementation might lead to security flaws. This process usually requires reading a lot of technical documentation and source code, and becoming acquainted with how organisations implement said technologies.
Once I feel comfortable with my understanding of the subject material, I start to think about how certain aspects of the technology could lead to security flaws or interesting areas of research. At times this may require out-of-the-box thinking or can even be the result of pure luck.
The "bug bounty" aspect of this all tends to come into play once I want to find case studies for my research.
I am the author of an Internet Draft (security.txt) that is going through a similar process to Mark Nottingham's RFC above, so I might be able to help.
The Internet Draft (ID) was presented at the DISPATCH meeting session at IETF 103 which includes some discussion at the end of the presentation: https://youtu.be/OAKv4Sc0jhM?t=1183. The "Informational" vs "Standards" track topic is actually brought up briefly here: https://youtu.be/OAKv4Sc0jhM?t=1660.
This is what the "safe harbor" that the author was referring to is supposed to cover.
> Tesla considers that a pre-approved, good-faith security researcher who complies with this policy to access a computer on a research-registered vehicle has not accessed a computer without authorization or exceeded authorized access under the Computer Fraud and Abuse Act ("CFAA"). [1]
This is a wonderful thing to see and I hope that more vendors will follow suit. Amit Elazari [1] has been doing some amazing work in this field advocating for legal safe harbours for security researchers. She posts regular reviews of security policies encouraging vendors to help protect security researchers using #legalbugbounty on Twitter. [2] In fact, it appears that Amit was responsible for some of the changes to Dropbox's security policy: https://twitter.com/d0nutptr/status/973322158351921152. Well done, Dropbox and Amit!
This sounds like something along the lines of password reset poisoning as described in James Kettle's technical write-up "Practical HTTP Host header attacks". [1]
Unfortunately, I cannot disclose any further details until GitLab give me permission to do so. All that I can say is that GitLab has certain features for custom domains that GitHub does not have. I plan on publishing a technical write-up once everything has been resolved.
Is this related to the issues recently discovered with the TLS-SNI-01 validation method for TLS certs?
Looking over how GitLab handles setting up custom domains[1], it's pretty clear they were affected by that. I thought it was pretty much decided that's more a problem with the Baseline Requirements than with individual service providers like GitLab though. Mozilla even went so far as to forbid CAs from using two of the Baseline Requirement validation methods as a result of that vulnerability[2]. Assuming the CAs comply this shouldn't be an issue anymore, right?
I am the security researcher that reported this issue to GitLab. There is more to the issue than is described in GitLab's security advisory and it was definitely a design flaw on GitLab's part. Hopefully, more details will be published soon.
[1]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60f...
[2]: https://portswigger.net/research/top-10-web-hacking-techniqu...
[3]: https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here...