Brewly - Worldwide Marketplace

I have some questions and apologize if these have been answered somewhat but would like some clarification on a few things.

I took a quick look at your website, and I somewhat applaud you for the simplicity, and lacking open-source 3rd party plugins which all seem to be vulnerable and give a foothold into your server.



Editing the form isn’t anything. That’s not an exploit or vulnerability. But that member does bring up an interesting point. How do you handle the session? Cookies? What are you doing to protect the customer from session hijacking?


A few questions here.
1.) How is your private key stored/protected? (You don’t have to go into detail here, but I am looking for some key words.)

2.) This is encryption at rest. Meaning if someone acquired physical access to your servers, popped it open and plugged the hard drives in, all they would see are random strings. I also see the website is using SSL, which protects in transit. Good. This leads me to my next question.

3.) Since you’re an “international marketplace” with vendors across the globe, how are you ensuring the end user/customer is connecting to a server location in which their country has 0 relation with?

4.) Non-compliant servers are fun. Can you go into detail here? How are you going to handle the snooping ISP upstream of the (I’m assuming) data center they are colocated in?



A bug/exploit bounty program? I kind of like that. In fact, many of the big tech companies out there do something similar. They don’t pay upfront; however, if you find something they will pay you for reporting it. I’ve done this once or twice (legally) to make a nice little bonus check. Most would rather sell it to a shadow broker...
"I took a quick look at your website, and I somewhat applaud you for the simplicity, and lacking open-source 3rd party plugins which all seem to be vulnerable and give a foothold into your server."

Much appreciated, really.

"Editing the form isn’t anything. That’s not an exploit or vulnerability."
Of course, I was just showing people how to fake an exploit. With regards to session management, it's all vanilla with how Laravel handles it. That's gonna be the source for nitty gritty answers on that question.

1-2. In response to the encryption questions, I think this information is best explained/found by looking into the framework itself: Laravel.

What gets saved to the DB is encrypted, yeah. And yeah, of course naturally we have SSL.

https://laravel.com/docs/8.x/encryption

3. Well our servers are hosted in countries where AAS is legal.

4. You've lost me here, but I'll see if I can get back to you with a more compelling answer. What I can tell you is your shipping information is encrypted and also can be manually deleted by you at any time. No snooping ISP can just grab this data, as you know, and that's what matters in reality. All that being said, general safety rules still apply. Users should still visit the site with a VPN and/or Tor, though I understand most won't.

And again the servers are in countries where data laws are very tolerant and AAS is legal.


Thanks. I really appreciate the non-accusatory tone and level-headed questions. I hope I've answered your questions to your satisfaction, or at least, directed you to the source of a better technical breakdown of the topics :)
 
@Brewly Can you post more specific terms of agreement for the bounty?

Does it only pay out if someone gets personal info?

There are many different malicious things that could be attempted besides getting private info, so some specifics will help prevent some drama and allow anyone attempting it to focus on your concerns.

Maybe even include specifics on how to collect, requirements, and so on.
 
The technical answers provided by brewly certainly haven't given me a boner. Getting keys is easier than picking a lock, so while encryption is great, the keys gotta be safe.

But as I mentioned above, bounty hunters don't need help collecting their bounties. @DirectBullet didn't have shit. It would've taken 20 mins max to confirm he had their db or a way to access orders. After the vuln was exposed, the bounty gets arranged before the know-how gets revealed.
Any legit bounty hunter would secure their bounty before revealing the technical details lol
 
@Brewly Can you post more specific terms of agreement for the bounty?

Does it only pay out if someone gets personal info?

There are many different malicious things that could be attempted besides getting private info, so some specifics will help prevent some drama and allow anyone attempting it to focus on your concerns.

Maybe even include specifics on how to collect, requirements, and so on.

The never-really-was-a-bounty bounty was taken off the table and repurposed into a fund for paying someone with mad computer skillz to come onboard and work for the crumbling Drooly empire.
 
The never-really-was-a-bounty bounty was taken off the table and repurposed into a fund for paying someone with mad computer skillz to come onboard and work for the crumbling Drooly empire.
Oh I know, but I'm still asking. As it stands he can still attempt his argument. Would be nice to either (A) have specifics he can't deny when it's really broken and we run his ass outta here, or (B) get paid.

I would never work for that, like that. 10 grand for a bounty is almost chump change. Big companies pay mad money because it's cheaper to pay a white hat hacker to help them fix it in private than to deal with it being made public and all the legal ramifications that will cost way more.
 
The technical answers provided by brewly certainly haven't given me a boner. Getting keys is easier than picking a lock, so while encryption is great, the keys gotta be safe.

But as I mentioned above, bounty hunters don't need help collecting their bounties. @DirectBullet didn't have shit. It would've taken 20 mins max to confirm he had their db or a way to access orders. After the vuln was exposed, the bounty gets arranged before the know-how gets revealed.
Any legit bounty hunter would secure their bounty before revealing the technical details lol

It doesn't work like that. Bounty hunters report the issue and then get paid, after the issue is reproduced and if it is considered in scope. For web security, most of the time you use an intermediary like HackerOne or Bugcrowd. Even if you are selling 0day exploits, you contact an intermediary which sells it to governments and companies. The same if you send a report to Google or Facebook. It's pocket change.

Brewly made $500 in one month. They take 5%, so they would need to sell $200,000 through their platform to get the money to pay the bounty. If it was 100%, zero expenses, and everything went to me. They don't even have a review. It's a shitty Minimum Viable Product, with conflicts of interest as a source is also an owner; of course they don't pony up 10k when they don't know if it's going to be successful.

They did a false 10k bounty and it backfired.

They confirmed the issue, solved it... I could very easily leak the data, but it wouldn't benefit anyone. They had very few orders, so either the guys aren't members or decided to get some cheap tits from their provider.
 
It doesn't work like that. Bounty hunters report the issue and then get paid, after the issue is reproduced and if it is considered in scope. For web security, most of the time you use an intermediary like HackerOne or Bugcrowd. Even if you are selling 0day exploits, you contact an intermediary which sells it to governments and companies. The same if you send a report to Google or Facebook. It's pocket change.

Correct. I have never received payment for an exploit without doing a proper white paper on it and providing it to the client for review and confirmation. Only then have I been paid. Typically weeks after.
Brewly made $500 in one month. They take 5%, so they would need to sell $200,000 through their platform to get the money to pay the bounty. If it was 100%, zero expenses, and everything went to me. They don't even have a review. It's a shitty Minimum Viable Product, with conflicts of interest as a source is also an owner; of course they don't pony up 10k when they don't know if it's going to be successful.
I see your point. But you don’t know how much they potentially have invested outside of sales. You can’t conclude they can’t pay a bounty based off the current revenue. I’ve been burned a few times by coming forward with a bounty for bigger companies, and having the platform resolve said issue and ghost me. It’s the nature of the volatile career. Some look at it as extortion while others are glad to pay for the resolution.
 
Correct. I have never received payment for an exploit without doing a proper white paper on it and providing it to the client for review and confirmation. Only then have I been paid. Typically weeks after.

I see your point. But you don’t know how much they potentially have invested outside of sales. You can’t conclude they can’t pay a bounty based off the current revenue. I’ve been burned a few times by coming forward with a bounty for bigger companies, and having the platform resolve said issue and ghost me. It’s the nature of the volatile career. Some look at it as extortion while others are glad to pay for the resolution.

I have been burned too, but for already reported issues. I know 10k isn't that much; I've been paid several times that. Only report issues to companies that have bounties; doing otherwise is looking for problems with law enforcement. For me it's a side gig rather than a full-time job.

Now that we talked. Why would I come here to spit nonsense regarding not being paid?

I believe Brewly is a single developer and then DO. They got cocky, should have taken a zero out of the bounty.. Building that website is an easy CRUD site with btcserver to process payments.
 
The technical answers provided by brewly certainly haven't given me a boner. Getting keys is easier than picking a lock, so while encryption is great, the keys gotta be safe.

But as I mentioned above, bounty hunters don't need help collecting their bounties. @DirectBullet didn't have shit. It would've taken 20 mins max to confirm he had their db or a way to access orders. After the vuln was exposed, the bounty gets arranged before the know-how gets revealed.
Any legit bounty hunter would secure their bounty before revealing the technical details lol
"Getting keys is easier than picking a lock"
? You need direct access to the server. I don't see how you get this easily.
 
Drooly has a nice ring to it


It suits you well.
 
Don't revive this thread, he already had to bump it twice at different hours to get an answer.
This shitty project is dead.

Literally just saw this and am thinking wtf? First question: so who's responsible when someone finds a floater? The vendor or brewly? lol Is this just an easy way for vendors to avoid the intro process?
 
Literally just saw this and am thinking wtf? First question: so who's responsible when someone finds a floater? The vendor or brewly? lol Is this just an easy way for vendors to avoid the intro process?
We can hold a vendor's withdrawals/payouts in this case, then we compensate affected buyers.

As for what happens to the vendor. It'd be on a case by case basis. But a temporary or even prolonged suspension is not out of the question.

It's not that wild of an idea guys. It's like a DNM but instead of narcotics, it's gear. One place for everything you need kind of deal. You can order from multiple vendors, you only pay once, and you can find updates for all your orders easily in the dashboard. Your reviews also have a direct impact on a vendor's ranking/visibility, giving customers a lot more power.
 
Made a small order from pharmahgh through brewly on Friday. Received my order today.
 

We can hold a vendor's withdrawals/payouts in this case, then we compensate affected buyers.

As for what happens to the vendor. It'd be on a case by case basis. But a temporary or even prolonged suspension is not out of the question.

It's not that wild of an idea guys. It's like a DNM but instead of narcotics, it's gear. One place for everything you need kind of deal. You can order from multiple vendors, you only pay once, and you can find updates for all your orders easily in the dashboard. Your reviews also have a direct impact on a vendor's ranking/visibility, giving customers a lot more power.
Okay, well that is refreshing to hear, and thank you. There are some UGLs I have never heard of, so I am assuming there will be ratings soon?
 
I'm on the fence about this site, I get what you're trying to do, but I'm not sure if it's a good idea. Time will tell I guess.

With that said, you should put the "about" pages of each vendor on top of the vendor's main page.
Now it looks lost/hidden and having it in the menu makes it look like it's brewly's about page.
More gear images would be nice too, higher res preferably.

Good luck anyways.
 