Exploiting Vulnerabilities in a TLD Registrar to Takeover Tether, Google, and Amazon

If you were to compromise these sites, you could theoretically access the systems used to manage every domain under the TLD, which would be very, very, very bad. As of now, I don’t feel that these TLDs are getting adequate attention, and many other TLDs may suffer from the same issues as the “.to” TLD.


There are some programs, however, which will simply honor the impact and pay out for vulnerabilities in third-party assets or things like TLDs. Additionally, some platforms like HackerOne offer “The Internet Bug Bounty” program, which pays for vulnerabilities in projects like Nginx, Django, Ruby, and Rails, but these are a long way from covering the entire ecosystem.


The bottom line is that there are over 1,500 different TLDs, many of which have their own custom DNS registrar websites. Many do have bug bounty or vulnerability disclosure policies, but as a researcher trying to play by the rules, are the incentives really there to hack them, and will they even let you?


Credit and Disclosure Timeline


This vulnerability and writeup was a collaboration between the following:


The vulnerability disclosure timeline was as follows:


October 8th, 20:00 CEST: Vulnerability discovered and reported
October 9th, 19:00 CEST: Contact with Tether and Tonic regarding bug
October 9th, 20:00 CEST: Vulnerability fix attempt #1 by Tonic
October 9th, 20:30 CEST: Vulnerability fixed by Tonic, fix confirmed


