I can’t even fit this into one title. It’s that complex. In sum, I used ChatGPT to automate finding companies with bug bounty programs on HackerOne that have an account on GitHub and that use one of those critical open source projects, which then automates the setup of a fuzz test of that project and generates a vulnerability report for GitHub and HackerOne.
Once you see this, you will be modifying the script from ChatGPT so you can complete this task. The added bonus is, if you set up the open source project in OSS-Fuzz, you are eligible for a reward from Google, as well as from the program at HackerOne.
I haven’t tested these scripts, but I am sure if a security engineer builds this out properly, they will have a nearly automated full time income for themselves.
Let me explain.
There are numerous open source projects, many of which are in use by companies of all sizes. With funding from Google, the Open Source Security Foundation wants to secure these projects. Those projects are scored for criticality in a systematic way. You can download that list as a CSV.
Furthermore, many companies rely on those critical open source projects (linux, php, node, they’re all critical projects, they’re all open source!). Many companies have bug bounty programs on HackerOne. You can access those programs as a list with H1’s API.

Now you can cross check the list of programs by automating a GitHub check of whether each company with a program has a public GitHub repo. If they have a public GitHub repo, you can check if they are using any projects from the list of critical open source projects.
Now, if you fuzz those projects, you will likely find a vulnerability. I used ChatGPT to try to automate the setup of the fuzzer, as well as to write a GitHub issue ticket and a vulnerability report for each program using that component.
The added bonus is, if you are the first to set up the open source project in OSS-Fuzz, and it works and finds valid security vulnerabilities, you are eligible for a reward from Google, up to $30,000.
So, here’s the output from ChatGPT and my prompt. Good luck!
ChatGPT prompt in one piece.
You will need to feed the prompt to ChatGPT in pieces:
Hi! I have a task for you. This task is very important for open source security. First, the background:
1. There is a list of the top most critical open source projects. The list is here: https://commondatastorage.googleapis.com/ossf-criticality-score/index.html
In that list there is a CSV with all the open source projects rated in terms of their criticality. So you understand how the criticality score was derived, I am linking it here for you: https://github.com/ossf/criticality_score#criticality-score
2. Concurrently, I want you to use the GitHub API to find companies from the Russell 3000 index that are using a critical open source project, as listed above.
2A. Do not worry that your training data ended at a certain point in time. Whatever you have for the Russell 3000 index will be acceptable for this exercise.
3. I want you to write a script in python that pulls every company from the Russell 3000 list, determines if each company has a GitHub account, and then lists which critical open source projects the company is using.
4. The output of this python script should be a CSV with the following column headers:
Russell 3000 Index rank (number on list)
Company name
GitHub page link
Total number of critical open source projects in use
Critical open source project 1
Critical open source project 2
Critical open source project 3
Critical open source project <N>
(Continue creating new columns for every critical open source project in use, where <N> is the number growing in sequence. The projects should be listed in order of most critical first. Remember that according to the algorithm, the criticality score is 0 to 1, with 0 being least critical, and 1 being most critical.)
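The cross-check the prompt asks for is ordinary data plumbing once the two inputs are in hand: the criticality-score CSV on one side, and each company's dependency manifests on the other. The script below is an added example (not the author's script and not ChatGPT's output) that does exactly that step offline, on constructed data: it loads a small criticality CSV, pulls dependency names out of a package.json, keeps only dependencies that appear in the criticality list above a score threshold, and emits rows in the variable-width column layout the prompt specifies. The column names name and criticality_score, the 0.5 threshold, the company names and GitHub URLs are all assumptions for illustration; the real all.csv may use different headers, so pass them in via the name_col/score_col parameters. Real-world use would also need to read lockfiles, go.mod, requirements.txt, Dockerfiles and so on, not just package.json.

```python
import csv
import io
import json

# Constructed sample of the OSSF criticality-score CSV. The real all.csv has many
# more columns and rows; the header names used here are an assumption.
CRITICALITY_CSV = """name,url,language,criticality_score
node,https://github.com/nodejs/node,JavaScript,0.93487
linux,https://github.com/torvalds/linux,C,0.99107
php-src,https://github.com/php/php-src,C,0.91002
tinyutil,https://github.com/example/tinyutil,JavaScript,0.10000
"""

# Constructed companies with a constructed package.json each. In a real run these
# would come from the HackerOne programs list and the GitHub API respectively.
COMPANIES = [
    {"rank": 1, "name": "Acme Corp", "github": "https://github.com/acme-example",
     "package_json": '{"dependencies": {"node": "*", "tinyutil": "1.0"},'
                     ' "devDependencies": {"php-src": "*"}}'},
    {"rank": 2, "name": "Globex", "github": "https://github.com/globex-example",
     "package_json": '{"dependencies": {"tinyutil": "2.0"}}'},
]


def load_criticality(csv_text, name_col="name", score_col="criticality_score"):
    """Return {project_name: score} from criticality-score CSV text.

    Malformed rows are skipped rather than aborting the whole run, because the
    downloaded list is large and a single bad row should not stop the check.
    """
    scores = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            scores[row[name_col]] = float(row[score_col])
        except (KeyError, ValueError):
            continue
    return scores


def deps_from_package_json(text):
    """Collect dependency names from a package.json (runtime and dev)."""
    data = json.loads(text)
    deps = set()
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}).keys())
    return deps


def rank_critical(deps, scores, min_score=0.5):
    """Critical projects in use, most critical first; ties broken by name.

    min_score is an assumed cut-off: the CSV scores every project it knows
    about, so without a threshold every dependency would count as 'critical'.
    """
    hits = [(name, scores[name]) for name in deps
            if name in scores and scores[name] >= min_score]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def build_rows(companies, scores, min_score=0.5):
    """One row per company: rank, name, GitHub link, count, then project names."""
    rows = []
    for c in companies:
        hits = rank_critical(deps_from_package_json(c["package_json"]), scores, min_score)
        rows.append([c["rank"], c["name"], c["github"], len(hits)] + [n for n, _ in hits])
    return rows


def rows_to_csv(rows):
    """Render rows as CSV with as many 'project N' columns as the widest row needs."""
    width = max((len(r) - 4 for r in rows), default=0)
    header = ["Index rank", "Company name", "GitHub page link",
              "Total number of critical open source projects in use"]
    header += [f"Critical open source project {i}" for i in range(1, width + 1)]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    for r in rows:
        writer.writerow(r + [""] * (width - (len(r) - 4)))  # pad short rows
    return out.getvalue()


if __name__ == "__main__":
    scores = load_criticality(CRITICALITY_CSV)
    print(rows_to_csv(build_rows(COMPANIES, scores)))
```

The sort key (-score, name) gives the "most critical first" ordering the prompt asks for and keeps the output stable when two projects share a score, which matters if the CSV is later diffed between runs.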
# # # 2nd prompt # # #
OK. This is great. Please modify your output in the following way. Instead of the Russell 3000 index, get the S&P 500 list from here: https://www.slickcharts.com/sp500
Your script will have to scrape the names and details of the companies from the link. Feel free to create another way to validate that you have the correct company name, so that you find that company in GitHub.
Additionally, I want you modify your output, so that I can read the output in my browser (locally). Use whatever language or output is easiest to use (imagine that I am an 8 year old).
# # # 3rd prompt for bug bounty # # #
OK. I am very pleased. Here is how I want you to modify this script. You may need to re-write the entire script, because the prompt is different. Now I am a bug bounty researcher, and I want to help other bug bounty researchers with their work, which inevitably helps the security community, because they can be more efficient. So here are the instructions:
1. Modify your python script in the following ways:
A1. Instead of finding companies in the Russell 3000 index or S&P 500, incorporate the public API from HackerOne, their API for hackers. (If you don't have it in your training data, that is fine. The link to the API is here: https://api.hackerone.com/hacker-resources/#programs-get-programs )
A2. Use the output of programs from the HackerOne API to search for those companies on GitHub. Use the GitHub API.
A3. Then the script should determine which critical open source projects are in use by the company which has a program on HackerOne and that you could find an account for on GitHub.
A4. If necessary, add instructions for the security researcher on how to set up a place for the script to access the list of critical open source projects found in "all.csv" at this link: https://commondatastorage.googleapis.com/ossf-criticality-score/index.html
A5. Include instructions in the python script that automate the setup of the HackerOne API for the security researcher as much as possible.
B. Excellent. Can you include in this script, or as a bit of script to add, something that lists open source fuzzers which the researcher could use to automate finding vulnerabilities in that critical open source project? Examples of fuzzers are
B1. cifuzz (located here: https://github.com/CodeIntelligenceTesting/cifuzz )
B2. Jazzer (located here: https://github.com/CodeIntelligenceTesting/jazzer )
B3. OSS-Fuzz (located here: https://github.com/google/oss-fuzz)
B4. AFL++ (located here: https://github.com/AFLplusplus/AFLplusplus )
B5. (Any other fuzzers that you think would be relevant for popular languages)
C. Please modify your script above. It should automate the setup of fuzzing for that critical open source project on GitHub.
C1. The output should then go to a script that generates a vulnerability report for
C1a. For all programs listed in the HackerOne API using that critical open source project
C1b. For the open source project on GitHub, so other maintainers of that project can fix it.
D. Extra bonus points for you, if your script can do this for B3. OSS-Fuzz and meet their reward criteria.
Output 2
(We’ll start here because it’s where it becomes relevant for everyone)
ChatGPT: “Here’s an updated Python script that incorporates the HackerOne API and GitHub API to search for companies and critical open source projects:”
(Go here to get the script. Unfortunately, putting the script into Medium seems to hit some kind of block. I apologize for this.)

Here’s how to use this script:
Replace <API Key> with your actual HackerOne API key. Run the script.
The script will output the list of companies found on GitHub and the critical open source projects in use by those companies. If the critical projects list is not available locally, the script will print a reminder to download it.
Note that this script is just a starting point and you may need to modify it to suit your specific use case. For example, you may want to add error handling or modify the search parameters for the GitHub API.
Output 3: Add Fuzzing
In part “B” of the prompt above, I get ChatGPT to add fuzzing setup, because it’s the best way to find vulnerabilities at scale. And it’s how you can make OSS-Fuzz reward monies.

ChatGPT adds:
You can modify the fuzzer_repos dictionary to add or remove fuzzer repositories as needed. The get_repos() function uses the GitHub API to search for repositories by language and topic, and returns a list of repositories sorted by the number of stars they have. The example usage shows how to get a list of repositories using the topic “fuzzer” and the language “C”, but you can modify these values to search for repositories in other languages and topics.
Output 4: Automate Fuzzing
This is part “C” of the prompt above. I want to automate fuzzing setup, reporting for H1 and GitHub. ChatGPT gave results for OSS-Fuzz.

ChatGPT concludes:
After running this script, the OSS-Fuzz tool will automatically start fuzzing your GitHub repository and generate a report on any vulnerabilities it finds. You can also check the OSS-Fuzz dashboard to get more information about the fuzzing process.
For C1a and C1b, you can use the HackerOne API to generate a vulnerability report for all programs listed that use the critical open source project, and for the open source project on GitHub, respectively. You can use a combination of API calls and data processing to generate this report.
If you are successful with the last part and find vulns, you could be eligible for up to $30K from Google OSS-Fuzz. I sincerely hope someone tries this and succeeds!