[Image: "death threats for bug bounties"] (https://myasides.com/bug-bounty-programs/)
So occasionally I get into it on Twitter with the bug bounties crowd, and they call me a hater. But mostly what I hate is the hype around bug bounties... which is considerable. If you've been dipping your toe into the policy world you can't avoid it, but even from outside there you get to see the DoD launch a bug bounties program (at INFILTRATE, no less!). And of course Mark Litchfield and a handful of other people have invested heavily in it as a lifestyle. :)

But it's fun to look at where the real inefficiencies are in penetration testing - and it's not in project management or the salaries of the penetration testers or the validation overhead. It's largely in the scoping process, which has less information available for both parties. There's possibly a bit in the reporting, which is why every bug bounty system normalizes that with a web app, but in many cases this results in losing the value of the subjective strategic analysis a penetration tester has done.

Probably the most interesting thing about bug bounties has nothing to do with finances (which I think don't favor bug bounties at all once you look at it in depth), or the continual stream of CSRF bugs you're going to get in your inbox, but how you can build a whole community of people who CAN hack, but never have. It's simultaneous evolution at work and it's totally fascinating. Is there anyone in P0 who has never had a shell on a box they weren't supposed to (or written exploits for that purpose)?

-dave
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
