[Dailydave] Bug Bounties

dave aitel dave at immunityinc.com
Wed Feb 8 09:39:54 EST 2017


<death threats for bug bounties image>
(https://myasides.com/bug-bounty-programs/)

So occasionally I get into it on Twitter with the bug bounties crowd,
and they call me a hater. But mostly what I hate is the hype around bug
bounties... which is considerable. If you've been dipping your toe
into the policy world you can't avoid it, but even from outside there
you get to see the DoD launch a bug bounties program (at INFILTRATE no
less!). And of course Mark Litchfield and a handful of other people have
invested heavily in it as a lifestyle. :)

But it's fun to look at where the real inefficiencies are in penetration
testing - and it's not in project management or the salaries of the
penetration testers or the validation overhead. It's largely in the
scoping process, which has less information available for both parties.
There's possibly a bit in the reporting, which is why every bug bounty
system normalizes that with a web app, but in many cases this results in
losing the value of the subjective strategic analysis a penetration
tester has done.

Probably the most interesting thing about bug bounties has nothing to do
with finances (which I think don't favor bug bounties at all once you
look at it in depth), or the continual stream of CSRF bugs you're going
to get in your inbox, but how you can build a whole community of people
who CAN hack, but never have. It's simultaneous evolution at work and
it's totally fascinating. Is there anyone in P0 who has never had a
shell on a box they weren't supposed to (or written exploits for that
purpose)?

-dave