<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
[image: "death threats for bug bounties" meme]<br>
(<a href="https://myasides.com/bug-bounty-programs/">https://myasides.com/bug-bounty-programs/</a>)<br>
<br>
So occasionally I get into it on Twitter with the bug bounties
crowd, and they call me a hater. But mostly what I hate is the hype
around bug bounties... which is considerable. If you've been
dipping your toe into the policy world you can't avoid it, but even
from outside there you get to see the DoD launch a bug bounties
program (at INFILTRATE no less!). And of course Mark Litchfield and
a handful of other people have invested heavily in it as a
lifestyle. :)<br>
<br>
But it's fun to look at where the real inefficiencies are in
penetration testing - and it's not in project management or the
salaries of the penetration testers or the validation overhead. It's
largely in the scoping process, which has less information available
for both parties. There's possibly a bit in the reporting, which is
why every bug bounty system normalizes that with a web app, but in
many cases this results in losing the value of the subjective
strategic analysis a penetration tester has done.<br>
<br>
Probably the most interesting thing about bug bounties has nothing
to do with finances (which I think don't favor bug bounties at all
once you look at it in depth), or the continual stream of CSRF bugs
you're going to get in your inbox, but how you can build a whole
community of people who CAN hack, but never have. It's simultaneous
evolution at work and it's totally fascinating. Is there anyone in
P0 who has never had a shell on a box they weren't supposed to (or
written exploits for that purpose)? <br>
<br>
-dave<br>
</body>
</html>