In our recently published report on the bug hunting community, we asked all kinds of bug hunters what motivates them to participate in bug bounties, and how they decide what programs to participate in. Amongst several of the groups identified in the report, time was a huge factor. With a full-time job, family and a social life, how does one fit bug bounty hunting into their busy schedule?
Over the past four years that we've been helping organizations connect with the world's top security talent to run crowdsourced security programs, a lot has changed. In our recent State of Bug Bounty Report, we examine that change with evidence that more traditional organizations are adopting the bug bounty model, that more private programs are being run, and so on.
The crux of that change, however, lies in the community. Whether you call them hackers, bug hunters, or security researchers, they make the bug bounty world go 'round. As this niche grows and evolves from the small group it once was, it is becoming more nuanced, and the motivations of bug hunters vary widely.
Follow Vishnu on Twitter: @Vishnu_dfx
Now that we've rested our feet, drank some water, and adjusted from the Las Vegas time warp, we thought we'd give a brief recap of our week. In the six days we spent boots down in Vegas, we caught some great talks with some of our favorite people, threw, sponsored and attended awesome events, and as always, met amazing folks from the InfoSec community.
Putsi is #38 on the community leaderboard, with a 97.14% acceptance rate and an average bug priority of 3. Putsi just recently entered the top 40 on Bugcrowd and has had success with many private and public bounty programs on the platform.
Read below for our interview with Putsi and make sure to follow @Putsi on Twitter.
Nikaiw is #58 on the community leaderboard, with a 96.88% acceptance rate and an average bug priority of 2.37. Nikaiw has been on Bugcrowd for less than 6 months and in that time he's found 31 valid vulnerabilities, 10 of them P1s.
Read below for our interview with Nikaiw and make sure to follow @Nikaiw on Twitter.
For me, one of the most enjoyable aspects of the security industry is the security community. The relationships I've been fortunate enough to build over the past couple of years have made this job very rewarding and, of course, a ton of fun. I recently had the chance to record a podcast discussion with Frans Rosen, founder of Detectify and active bug bounty hunter, about our experiences in the security community:
Fuzzybear is #43 on the community leaderboard, with a 100% acceptance rate and an average bug priority of 2.55. In the short time he's been on Bugcrowd and in bug bounties he has done quite well, successfully finding 65 bugs on Bugcrowd bug bounties, most of them through private bug bounty programs. He also has one of my favorite usernames in the community!
Read below for our interview with Fuzzybear, where he shares some great practical advice for researchers.
This week’s Researcher Spotlight is on Mico! Mico ranks #5 on Bugcrowd’s leaderboard with over 1926 kudos points, 266 bugs found, a 91% acceptance rate and an average bug priority of 2.92. In a relatively short period of time we’ve seen Mico climb his way up the charts. Mico can be found on Bugcrowd and you can follow him on Twitter at @bugtest0101.
Take us back to your early days, what got you started with technology?
This post was contributed by Frans Rosen, Bug Bounty Hunter and Knowledge Advisor at Detectify
TLDR: Sometimes you just need to spend a couple of months to exploit an XSS with a hygiene product.
For a couple of months this specific bug was on my "check later" list. I later reported it to the company running a private bug bounty. I had been messing with it back and forth and was never able to do something that actually made sense, and as soon as I had some progress, a new obstacle came crashing into my face. After a few months of returning to the same endpoint, I was finally able to create a PoC to show that a security issue was present.
It's a freaking XSS, but hey, the story is what counts, right..? :)