Hacker-Powered Security
Show notes
If anyone ever wants to ask Ben any questions about bug hunting or bug bounty programs, you're always welcome to reach out to Ben at @NahamSec, https://nahamsec.com/ and on his Discord.
Key topics on Access Control Podcast: Episode 7 - Hacker-Powered Security
- Bug bounty programs and vuln disclosure programs are similar, except the first pays and the second doesn't.
- The scope of bounty programs usually covers a company's main application, where the production sites run. What is out of scope is mostly third parties.
- Rules of engagement depend on the bug bounty program and the company.
- Some programs pay for credential stuffing, but not for phishing since companies don't want you to phish their employees and customers.
- How much hackers are paid in a bug bounty program is entirely up to the company and depends on its budget.
- Determining the bug severity level depends on a combination of the vuln type, how critical it is, and the asset itself.
- Hackers care more about how fast they get paid than about how quickly the company fixes the issue.
- A bug bounty program doesn't make you a bigger target.
- Building a public bug bounty program depends on the product and size of the company.
- Improve input validation to reduce the number of bugs created.