Hacker-Powered Security

Show notes

If anyone wants to ask Ben questions about bug hunting or bug bounty programs, you are always welcome to reach out to him at @NahamSec, https://nahamsec.com/ and on his Discord.

Key topics on Access Control Podcast: Episode 7 - Hacker-Powered Security

  • Bug bounty programs and vulnerability disclosure programs are similar, except that the first pays for valid reports and the second does not.
  • The scope of a bounty program usually covers a company's main application, the production sites customers actually use. What is out of scope is mostly third-party services.
  • Rules of engagement depend on the bug bounty program and the company running it.
  • Some programs pay for credential stuffing findings, but not for phishing, since companies don't want you phishing their employees and customers.
  • How much hackers are paid in a bug bounty program is entirely up to the company and depends on its budget.
  • The severity assigned to a bug depends on a combination of the vulnerability type, how critical it is, and the asset it affects.
  • Hackers care more about how fast they get paid than about how quickly the company fixes the issue.
  • A bug bounty program doesn't make you a bigger target.
  • Whether to build a public bug bounty program depends on the product and the size of the company.
  • Improving input validation reduces the number of bugs introduced in the first place.
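The last point deserves a concrete illustration. The following is an added example, not code from the episode or from Ben's projects, showing the kind of allowlist-based input validation that removes whole classes of bug bounty findings at the source. The hostnames (app.example.com, evil.example) and the three validators are hypothetical; the contrast between the weak blocklist check and the hardened allowlist check is the point.

```python
import re
from urllib.parse import urlsplit

# Allowlist for usernames: only the characters the application actually needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

# Hosts this hypothetical application is willing to redirect users to (assumption).
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def is_valid_username(value) -> bool:
    """Allowlist check: accept exactly what the schema needs, reject everything else."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def is_safe_redirect_blocklist(target: str) -> bool:
    """The weak version: a blocklist of one known-bad prefix.

    Kept here only for contrast; it lets protocol-relative URLs such as
    //evil.example/ and javascript: URLs straight through.
    """
    return not target.startswith("http://evil.example")


def is_safe_redirect(target) -> bool:
    """Hardened version: parse the target and compare against an allowlist.

    Accepts either a plain relative path on our own origin or an https URL
    whose host is explicitly allowed. Everything else is rejected, including
    backslashes and control characters that browsers and parsers disagree on.
    """
    if not isinstance(target, str) or not target:
        return False
    if "\\" in target or any(c in target for c in "\r\n\x00"):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with a single "/" (a leading "//" would be
        # a protocol-relative URL to another host).
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: require https and an allowlisted host. urlsplit().hostname
    # strips userinfo, so "https://app.example.com@evil.example/" yields
    # "evil.example" and is rejected.
    return parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS


def parse_page_size(raw, default: int = 20, maximum: int = 100) -> int:
    """Bounded integer parsing: no negative sizes, no oversized allocations."""
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]{1,4}", raw) is None:
        return default
    value = int(raw)
    if value < 1:
        return default
    return min(value, maximum)


if __name__ == "__main__":
    # Constructed sample inputs a bug hunter would typically try.
    for candidate in ("/account", "//evil.example/phish",
                      "https://app.example.com/home", "javascript:alert(1)"):
        print(f"{candidate!r:40} blocklist={is_safe_redirect_blocklist(candidate)} "
              f"allowlist={is_safe_redirect(candidate)}")
```

The allowlist approach generalises: decide what a field is allowed to contain (a regex, a parsed structure, a numeric range) and reject anything outside it, rather than trying to enumerate every malicious shape an attacker might send.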
