shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.

#bugbounty


🪲 New Security Communication Drill: The Bug Bounty Researcher's Perspective

Join us tomorrow for an interactive security communication drill that flips the script on traditional security exercises. Instead of focusing on the vendor side, we'll put participants in the shoes of security researchers navigating the challenges of vulnerability disclosure.

This hands-on scenario will challenge you to:

🐛 Navigate security assessments with limited visibility into internal architectures

🐞 Build credibility when you have less system context than internal teams

🐛 Communicate effectively through multi-layered teams (triage vendors vs. security engineers)

🐞 Balance respect for internal expertise while confidently advocating for your findings

🐛 Manage disclosure expectations under tight time constraints

🐞 Push for security improvements without full visibility into compensating controls

Whether you're a security researcher, bug bounty program manager, or security engineer, this drill offers valuable insights into improving communications in the vulnerability disclosure process from both sides.

🗓️ Date: Wednesday, April 23
🕰️ Time: 12pm ET
🗺️ Location: Discernible Drills Slack

🔥 Subscribe to Join: DiscernibleInc.com/drills

Imagine a hacker who not only exploited zero-days to breach over 600 organizations but also played the hero by patching vulnerabilities for Microsoft. How does one person walk the line between cybercrime and cybersecurity?

thedefendopsdiaries.com/decryp

#cybersecurity
#encrypthub
#bugbounty
#ethicalhacking
#cybercrime

The DefendOps Diaries · Decrypting EncryptHub: A Cybersecurity Enigma, by Alex Cipher

world's least serious #bugbounty program used to protect one of the world's largest and most easily stolen piles of assets is a great case of "show me the incentives and i'll show you the outcomes".

whoever just stole $1.4 billion in crypto could have instead collected... $4,000 for reporting a vulnerability.

for comparison Apple and Google offer bug bounties in the $1 million+ range for compromising a phone.

this is not a serious industry.

I've just published my first article on my security research; starting things off light with a fun little content injection. :)

(This also happens to be the debut of a basic site generator I whipped up in Lua — long live the #IndieWeb, long live static HTML!)

bm.gy/qrinj

Bálint Magyar: Text injection but make it spicy: Rendering QR codes with Unicode block characters

💸 Earlier this year, #google's Patch Rewards Program rewarded me with a generous $5k #bugbounty for fixing a denial-of-service vector in #golang's most popular third-party CORS middleware library: rs/cors. I only had to port the implementation from my own library; a one-hour job. 😉

github.com/google/bughunters/b

GitHub: bughunters/patch-rewards-program/rewarded-patches/rs/cors/336848281.md at main · google/bughunters

Here's my #introduction long overdue!

Hi! I'm a software engineer during the day and #music #math #planners #stationery nerd during after hours :D

My interests:

- I play the guitar, now I'm moving to playing the bass guitar.
- #emacs and #orgmode. #lisp is growing on me.
- #machinelearning and #jupyter in general
- #statistics
- Mostly #manga nowadays and some #anime. And then I started to learn Japanese as a result.
- #drawing
- Recently got into #lockpicking and #locksport. Tried my hand at #bugbounty in the beginning of last year.
- #cooking
- #fashion
- #chess

I'm a big fan of #irc and #rss feeds as well. I like using Matrix too btw.

A company appears to be abusing #BugCrowd’s #bugbounty program to hide essential details of a critical vulnerability. The company itself has rated the vulnerability as low severity. This has led many to disregard the vulnerability, which may have resulted in unpatched systems that remain vulnerable.

"I would like to remind you that as a researcher using the BugCrowd platform to submit this issue you are bound by the BugCrowd standard disclosure terms and you may not blog or disclose any information on the exploitation of this vulnerability."

If I were to follow these rules, it would mean that countless client systems could remain vulnerable to this critical vulnerability.

I’ve mostly had good experiences with bug bounty programs before this incident. Sure, I’ve had some disagreements at times, but I’ve never seen a program being abused like this before.


@lunch And since you have no #facts nor #evidence nor #documentation for any of your claims re: #Monero being insecure, you're the one huffing #copium and fleeing the questions like a coward.

  • But hey, only you can ram your #reputation into the ground like that, cuz if any of your FUD was true, you'd not waste everyones' time, traffic and storage but instead already cashout a big-ass #BugBounty if not multiple ones for it...

Feel free to #FUD harder but that doesn't change the facts...

lunchy (@lunch@tilde.zone): @kkarhan@infosec.space please stop coping

Just a reminder: with those bug bounty platforms like Bugcrowd, HackerOne or whatever, as a security researcher you are not their customer, you are the product.

If there is a conflict they will tend to side with their customer, meaning the company running the bug bounty program. Good luck proving that you have a right to disclose that vulnerability. They will pressure you into not disclosing as long as the company is opposed. So if you still want to decide anything it’s better not to grow too attached to that account because it will be used as leverage against you.

And they will try very hard to filter reports before these reach the company. If your report is more difficult to understand than the typical report for this program – good luck reaching the company, you’ll need it. It’s very likely that your report will be closed as “out of scope” with all appeals falling on deaf ears. The bug bounty platforms are paid for filtering, not for letting reports through just because they have doubts about them. You might need to think about other ways to reach the people actually in charge.