Profile picture
Heat Miser 🙄 @H_Miser
, 16 tweets, 2 min read Read on Twitter
I keep seeing all these tweets about bug bounties I can’t bear them anymore... I don’t like at all what bug bounties are becoming !
From my point of view, bug bounty is a way to tell researchers that your are mature enough and intelligent enough to receive alerts about vulnerabilities on your system.
It says “don’t worry you won’t be sued and we will award you if your findings are cool enough” and it’s also a way to protect the company by setting up limits and rules for these guys !
But what is bug bounty now ? Mostly a few guys spending their week end and nights finding every vulnerability they can ! Not only cool vulns or interesting one. They’re doing it in a batch way !
So what’s the goal ? Being ranked in the top 10 bug hunters. Based on what ? Money or total bugs found. It sucks !
Most of the bug bounties companies also ask their hunter to tweet about their rewards, proposing them another bounty for that...
Some IT security firms also ask their experts to spend some time on bug bounties when they’re not working for an official client.
We see also some hunters bragging about the bounties they earned, even looking for techniques to avoid to pay taxes on them.
Some of them also keep secret some vulns they use every time, or they report them to their client but not to the editor (if applicable)
All this sucks. Bug bounty programs are not pentests. Most of the companies I know are not mature enough to manage that or don’t have a dedicated team to do that.
Most of the companies must start by giving more credits to their internal security teams and allow them to be visible and reachable DIRECTLY (not via a communication team) by anyone !
If you do not trust your internal team and allow some random external guy doing some research it’s a pretty bad signal you’re sending here.
If you agree to pay a few K for an Xss It’s a pretty bad signal too (for internal team or pentest contractors)
To conclude bug bounties programs are great but use them correctly, you don’t need one because everyone are talking about it.
And dear bug hunters, please remind humble for god sake! It’s not because your findings are more visible than those you find during a standard pentest you must start bragging about them (and hint, some of your “clients” may read it and dislike it).
(0h gosh I do need an edit button now... my phone and my brain did some pretty ugly mistakes in this thread)
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Heat Miser 🙄
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
Keep seeing these arguments that Tuesday was a rebuke to progressive candidates. I don't see any way to read it that way except for being incredibly facile. It turns out that Democrats--progressive or moderate--have a hard time getting elected in right-wing districts. Who knew!
The only thing that might be challenged by this result is the idea, which does exist on the left, that really economically leftist Democrats can pull in right-wing voters on a populist message. Probably that's not going to work anymore, if it ever did.
What I fail to see is the idea that there is a desire for moderate candidates instead of progressive candidates. I don't think the vast majority of voters are looking at anything else but the political party when they make their choice. So might as well nominated progressives.
Read 3 tweets
Profile picture
Keep seeing this ‘No Arrest No Prosecution’ thing, by people who don’t really care for the truth. One of biggest myths of 2018. In every one of these States people have been arrested & are being prosecuted. One example: Zamfara, 117 arrests: google.com/amp/s/www.vang…

A #Thread
I think the starting point for commentary like this is to say that no death of any Nigerian at the hands of bandits & criminals is acceptable or justifiable. Even a single death is one too many. And one of the primary responsibilities of any Govt is security. That’s not in doubt.
So, this matter of ‘No Arrests No Prosecutions.’ It’s very far from true. The simplest of Google searches puts the lie to it.Also the Police regularly put out statements on large-scale arrests. I’ll share more links as part of this thread. This from Kaduna google.com/amp/s/punchng.…
Read 14 tweets
Profile picture
Let me just put these next two #tweets in sequence.
China Assigns Every Citizen A ‘Social Credit Score’ To Identify Who Is And Isn’t Trustworthy newyork.cbslocal.com/2018/04/24/chi… via @CBS (local #NewYork) #Censorship #Orwellian
Facebook has TRUST ratings for users – but it won't tell you your score thesun.co.uk/tech/7067261/f… via @TheSun #Censorship #Orwellian
Read 14 tweets
Profile picture
Researchers: This is your regularly-scheduled reminder that if you are measuring gender in a survey, your options should not be "Male" "Female" and "Transgender". That makes no sense. Here's why:
First, ask yourself what you are really trying to measure with a gender item. Are you looking at how gender identity is related to the subject of your study? Are you interested in a person's biology? Are you not sure? Make sure you have a precise idea of what your variables are.
For example, are you doing a study where a participant's gender identity matters, ask about their identity, not their sex. If you are interested in something biological, ask whether participants have the anatomy/hormones/etc you are actually interested in. Be direct and clear.
Read 19 tweets
Profile picture
I woke up in the middle of the night thinking about the Honduran man who killed himself after being separated from his wife and three-year-old child. 1/13
Every parent knows the feeling that overtakes you every now and then when you realize how absolute and total your love is for your kids. 2/13
It's a scary feeling in a way. You understand how vulnerable you are because of it. What a risk this feeling presents. 3/13
Read 13 tweets
Profile picture
Seeing lots of tweets on the "decline" of history as in the US measured in terms of (i) fewer students; (ii) fewer faculty positions; (iii) perceptions that it is not good for job prospects.
This seems to be the case but it is puzzling from a non-US perspective. In the UK, history was (and is?) seen as one of the best degrees for entering high powered jobs in law and politics.
The degree of the recent and longest-serving Chancellor was in history (George Osborne) & I know many people history degrees or masters in econ history who have gone on to high powered jobs.
Read 7 tweets

Trending hashtags

#LatinAmerican #immigrants #PeakTV #FreeSpeech #Revolution #IAmBecoming #corporate #education #BaaS #MarmaladeBoy #YouTubers #Trump #HappyFathersDay #EIP1337 #worldbuilding #MBep9 #institutions #45DaysOfElvisCostello #NewYork #Halloween #environment #Brieven44 #Soviet #SocialMedia #chc17

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!