Heat Miser 🙄 @H_Miser, 16 tweets, 2 min read
I keep seeing all these tweets about bug bounties. I can't bear them anymore... I don't like at all what bug bounties are becoming!
From my point of view, a bug bounty is a way to tell researchers that you are mature enough and intelligent enough to receive alerts about vulnerabilities on your system.
It says "don't worry, you won't be sued and we will reward you if your findings are cool enough", and it's also a way to protect the company by setting up limits and rules for these guys!
But what is bug bounty now? Mostly a few guys spending their weekends and nights finding every vulnerability they can! Not only cool vulns or interesting ones. They're doing it in a batch way!
So what's the goal? Being ranked in the top 10 bug hunters. Based on what? Money or total bugs found. It sucks!
Most of the bug bounty companies also ask their hunters to tweet about their rewards, proposing them another bounty for that...
Some IT security firms also ask their experts to spend some time on bug bounties when they're not working for an official client.
We also see some hunters bragging about the bounties they earned, even looking for techniques to avoid paying taxes on them.
Some of them also keep secret some vulns they use every time, or they report them to their client but not to the vendor (if applicable).
All this sucks. Bug bounty programs are not pentests. Most of the companies I know are not mature enough to manage that or don't have a dedicated team to do that.
Most of the companies must start by giving more credit to their internal security teams and allowing them to be visible and reachable DIRECTLY (not via a communication team) by anyone!
If you do not trust your internal team and allow some random external guy to do some research, it's a pretty bad signal you're sending here.
If you agree to pay a few K for an XSS, it's a pretty bad signal too (for the internal team or pentest contractors).
To conclude, bug bounty programs are great, but use them correctly; you don't need one just because everyone is talking about it.
And dear bug hunters, please remain humble, for God's sake! It's not because your findings are more visible than those you find during a standard pentest that you must start bragging about them (and hint, some of your "clients" may read it and dislike it).
(Oh gosh, I do need an edit button now... my phone and my brain made some pretty ugly mistakes in this thread.)