is there a site/account dedicated to aggregating all the bug bounty submissions / #security “research” that’s of the class:
“just discovered this WILD #vulnerability!!! if u steal the username, password, 2FA code, and have local access to the machine, you can M o D i F y F i L e S 🤯🤯🤯”
Posted by shortridge@hachyderm.io
@shortridge
That would be the inbox of every small scale, self run, vulnerability reporting program.
Ask me how I know.
[#]infosec
Posted by pseudonym@mastodon.online
@shortridge
Tongue firmly in cheek. I know you already know the question and answer are rhetorical.
Glad I don't have to answer those any more.
Posted by pseudonym@mastodon.online
@pseudonym you'd be surprised how often I miss that questions are rhetorical (hint: it's all the time).
but, indeed, I've heard the ratio of useful bug bounty submissions to bullshit is abysmal, demoralizing, flabbergasting. used to be, however, that ppl perceived the dogshit deluge as worth it for the one submission that was an "oh fuck, thank the gods we learned this way."
is that still true? my "jk unless" conspiracy theory is the foremost value prop of bug bounty programs today is as an incident laundering tool 👀
Posted by shortridge@hachyderm.io
@shortridge
I think you are spot on.
It was a few years ago, but yeah, the "oh my!" entry was considered worth the dreck to go through. No idea now, but I'd suspect with the rise of automated agents feeding unreviewed Burp Suite findings through LLMs, I'd guess it's not worth it any more.
Posted by pseudonym@mastodon.online
@pseudonym @shortridge answer: /dev/null
Posted by trouble@masto.ai
@shortridge yes, https://nvd.nist.gov/
It’s so many of them. So, so many of them.
Priv esc to root
Pre req: root
Posted by sawaba@infosec.exchange
@shortridge I would worry for the sanity of whomsoever was unfortunate enough to be responsible for that account.
Posted by dade@crime.st
@shortridge for a time there was “Infosec Reactions” by Aloria.
https://www.tumblr.com/securityreactions
Posted by osman@hachyderm.io
@osman @shortridge for a while, attrition.org was also calling out charlatans, right? Maybe all of them gave up because keeping up with the nonsense doesn’t scale fast enough?
Posted by freddy@security.plumbing
@freddy @osman @shortridge I don't think that approach would work because begbounty ppl just register new accounts every hour, you can't tie them to a persona.
Due to the scale of the problem I think it's more useful to use statistics rather than individual examples, and BB platforms do keep track of accepted/rejected numbers (I'm not sure how much of that is public though).
Posted by buherator@infosec.place
@buherator @osman @shortridge and it’s not entirely in the interest of the BB platforms to share aggregate data of their clients…
Posted by freddy@security.plumbing
@shortridge
I would contribute; even though our computer club doesn't have a bug bounty program, we get wild emails sometimes.
One recent one that stands out is "your big free software mirror has directory listings enabled!!!", which was followed by aggressive emails about "you're exposing people's passwords!!!" since some files had "passwd" in the name. Like pam_passwd-x.y.z.tar.gz...
Posted by maswan@mastodon.acc.sunet.se
@shortridge you can create "bug bounty is going just fine"
Posted by WowSuchCyber@toot.zof.sh