Austin Sturm (@AustinSturm)
2.1K posts

[email protected] || Breaker of all the things || Hack@UCF || IRC @astor || @awscloud Straight crowding - Bounty mgr || My own opinions

[email protected] · Joined May 2012
334 Following · 847 Followers

Austin Sturm (@AustinSturm):
@alxbrsn Yes. Think services that specifically provide this functionality or are supposed to provide security observability.

Alex Birsan (@alxbrsn):
why is this a category on the H1 dashboard? if anyone has a legit paid bug under this category pls share the story

Austin Sturm (@AustinSturm):
@NahamSec 😭 Me... reading clear AI slop that is explicitly allowed by the RFC

Ben Sadeghipour (@NahamSec):
❌ RTFM ✅ Use AI instead

James Kettle (@albinowax):
Just to make it crystal clear, "HTTP/1 must die" refers to both HTTP/1.1 and HTTP/1.0. If you want to escape the chaos, you need HTTP/2+

James Kettle (@albinowax):
I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!

Austin Sturm retweeted:
zseano (@zseano):
i live and breathe amazon, literally everyday i am hacking on amazon. and i'll never stop :)

Austin Sturm (@AustinSturm):
@zseano Facts. D2 is only beat out by Warcraft 3 imo.

zseano (@zseano):
Taking a well deserved break from hacking (for how long I don't know). Been playing lots of diablo2 & this game is still as epic as it was many years ago. Easily the best diablo released

Austin Sturm retweeted:
Frans Rosén (@fransrosen):
I had so much fun recording this ep. My requirement was for @Rhynorater not to see the slides prior so what you see in the video are his genuine reactions as they happen live, from WTF to FOMO to "why did I not think of this before". Enjoy!

Quoting TvM (@tvmpt):
I've just seen the latest episode, and once again... 🤯 Thank you @fransrosen & @ctbbpodcast for sharing 👏 The X-Correlation between Frans & RCE - Research Drop (Ep. 86) youtube.com/watch?v=YLdqWZ…

Austin Sturm (@AustinSturm):
You know you're in West Virginia when even the fries have brown sugar.

Austin Sturm retweeted:
Winnona 💾 (@__winn):
I'm SO stoked to finally announce @DistrictCon - a new DC hacker conference, bringing together hackers across industries to do cool sh*t 🎉🪩 (Feb 21-22, 2025) DistrictCon.org/get-notified

Merritt Baer (@MerrittBaer):
I'll be at blackhat/defcon and I have a few golden tickets. You want to catch me? You do.

Austin Sturm retweeted:
Katie Paxton-Fear (@InsiderPhD):
Okay real talk: if your only motivation to get into #BugBounty is money, you're not going to make it as a bug bounty hunter. It's not enough to get through the time it takes to learn, the hours on a single website to find a single bug. Money AND is okay but money alone is just not enough.

No one decides to start painting solely to be a famous painter. The act of painting soothes something in their brain, maybe it makes them calm, allows them to get their thoughts into reality, or just the satisfaction of representing something as it truly is. Fundamentally that is what a hobby needs to do: it needs to scratch an itch in your brain. And I'm not saying that people shouldn't get paid for bugs. Just because you're a painter doesn't mean you go and paint portraits of rich guys for fun, you paint what brings you joy first.

Money alone will kill your motivation. It might look good to be self employed, be your own boss etc, but what happens when that bug doesn't pay out because a client is slow? Or you spend hours and find nothing? If money is your only motivator you will get a job because at least it's reliable.

Now bug bounty does change people's lives, people genuinely are making crazy salaries from it. It's completely changed mine, but I didn't go into it for money, I did it because it was fun, it was a challenge and it scratched the itch I had to figure out how things work. But beware of those who try to present that as the norm; most hackers, myself included, are not millionaires and none of us got into this because we aimed to be one.

If you're stuck finding your first bug, and getting frustrated, reading articles and pasting other people's payloads only for them to not work? Have you considered that you may not like this hobby?

I want to make it super clear this doesn't mean companies get off the hook of paying hackers because they want to do it for fun. Pay the people for their labour, resolve vulnerabilities in a timely manner to avoid duplicates, and don't treat VDPs like BBPs with the incentive of points. But if you can't answer "why do you want to do bug bounty hunting?" with anything other than money/finance/status related answers, it won't be enough for you to get past learning all the hard bits. There's your #bugbountytip

Austin Sturm (@AustinSturm):
@MerrittBaer Planet money, wait wait don't tell me, radical candor, fall of civilizations, conflicted, in our time

Merritt Baer (@MerrittBaer):
Ok I have caught up on all my podcasts 😢😹😭 Please send more recommendations

Nick Frichette (@Frichette_n):
ATTENTION: THIS IS NOT A DRILL! "public facing security program" in a job listing for a TPM for a "AWS Bug Bounty". AWS Public Bug Bounty confirmed? LEEEEEETTS GOOOOOOO!!!!!!! amazon.jobs/en/jobs/240156…

Austin Sturm (@AustinSturm):
@sshell_ I bought one a while back as well, I tried to use it and gave up. I need to dedicate time to it when I am not busy; the productivity loss was too great for me to overcome at the time.

sshell (@sshell_):
i must now learn how to type all over again

Austin Sturm retweeted:
Michael Skelton (@codingo_):
Today @bugcrowd, we're expanding our product line to offer VDPs for free bugcrowd.com/blog/introduci…, marking the next evolution of our VDP product, following our removal of incentives some time back. This marks a change in the industry, providing a no cost entry point for customers to build up reporting portals, to support hackers in bringing vulnerabilities to them, in a fast and effective manner. It also allows customers to build exposure to the value of the hacking community, and then pursue other offerings in the managed bug bounty space, or pen testing space, in a paid model that incentivises findings and discovery, whilst VDP is intended to capture existing known findings.

Also, hackers, we hear you, we love you and we know there's more to change around VDPs. This isn't our only change. We're aware of the need to change terms for them, and it's currently an active discussion, as well as better separating VDP from MBB, which we've done by removing incentives and having this offering not list in our program portals. If you've other feedback, we would love to hear it, and welcome it - my slack is always open and you can reach me on HIVE, Bug Bounty Forum, or here over DM

Austin Sturm (@AustinSturm):
@Stef_van_Dop Happy to talk actually. I have us sponsoring the H1 IBB which is specifically around helping open source projects and maintainers find security issues. hackerone.com/ibb

Stef (@Stef_van_Dop):
So how do we prevent the next XZ thing? Serious resources for linux/packages, companies making billions of it (hi aws/google/microsoft) can pay a few million supporting the actual open source devs that make linux go brr. Like a bounty program for security fixes?