Dalus
@_d4ly_

103 posts

Tired, old and grumpy. Can do a bit on a computer.

UK. Joined September 2021
73 Following, 487 Followers
Dalus retweeted
No Context Brits @NoContextBrits
How did it end up like this?
TryHackMe @tryhackme
____ is the best TryHackMe room? 👀
Dalus @_d4ly_
I wonder what the intersection is between those crying about AI and bug bounty being dead, and those that bought courses on how to do bug bounty. #bugbounty #thoughtfortheday
Dalus @_d4ly_
@0xConda Showing the desperation is the key.
Brandon Rossi @0xConda
If you beg hard enough the bounties will come
Dave @GamewithDave
For anyone who used a computer between 1990 & 2005… what’s the one game you still think about?
Dalus @_d4ly_
@irsdl They are becoming more sentient, you need to say please.
Soroush Dalili @irsdl
Are you AI? Then prove it! 😂
Dalus @_d4ly_
@hakluke It'd be fair for the platform on request. Researchers get a bit emotional. It'd help build trust in the platform and the program - trust isn't just about the researcher. If many bugs are dup, does program see value? Seems smart to follow up for platform on this point too.
Luke Stephens (hakluke) @hakluke
Bug bounty question: If you submit a bug, and it gets marked as an internal dupe because "the team already knew about it", is it fair to ask for proof?
Dalus @_d4ly_
@monkehack I think the ultimate end goal is trying to go near-full AI - less researcher spend and more money in the bank. Synack has a similar idea.
Ciarán Cotter @monkehack
HackerOne and Bugcrowd are pentest shops these days, and bug bounty is increasingly becoming a smaller focus for them. Ultimately, though, they both still rely on the community of hackers to give their offerings any value - it’ll be interesting to see where this is all going.
Dalus @_d4ly_
@_RastaMouse Just like the olden days when people used to use SBS.
Dalus @_d4ly_
It also didn’t help seeing how few of the “trusted few” pushed back, even with early access to feedback. If Synack is a main income source, it’s probably time to look elsewhere. If you’re just gaming missions, you might be fine. Here are my YoY results.
Dalus @_d4ly_
Alongside this was a shift to a mission-based pentest model that feels increasingly exploitative, especially when you factor in the time investment versus what you're actually paid... (2/3)
Dalus @_d4ly_
This year I spent most of my spare time hacking with #SynackRedTeam, but eased off later in the year after some awful changes to "short" tests resulting in less clarity on payouts and reduced pay for more effort... (1/3)
Dalus retweeted
SinSinology @SinSinology
NEED YOUR HELP! My friend/teacher Soroush (@irsdl) is looking for a new company to join. You know him as the .NET-God, the guy who has popped Exchange and SharePoint, has maintained ysoserial_.net for years, contributed to the exploitation scene numerous times, taught all of you what .NET ghost webshells are, taught you what ViewState exploitation is, how .NET Remoting exploitation issues can be solved, IIS cookieless, web_config exploitation, countless blogs, talks, techniques... but companies keep saying: "we aren't hiring right now!" If I was in a position of hiring, I wouldn't wanna miss out on having one of THE BEST on my team. Your retweet is extremely appreciated ❤️‍🔥. Soroush, if you see this, don't hate me, I had to do it without telling you.
Dalus @_d4ly_
As someone who has to muck in with IR, thrunting and the like... it amazes me how many times it starts with the most clearly dodgy-looking phishing email. 😭
Dalus @_d4ly_
Couple of weeks without finding a bug and I feel like I've forgotten everything I once knew. I need some #bugbountytips and some bug bounty courses ASAP.
Adam Langley @BuildHackSecure
LinkedIn profile: penetration tester, security researcher, bug bounty hunter. LinkedIn DMs: Will you be my mentor…
Dalus @_d4ly_
@irsdl That's why I use the word 'void', because it's a big black box if you're using someone else's service. You can only hope they do the right things 😂
Dalus @_d4ly_
@irsdl And to that end, say you do plug in to your own "thing": how can a business be sure your controls are sufficient to safeguard whatever was kept? And what's to say how another company uses it? Needs a lot of thought for enterprise use.
Soroush Dalili @irsdl
Among web app security tools like #BurpSuite and #Caido, it seems that whoever nails AI integration fastest will win the race this year. I like the idea of Burp AI, but only if I can choose which AI model to use. Will Caido be the first to get it right? The goal is to have a simple agent or button (similar to those in coding IDEs) with access to request/response data, capable of performing tasks such as researching, sending requests, opening a new tab with a fresh request, updating the current request, or answering relevant questions. What do you think?
Dalus @_d4ly_
@irsdl It's not something you can necessarily control, either.