mongo

@mongobug is the greatest

@justdionysus Solved it (a friend sent it to me) and it was pretty fun and different :) ty

Well, here's a goofy reverse engineering challenge I started a year or two ago and "polished" up last night (I'm sorry it's JavaScript but that's part of the point): gist.githubusercontent.com/justdionysus/d… Please solve it and let me know if it's dumb or boring.

@Masonhck3571 I will wait until 7am next time.. but still, any updates?

I can’t believe people are calling me on Instagram at 2am because they don’t like their triage decision. Please don’t ever do that

@zseano @alxbrsn @CaidoIO 1.7 is the real Burp, feels like home

@alxbrsn Alllll the fucking time , even suggested fixes didn’t do anything. Went back to burp 1.7 and don’t have any problems. Check out @CaidoIO , I think it’s going to replace burp in the future :)

so am I the only one who's gotta restart burp like 10 times a day 'cause it starts glitching like this?

@harshbothra_ @jstnkndy

Tell us who your favourite security hero is and I'll invite them to share their story on SecurityStories.

@jobertabma @Hacker0x01 @jstnkndy

I’m giving away a Burp Suite Pro license! A Pro license auto renewed and the hacker that I personally sponsored makes enough money from @Hacker0x01 to afford it themselves 🎊 Mention someone that deserves the license in the replies to this tweet and I’ll pick someone in 24h.

@PrincessYadhavi @jobertabma @Hacker0x01 You're right but I can't edit :D it should read, 10 crits and 5 lows should not rank lower than just 10 crits

@mongobug @jobertabma @Hacker0x01 You are drunk. Go home. 10 crits and 5 lows == 10 crits and 5 lows

Apparently people are now holding on to low-medium-high bugs and submitting only crits because otherwise they get less invites on BB platforms? (heard this about H1, but probably true for others). Algorithmic failure if so

@Hogarth45_ Well, the algo is wrong then. 10 crits and 1 xss is not worse than 10 crits. That was my point :) appreciate the extra insight

@mongobug Gotta keep the impact above 22 if you want an invite to an event. Why report an xss for $250 and miss out on an event to get $20k+ hackerone.com/community-blog…

@Blaklis_ @njcve_ As the french ambassador can't you get him a french passport?

@njcve_ Hey, The list of ambassador is here : hackerone.com/hackers/brand-…. Unfortunately, if there is no ambassador for your country, you won't be able to participate :(

Anyone recruiting for a British team? #ambassadorworldcup #hackerone #bugbounty

@Hogarth45_ Agreed, but I'm now hearing of people sitting on RXSS / SXSS / etc too. Admittedly I heard from a small percentage of hunters, but that doesn't seem like a net win for overall security

@mongobug I know its very common for people to sit on open-redirects for use with SSRFs at a later date. I would suspect there is a great number of borderline bugs that get sat on. But ultimately more bugs are found with h1 than if it didn't exist. So not perfect, but better than nothing

@Hogarth45_ If true, then I wonder how many vulns are going unreported by people who are not willing to get 2 accounts (which is against the rules iirc)

@mongobug To actually get traction you need 2 accounts on h1. One for high/crit and one for low/med.

@MrTuxracer @plmaltais @Hacker0x01 @Bugcrowd Unfortunately CVSS is hardly objective either, though. And it gets worse because half the bug bounty people and security teams do not fully understand the ratings for each field. Usually becomes a tug-of-war

@plmaltais @Hacker0x01 @Bugcrowd I prefer @Bugcrowd’s because I believe that an objective/neutral system reflects your overall achievement/impact better. However, their VRT is the opposite of being objective... so IMO we need their point system paired with CVSS 😏

I'm curious to see bug bounty hunters opinion on this one. @Hacker0x01 and @Bugcrowd are attributing points differently (explanation in thread). Which one do you prefer?

@maxrousseau Elon bad rocket man

Can someone explain to me why people are losing their minds over this? It’s literally LESS SECURE to use sms two-factor. Doing a big public service here. Everyone should be actively planning to migtate away from sms for security.

@DRUNKKZ3 Any plan to make TDM a permanent mode in 2042? I feel like you're going to remove it in season 4, that would drive a lot of people off

@MrTuxracer Top clown.. imagine dealing with this guy as a bug bounty triager or program owner...

Interesting to read what he thinks a SQL Injection is... 🤔 (I'm not really surprised) github.com/mvt-project/mv…

@cstross @elonmusk Much like this tweet :')

I’ve loved watching how the @elonmusk @Twitter thing has impacted #InfoSec — meaning — people who do nothing but tweet all day and are defined by their egos and twitter identity have been freaking the fuck out — people who actually do the work really don’t care. Thoughts?

Can't wait for all the crybabies to finally "go to Mastodon" so my feed can stop being all about Elon and Twitter. If you're leaving, close your account and stop tweeting