Hey :) If you want to know how you can get started in bug bounties, the first and most important step is learning how to use Google, because that'll be your main tool for your whole career.
fwiw I got $0 when I reported something similar to Google during my initial research in 2020 - and I totally get it. It's nearly impossible to control what devs will do on their own machines.
Dependency confusion - mismanaged by @Google security VRT
https://giraffesecurity.dev/posts/google-remote-code-execution/…
Had the exploiter been malicious this could have led to product compromise, back door, and enterprise access.
Not only that, "The Sunshine State Spoofers" have dominated the top of the leaderboards and were the team who won the most bounties accumulating our overall Live Hacking Event performance.
Never underestimate the power of successful collaborations, onto the next one!
Finished the #H13493 live hacking event in first place and nabbed the Best Collaboration award as well! Had a blast in Barcelona, and a crazy couple of weeks leading up to it. Thanks to everyone who made this event possible!
TIL car rental companies will straight up charge you differently for the exact same rental depending on where you physically are when you book.
Getting a better price is sometimes as easy as going to .co.uk instead of .com
Back in 2012, Ubisoft accidentally added everyone as CC on a marketing email.
Long story short, someone hit Reply All and 10 years later the email thread is still going strong and I think that's beautiful.
Many tech companies, including GitHub, use their geographically distributed workforce as a way to steal wages from workers. They call it "location-based pay grades" and other such nonsense. But it's wrong. So we've written something you can share:
Solid advice. Have a buffer of at least 6 months to 1 year's worth of savings before you go full-time. You shouldn't need to find bugs non-stop to make it work.
My advice to those who think about doing #BugBounty full-time:
Don't go full-time if you only live from month to month! Build up some savings before going that route. Personally, I'm able to survive 3 years without having to find a single bug using my savings.
(1/2) twitter.com/ITSecurityguar…
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2021!
https://portswigger.net/research/top-10-web-hacking-techniques-of-2021…
Someone called me and we spoke like normal but... the call came from a completely different number than theirs?
Confirmed not a prank. We were both in a low-signal area if that's relevant.
The number is busy when I call it but rings when the other person calls.
WTF is going on
tfw you reluctantly submit a report after like a week knowing full well that you were this 🤏 close to escalating the impact.
oh well... on to the next one!
My thinking was - with everyone guessing random numbers, the last layer was statistically likely to be a really small number like 1 or 2.
Don't have a formal proof for this but it feels right.