I'd add, if you're going to write an inflammatory blog post, at least be honest about being a jerk to the people reading your reports. If your "critical" finding is using "XSS" for phishing, maybe take an extra minute to reevaluate the insinuation that others lack expertise.
His blog has so many facts that are wrong, and it is misleading everyone into thinking that he dropped some 0day on Uber.
New conversation
Classic HN dogpiling on an entity / company they hate for a bad reason. The poster's attitude is gross, but HN gives him a podium because the target is Uber. The terrible reports would be torn apart were it not for their target.
The HN comments are quite reasonable IMHO.
New conversation
I wonder if he knows that a UUIDv4 typically has 122 bits of entropy yielding 5,316,911,983,139,663,491,615,228,241,121,378,304 possible X-Uber-Tokens.
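As an added worked example (not part of the thread, and not Uber's or the researcher's code), here is where those 122 bits come from: RFC 4122 fixes six of a version-4 UUID's 128 bits (the 4-bit version field and the top two bits of the variant field), and the remaining 122 are random, so the token space is 2**122, which is the 37-digit figure quoted above. The brute-force rate of one guess per nanosecond is an assumed illustrative figure. The caveat a practitioner should keep in mind is that this entropy count only holds if the generator is a CSPRNG (Python's uuid4 reads os.urandom); a UUID built from a seeded or predictable PRNG has the same format but far less entropy.

```python
"""Count the entropy of a random UUIDv4 and sanity-check the fixed bits.

Layout (RFC 4122, version 4): xxxxxxxx-xxxx-4xxx-Nxxx-xxxxxxxxxxxx
  - hex digit 13 (bits 48..51 from the top) is the version, fixed to 0x4
  - the top two bits of hex digit 17 (bits 64..65) are the variant, fixed to 0b10
Everything else is generated randomly, leaving 128 - 4 - 2 = 122 random bits.
"""
import uuid

UUID_BITS = 128
VERSION_BITS = 4
VARIANT_BITS = 2
ENTROPY_BITS = UUID_BITS - VERSION_BITS - VARIANT_BITS  # 122


def is_uuid4(token: str) -> bool:
    """True if `token` parses as a UUID with version 4 and the RFC 4122 variant.

    The check is done by masking the raw 128-bit integer so the fixed bit
    positions are explicit, rather than relying only on the stdlib helpers.
    """
    try:
        u = uuid.UUID(token)
    except ValueError:
        return False
    version = (u.int >> (UUID_BITS - 52)) & 0xF      # bits 48..51 from the top
    variant = (u.int >> (UUID_BITS - 66)) & 0x3      # bits 64..65 from the top
    return version == 4 and variant == 0b10


def token_space(token: str) -> int:
    """Number of distinct values a token of the same kind as `token` can take."""
    if not is_uuid4(token):
        raise ValueError("not a version-4 UUID")
    return 2 ** ENTROPY_BITS


def expected_guesses(token: str) -> int:
    """Expected blind guesses to hit one specific valid token: half the space."""
    return token_space(token) // 2


def years_to_brute_force(token: str, guesses_per_second: int = 10 ** 9) -> float:
    """Years of guessing at an assumed rate (default: 1e9 guesses/s, illustrative).

    Uses the expected (average) number of guesses, not the worst case.
    """
    seconds_per_year = 365.25 * 24 * 3600
    return expected_guesses(token) / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    # Constructed sample: a syntactically valid v4 UUID, not a real token.
    sample = "f47ac10b-58cc-4372-a567-0e02b2c3d479"
    fresh = str(uuid.uuid4())  # CSPRNG-backed, so it carries the full 122 bits
    print("valid v4:", is_uuid4(sample), is_uuid4(fresh))
    print("token space:", token_space(sample))
    print("years at 1e9 guesses/s: %.3e" % years_to_brute_force(sample))
```

Run it once and the space printed is 5316911983139663491615228241121378304, i.e. 2**122; at a billion guesses per second the expected time to land on one specific token is on the order of 10**19 years, which is why blind enumeration of such a token is not a finding on its own.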
You're joking, right? How is a researcher supposed to know they've found a duplicate? How do we know Uber is telling the truth?
This is why I don't participate in bug bounties. Even if you do everything right and find multiple vulns, you can walk away with nothing.
I get that the guy is a jerk, but how is that justification for not paying for the results delivered?
Most programs don't pay for duplicates; that's one of the risks that bug hunters have to absorb to participate (the other being not finding anything). Just like the stock market, this is not for everyone!
Most programs working a certain way doesn't make it good. I'd love to see a HackerOne alternative that handles verification themselves.
Paying for duplicates would be wonderful motivation for vendors to fix issues quickly instead of leaving users vulnerable like Uber does.
What's the motivation for the *vendor* to pay on duplicates, though? Unless their bug bounties are avoided for this policy (and they're not), there's no impetus for them to do so... and so they don't.
If someone comes up with a fair and abuse-resistant way to pay for duplicates, I could probably get Google to pay for duplicates. Our motivation would just be to make bug hunters happy.
New conversation
Missing 2FA and rate-limiting == high risk? No certificate pinning == critical risk? This researcher needs to learn risk rating.
Wow a personal insult on someone's educational background, pretty classy. Nothing says "I'm better than this" than stalking someone on LinkedIn.
New conversation
He just wanted to be the second *Taxi Driver*