Dear Bug Bounty programs, You cannot simultaneously prohibit bug escalation and pivoting _and_ insist reports include accurate evidenced risk calculations. Regards, A tired bug hunter - ThreadSky

About ThreadSky

ajxchapman.bsky.social • 90 days ago

Dear Bug Bounty programs,

You cannot simultaneously prohibit bug escalation and pivoting _and_ insist reports include accurate evidenced risk calculations.

Regards,
A tired bug hunter

Comments

tommyboyhacking.bsky.social•90 days ago

"Ah well yeah thankfully we have all these big fancy secret back end controls that prevent this from being impactful so this RCE is a low"

alp1n3.dev•90 days ago

Needing anything past a quick CVSS and maybe a comment on likelihood def feels like pushing it for bug bounty.

There’s so many unknowns that it makes it impossible to be fully accurate 🫠

“Well we have this random backend microservice that logs, so it mitigates it, meaning it’s now a low” 😅

ajxchapman.bsky.social•90 days ago

I've definitely seen program abuse CVSS to lower the impact where they see fit. I'm fine if a program wants to pay based on business impact, just don't abuse CVSS to justify it 😂

jstnkndy.bsky.social•90 days ago

there is a program that darkieduck and I work on quite a bit that have just been blatantly wrong in their "we reduced the severity because this is a staging env and doesn't have access to prod", yet we've confirmed accessed prod data by hitting known UNC paths to grab prod web.config files.

ajxchapman.bsky.social•90 days ago

That's a hard blacklist for me. I find it really difficult when programs only consider the absolute _minimum_ impact they can think of, citing extra controls. How can they know for sure that these "extra controls" are any good without testing them??

/rant

renniepak.nl•90 days ago

Oh. I read "retired". lol

ajxchapman.bsky.social•90 days ago

Haha, I don't think I'll get be getting a "real" job any time soon, so I have to still do something to pass the time 😜

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply