Some things that happened to me while doing bug bounty:
1. Downgrading the score of a vulnerability that was previously reported twice and rated as "Medium".
2. Reporting to an open source project: they saw the bug, removed all the files from their GitHub, bumped up the version, then told me that I had found the vulnerability in an older version.
3. The program imported all the existing bugs into the platform, then marked them as duplicates once they got reported.
And the list goes on. The lesson is simple: never hack for free.
All the best for you and your family, Jason.
I got repeatedly fisted doing bb. Wrote a blog about it if you're interested?
This is f*cking true
I reported a vulnerability once that was currently working on the platform that allowed you to bypass MFA, and was told it's a duplicate of a vulnerability from an internal bulletin a year before I submitted it to them.
@trevermcbride4041 Name and shame!
@trevermcbride4041 YIKES!! That's embarrassing for them to admit. 😂
This kinda guy is worshipped by everyone in their respective field. Someone who speaks up against the odds. Mad respect to boss Haddix, the legend.
Seeing you speak on this, makes the rest of us feel like we can too. Thank you for having the courage to say what we've all been thinking. We love you, jHaddix ❤
I love this talk and have the highest respect for Jason. He is one of the most brilliant minds in the bug bounty scene and such a wonderful human being. He doesn't have to fight for this community; he does it at will. I admire your support for the "nonames" and new hunters in the field.
May god bless you and your wife. 🙏🏻
Mad respect to Haddix for this truth telling. No doubt he's been conflicted about this stuff for a long time and is finally in a position where he feels like he can talk about it.
Something else that needs to be addressed is that when researchers are continuously facing these BS practices, many of them might just opt to sell their P-1 / 0 days to a buyer that pays way more and with much less friction than the programs.
I'm afraid some might even turn into the other side (black hat)
@huzaifamuhammad8044 IMO, that would be the appropriate response to corporate consolidation and research theft.
My sentiment exactly, "Oh you want to treat me like a fool?" *proceeds to sell 0day to Russia instead*...
@huzaifamuhammad8044 This happens frequently, I know this for a fact.
Wishing the best for you and your family Jason ❤
It should be well known by now: never short, be stingy with, get one over on, or underestimate your hackers... When very talented researchers get screwed over they begin to think being a legitimate researcher isn't worth it, and go from reporting bugs to selling exploits on the black market.
If the suits that run these ticketing systems think the people that generate the revenue used to pay their salaries should simp for them and, on top of that, be thankful for the privilege to work for them, I think marketplaces for bugs on the non-clearnet might just grow in popularity.
Greedy people seem to manage to ruin everything.
Yes, I think this will be the next step for the bug bounty scene, and corporates will be forced to react, either by bidding on the exploits themselves on the black market or by creating a better marketplace solution that favors us hackers.
Awesome talk by Jason Haddix, thanks. And prayers to your family, Jason 🙏
Some hackers create informative content, and that's a good thing. However, I believe that sometimes you need to stand up for your community. It's great content, and I respect you, bro.
Almost all of the issues here seem like they come from the same reason we have unions for regular employees… Hackers union anyone?
We have a hackers union... it's called Code!
@ Code doesn’t stop a race to the bottom for wages. That’s exactly my point…
Thanks for speaking up! I discovered a high severity vulnerability in a well-known social media platform a couple of months ago. The triaging process was an absolutely ridiculous shit show. It took 6 months, included two interventions from the platform's support team, and right before the payout they decreased the severity rating, reducing the payout by 90%.
0/5 Never again.
I'm assuming there's some forced arbitration thing so they can tell you to GFY whenever they pull their scam?
Wow that's nuts about the traffic being monitored for the top 250.
It would be petty cash to them AND create competition by paying those 250, but they discourage them instead.
Why do you think the programs request or require you to put a custom header with your bug bounty program username?
@AlexbongoKurban so you just commented without watching?
They're stealing from the top 250
@matt5721 cry harder
Thanks for helping us up and comers! Prayers for your family.
This needs to be put out there even more
I'd drop everything to be at my wife's side, instead of worrying about using mild swear words at a talk that certainly won't change the world. But that's just me. All the best to you and yours, Mr Haddix.
Putting personal shit to one side to work is the epitome of a professional. Excellent talk. I hope your wife recovers.
No it's deranged they should have given him an out. Don't do this. It's unhinged.
@2rx_bni Yeah, fuck that. A talk over my wife, there's no way in hell I'd ever do that.
@2rx_bni totally!!! The worst is his "my kids are watching my other kids" WTF!!! Kids must be sad for their mom and this guy isn't even there for them... Bad parents really!!!
@trustedsecurity6039 seems like he's working pretty hard to provide for his family.
Setting aside whatever their family dynamics might be, which might make it totally OK in his particular case... the caveat given at the beginning tacitly encourages the behavior of "I'd rather push myself past the normal point and do a worse job than take time away for me and my family", which I believe is negative for most people.
❤
Thank you for doing this, wishing your wife a speedy recovery.
As usual, Jason's talks are always very interesting.
I have learnt something but am also discouraged about whether to start bug bounty or something else... please advise.
Wishing your wife a speedy recovery. Thanks JHaddix
Wow, really eye opening! Thank you very much
Very hard to navigate. Appreciate you advocating for the little guy, always.
Glorified ticketing system
Bug bounty is the same as the Better Business Bureau. Started by bad businesses to limit the number of lawsuits they receive...
Pissing off hackers is a very bold move
🎉 Great talk, though it may be undervalued. You illustrated valuable insights into shady platforms and the shit loads that happen to bug hunters, misrepresentation, etc. Nice talk.
Seems like all that really needs to happen is companies and especially platforms being taught a lesson. Bounty platforms should also be anonymous; there should be no room for celebrity/favoritism or targeted monitoring. If we're in this to make things more secure and get paid, then bug bounty programs and platforms should really try to incentivize white hat behavior. If I'm not going to get paid either way, the world will become more secure by forcing companies to listen and practice security if their vulns are given away in alternative markets. If they're going to make getting compensated fairly difficult, you can just name your price elsewhere...
They want to play a game, we like playing games 😊
There are also organizations that wait for you to publicly disclose vulnerabilities and intentionally ignore your reports so you do so, and platforms that suggest bugs are not shared with customers but they are. The struggle they are faced with is the legal implications of not protecting their systems. Lately the pros of ethical reporting are outweighed by the cons. I hope your talk inspires change.
A wise man says wise things
Another excellent talk!!
Welcome to the WESTERN WORLD of capitalism. You deserve more credit for your work.
Amazing talk! thanks for sharing Jason!
Why not make a bug bounty "union" that instead acts as an intermediary between hunters and the platforms taking the contracts for bug bounties.
If the platforms won't take your bugs because you didn't sign a contract, then you now have a barrier for negotiating. The bugs can be sent to either regulators (does threatening to report a crime count as extortion?) or the company themselves, with the advantage that a group representative has a larger megaphone to (responsibly) disclose publicly that this company would not pay you under this more equitable arrangement.
Best I got.
But I think it's a better plan than hoping they simply choose to be less exploitative. (On the internet?)
I thought bug crowd was when more than 4 gay people formed a line?
This is why some would rather sell their discoveries on the dark web.
You have my respect, man, but I was expecting a mention of wannabe hackers that throw shitty reports and spam both platform triagers and programs' security teams, hoping to fool them into a $100 bounty.
For real… or CVEs rated at high 9s that claim “code execution is possible” but are at most only memory corruption. POC or GTFO!
They most probably think "that's their passion. They do it anyway, why should we pay for this?!"
That is on so many sides just wrong and abusive. But I think it's also a hint about who these people are. And think about whether the hacking community should branch out and make its own bug bounty site. They have all the expertise.
Dear ....
If you read this idea and start doing it, reach out to me and take me on board for sparking that process :)
In a few years I will do it, bringing the right people together :)
This is why I’m extremely paranoid about how I submit bugs and tend to sell them instead. My time and skills are valuable.
amazing presentation. thank you!
It would appear to me that the bug bounty program is corrupted and should not be something to participate in.
This is sad, I think the black market is better.
I brought this topic up to Dr. Hinton respectfully..
How can the contract bind you re: the submission if you received no money (consideration) for the submission? It is not illegal to sell unregulated information, and it's definitely not illegal to share unregulated information for free. The platforms and ultimately the customers are buying your right to do those things, and if they choose not to buy it, your rights should be unchanged.
I am starting hunting nowadays but I am a little afraid of this question:
Will bug hunting decline or end with the rise of AI?
This is kinda messed up
Great talk
Have seen BC employees stealing research (0day) then claiming the bounty on other targets leveraging the same tech stack. Repulsive behavior and blacklisted. Also seen employed hackers within firms share a 0day within the firm with strict instructions to, duh, DO NOT LEAK, only for it to be abused/leaked by said "future" employee who even went as far as asking on Twitter for some bypasses for this very specific vector. BB is a scam.
Great talk!
Wow, respect to Jason Haddix.
Let's implement some decentralized ID or attachment which can trace found instances and properly pay a percentage to the hunter.
Where can I sign up? Can't be worse than AT&T.
Very interesting, and definitely food for thought. Doesn't sound very realistic though. "Shitty customers" feels like "anyone who doesn't do what I'd advise".
Do you work for one of these companies? Your comment really has this "I'm a middle manager whose only task is to throw a wrench in the works and feel self important" energy.
Or perhaps you're just someone whose personality trends towards the bootlicking side?
Love you haddix
3 times Bugcrowd has said that my report was a dupe, and a year later the vuln is still there. I also think a triager took my vulns and brushed me off.
Hackers being replaced by AI before GTA 6
3rd party shit happened to me, with full access to cloud read and write, with all the employees' data.
STOP HELPING THEM!! LET THEM EAT THE BUGS!
Also- the court systems - online.
my dude
(Better now?) American Magnet ;))
Rep++
YOLO
:p
/notes
Bug bounty is a scam :)
Freakin' Jason Haddix! Best wishes to your fam, bro @jasonhaddix
Thanks @jhaddixP 100% Truth.