VDPs & Accidental Program VS Hacker Debate Part 2 (Ep. 67)

  • Published: 5 Aug 2024
  • Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deep-dive into Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties.
    Follow us on Twitter at: / ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to / realytcracker for the awesome intro music!
    ====== Links ======
    Follow your hosts Rhynorater & Teknogeek on twitter:
    / 0xteknogeek
    / rhynorater
    Project Discovery Conference: nux.gg/hss24
    ====== Ways to Support CTBBPodcast ======
    Hop on the CTBB Discord at ctbb.show/discord!
    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    Resources:
    Nagli's Braindump on VDPs
    / 1780174392003031515
    Timestamps:
    (00:00:00) Introduction
    (00:05:37) VDP programs
    (00:34:10) Leaderboards
    (00:43:52) Hacker vs. Program debate Part 2
    (01:07:24) Walling Off Endpoints
  • Science

Comments • 14

  • @sudoer92 3 months ago +2

    Researchers should not be taken for granted.

  • @bughunterlabs 3 months ago +1

    You two are killing it! Another amazing episode. Very important to put out all the info and perspectives on VDP vs. BBP, especially for new hunters.

  • @theskelet4r 3 months ago +1

    Another great episode guys, I love these conversations from Hacker vs. Program perspectives. Personally, I think VDPs have their place, and all companies need to have one in some sense, just so anyone can disclose an issue responsibly. VDPs are very different from BBPs and they should be treated differently, but we need companies to establish a basic VDP so anyone can follow the correct and responsible steps to report a security issue.

  • @kickeddroid 3 months ago +1

    Great Episode guys!

  • @tajsec498 3 months ago +1

    HackerOne should bring in new points only for VDPs, not shown on the leaderboard with BBP.

  • @brucelind3678 3 months ago

    Identified risk is calculated and budgeted. Paying the researcher is pennies vs. incident and litigation costs. Unidentified risk means there are missing security/governance controls that a corporate board needs to address, and again, paying researchers is way cheaper than the alternatives that could affect stock value, reputation, etc.

  • @jonathanfillion7890 3 months ago

    And this is why I don't disclose my bugs on VDPs. They are my pension fund.

  • @kickeddroid 3 months ago

    Usually I start with Burp or ZAP or Caido and then eventually just write a bash or Python script.

  • @SecBug 3 months ago

    Having a VDP and a private BBP is just crazy; how is this even allowed!!
    Also, I think VDPs should have rules based on the company's income, type, etc. Like, I am OK with hacking non-profit organizations and small businesses for free, but not a company that is worth billions and refuses to spend a few thousand on their security.

  • @the_schreiber 3 months ago

    Nothing about the #hackerSuck saga?

  • @__-tc3sr 3 months ago

    Red Bull at least gives something. Slightly different from a pure VDP that doesn't give anything.

  • @anashmaidy 3 months ago

    Nagli reported about 200 bugs to the DoD lol

  • @rangila23 3 months ago

    They should understand... what bugs🐛 and bounty 💰 are. I don't understand VDP🙈

  • @rangila23 3 months ago

    I am from India... I hate VDPs, still I reported some mediums for Toyota... They should pay me at least some bonus..... All I got is points :(