Aug 2023
2h 10m
Episode 34: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel have both beaten COVID and now square off against each other in a mega-debate representing hackers and program managers respectively. Among the topics included are Disclosures, Dupes, Zero-Day Policy, payouts, budgets, Triage and Retesting. So, if you want blood-pumping, insult-hurling opinion-invalidating debate…then maybe look somewhere else. But if a thought-provoking discussion about bug bounty is more your style, then take a seat and get ready!
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Prompt Injection Primer for Engineers
https://twitter.com/rez0__/status/1695078576104833291
Portswigger on XSS
https://twitter.com/PortSwiggerRes/status/1691812241375424983
Gunner Andrews talk
https://www.youtube.com/watch?v=aaDe1ADh5KM
Jhaddix live training Givaway
New Website
Fight music composed by Dayn Leonardson
Timestamps:
(00:00:00) Introduction
(00:02:00) Joel’s DEFCON Recap
(00:04:45) Prompt Injection Primer for Engineers by Rez0
(00:07:00) Portswigger Research and XSS
(00:08:36) Gunnar Andrews' talk on serverless architecture
(00:10:10) ‘Bug Hunter Methodology’ Course Giveaway
The Debate
(00:13:34) Zero-Day Policy and Payment for Vulnerabilities
(00:25:40) Disclosure
(00:33:52) Dupes (00:51:23) CVSS
(01:02:25) Budgets and Payouts
(01:15:00) Triage and Retesting
(01:34:55) Withholding Reports
(01:41:50) Root Cause Analysis
(01:52:25) Interacting with hacker reports from a security standpoint.
(01:58:50) Internal Activity on a Report
(02:01:15) Cost of running Bug Bounty Programs and LHE’s