Blog
Latest Posts
How I Became The Most Valuable Hacker
This January, I found myself under Miami’s sun, hacking for Capital One at HackerOne’s H1-305 live hacking event (LHE). Imagine this: 50-100 of the world’s best hackers flown to a fun destination on an all-expenses-paid trip to hunt for bugs, earn bounties, and compete for prizes. What’s not to love? Besides the thrill of free travel, an open bar, and hacking by the pool, what makes these LHEs particularly attractive is:
Embedded Hackers
The History
How I Achieved ATO on a HackerOne Vendor
Every year as a HackerOne Clear verified researcher, I’m required to register on a couple of vendors that HackerOne uses. As I was going through the process of providing my social security number, 7 years of address history, my mother’s maiden name, and last bowel movement, I saw a little familiar popup in the bottom left corner:
Map your hacking sessions - then execute
Bug Bounty Hunting is an ever-changing ecosystem - what works in one season may not work in another. As such, and as with any discipline, being able to evaluate yourself and adjust your course when things stop working is imperative.
Sliding Bounties and Why You Should Use Them
If you’ve been doing bug bounty for any time, either as a hunter or a program, you’ve doubtless heard complaints about CVSS scoring. The typical scenario will look something like this - a hacker will file a report (likely with a laughably inflated CVSS score), set the severity that they think the report is, get their expectations set on receiving $X, the triage service will validate the report, assign a score using a CVSS Calculator, and mark the report as Triaged (barring any back and forth around reproduction steps).