Wednesday, December 10, 2014

Bug Bounties And What Hackers Get Paid

I discovered hackerone recently. It's a platform companies can sign up for that gives them an avenue for researchers to disclose security vulnerabilities in their site along the lines of "responsible disclosure".

I was curious as to what vulnerabilities were published, and their amounts. Well, when a vulnerability is made public, hackerone puts it on their site with the amount on the same page. Having done network pentests for the last 4 years (professionally), it's hard not to lolwtfbbq at how easy/simple it is to identify some of the bugs listed, and a lot of them are paying out hundreds of dollars for what amounts to about 30 seconds of work... I'm in the wrong business...

In any case, I've parsed through their public listing and compiled a list of links for people to read. At the time of this blog post, 240 vulnerabilities had been publicly released: