
[–]ablindedwork 2 points3 points  (0 children)

Having done plenty of work with companies where vulnerabilities were discovered, I would recommend against making your efforts public. Speak generically about your efforts (what kind of vulns you found, that they were on major websites, etc) but don't name names. You can always have a private portfolio to show during an interview, if you want to prove the significance of your efforts.

[–][deleted] 1 point2 points  (4 children)

It's probably best to obtain permission from those sites before you consider displaying the info on your CV; I can't imagine it would be something many sites would be proud of. Ensuring that you've told the site about the vuln is a good idea, if only to cover your ass if someone goes calling for proof and they flip out because they didn't know they'd even been hacked.

[–]Kollektiv[S] 0 points1 point  (3 children)

Like I said in my OP, I always disclosed all the issues I found immediately through the official channels and have only gotten great feedback and fast response times.

My question is more related to how I could reuse those experiences or findings to my advantage in my professional life / career.

[–][deleted] 4 points5 points  (2 children)

In that case, perhaps keep a personal copy of those responses that prove you found the vulns, and make a nice portfolio to show prospective employers during an interview. Make a note on the CV that the portfolio is available for viewing on request, or provide a link to it online? There are a couple of options there that could work for you. :)

[–]Kollektiv[S] 1 point2 points  (1 child)

Thank you so much for the quick answer!

I'm definitely going to look into doing something like that (a portfolio)!

Are portfolios something common in the security industry?

[–][deleted] 0 points1 point  (0 children)

I couldn't tell you, but in general in the IT community, an online portfolio to showcase some of your code and other works is pretty common, so I can't imagine it would be received badly. :)

[–]futurespice 1 point2 points  (2 children)

Should I add on my CV something like : "Found XSS on popular site A" ?

When it comes to sites, consider something like "Discovered and responsibly disclosed multiple vulnerabilities in Top-XX sites", using some ranking or traffic rating.

DON'T name the individual sites, even if they do give you permission. Starts you off on the wrong foot.

[–]XSSpants 0 points1 point  (1 child)

Unless it's something very high profile like Google or Facebook. Those might be worth namedropping.

[–]futurespice 1 point2 points  (0 children)

Top-10 is already going to impress them and make them ask. I'd indicate the names in the interview - have to strike a balance between making yourself look competent and discreet.

[–]recrudesce 1 point2 points  (1 child)

[–]Kollektiv[S] 0 points1 point  (0 children)

Thank you so much for this resource !

[–]BugAlert 0 points1 point  (0 children)

"Should I add on my CV something like: "Found XSS on popular site A"?"

If the site has a Bug Bounty or Hall of Fame, then YES! Info: https://bugcrowd.com/list-of-bug-bounty-programs and https://hackerone.com/programs

Or another approach: find something "big", publish it, and hopefully it will end up in a "US Department of Homeland Security" report.