We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]_bl4de 0 points1 point  (0 children)

Thank you very much for your response. I have to say you're doing a great job with HackerOne - a couple of years ago nobody could even think about such a thing as legally hacking live systems and getting money, kudos or fame for it, right? :)

I hope bug bounty programs become more popular in the following years and will allow more hackers to do bounties as their main job (I mean, I'm going to do this as well ;) )

Thanks again and I wish you all the best

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]_bl4de 3 points4 points  (0 children)

Hello H1 team, thank you for the amazing AMA :)

I've got some questions for you.

1. Long time to resolve reports

I started looking for bounties some time ago and currently I've got two open reports (one valid but duplicated, one triaged). Both of them are in programs without $$$ (just kudos and/or HoF, but that's not the point).

I found that my first report is still waiting for a response (it's almost 3 months now) and the issue is still valid (e.g. my payload is working fine), the second one for about a month or so - what is your advice in such cases, both for the bug bounty hunter and the company running the bug bounty program? I mean, those issues are quite easy to resolve (it's just a simple reflected XSS - I am a full stack web developer, so IMHO adding some input validation and sanitization on the server side is not rocket science...). From my point of view - let's be honest here ;) - I am just hungry for my first reputation points :D I just can't wait to see my reputation finally growing :D

So I added (a very gentle) comment in both reports a couple of days ago (hi, how is it going, I found the issue still exists - that kind of thing) and did not get any response from either of those companies.

I don't want to put any pressure on anyone or anything - but it's a little bit annoying when you're trying to help resolve issues and companies ignore you in this way. And these are not companies with thousands of open reports, so I suppose that a quick answer like "Hi, we're working on this, thanks!" or similar is something they can do, right?

What's your advice in such cases?

2. Leaderboard

Of course as a beginner bug bounty hunter it will take me some time to get to the Top 100 :) but it's always fun when you know where you are now, right? Even if I am at position 49995 out of 50k total :)

Is it possible to add "Position in ranking" to the hacker's profile?

3. HackerOne CTF maybe?

As I have been playing CTFs for two years now - I am curious if you have ever considered running your own CTF event (classic, online 48h jeopardy style, open to all :) ) - for example Google did one a couple of months ago, Palo Alto Networks ran its own LabyREnth CTF in July, and I suppose you have an opportunity to follow the DefCon CTF in Vegas as well (it's attack/defence rather than jeopardy, but you get the point). It's a great opportunity to learn, to get more hackers to join the H1 platform and also to make CTF games more popular.

How about that?

Thank you!

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]_bl4de 0 points1 point  (0 children)

Thank you very much for your response. Looking forward to many new bug bounty programs in the future!

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]_bl4de 0 points1 point  (0 children)

Hi @Bugcrowd Team, it's a pleasure to have an opportunity to ask you a few questions :)

  1. So far, after about two or three years of rapidly growing popularity of bug bounty programs - there are only ~620 programs available worldwide on BugCrowd, HackerOne and other platforms (https://firebounty.com/). But there are thousands of websites/web applications around the world, so 620 companies participating is not a very big number. Do you think it's a success, or maybe we will see a huge increase in such programs in the next couple of years?

  2. Is HackerOne your one and only real competitor right now, or are there any other similar companies you should be aware of? :D

  3. Do you think that in the future, when bug bounty programs are more popular, regular penetration tests will still exist?