Insights from Europe’s #1 ethical hacker community
As a community-driven platform, we build on the insights and feedback of our valued hackers. Over the past few months, we have asked our researcher community a range of questions about bug bounties, DevSecOps and information security in general.
Here are some key takeaways:
- According to the community, a large scope is the most important feature of a bug bounty program.
- Researchers think that the best way to prevent XSS is to sanitize data both when it is stored and when it is rendered.
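The takeaway above names two layers: checking data on the way in and encoding it on the way out. The following is an added example, not code from the original post or from Intigriti; every function name and sample input in it is constructed for illustration. It validates a display name against an allowlist before storage and applies context-aware HTML encoding at render time, and it also shows why the render-time layer must not be skipped: a record that reached the datastore through another path (an import, an old unvalidated row) is still rendered as inert text.

```javascript
// Added example (not from the original post): the two-layer XSS defence the
// poll result describes. Validation when data is stored, HTML encoding when it
// is rendered. All names and sample inputs below are constructed.

// Layer 1 (store time): accept only what the field is allowed to contain.
// Letters, digits, space, underscore, dot, apostrophe and hyphen, 1-40 chars.
const DISPLAY_NAME = /^[\p{L}\p{N} _.'-]{1,40}$/u;

function storeDisplayName(raw) {
  const value = String(raw).trim();
  if (!DISPLAY_NAME.test(value)) {
    throw new Error("display name contains characters outside the allowed set");
  }
  return value; // what would be written to the datastore
}

// Layer 2 (render time): encode for the HTML context the value lands in.
// This is the control that actually neutralises markup; stored data may have
// arrived through paths that skipped validation (imports, legacy records).
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Places the value in an element body and in a double-quoted attribute, both
// encoded. Keeping the attribute quoted is what makes the encoding sufficient.
function renderGreeting(displayName) {
  const safe = encodeForHtml(displayName);
  return `<p data-user="${safe}">Hello, ${safe}!</p>`;
}

// Simulated request handling: validate on the way in, encode on the way out.
function handleProfile(rawInput) {
  let stored;
  try {
    stored = storeDisplayName(rawInput);
  } catch (e) {
    return { stored: null, html: null, rejected: e.message };
  }
  return { stored, html: renderGreeting(stored), rejected: null };
}

// Constructed inputs: a benign name, a markup payload that fails validation,
// and a legacy record that bypassed validation but is still rendered safely.
console.log(handleProfile("Ada Lovelace").html);
console.log(handleProfile("<script>alert(1)</script>").rejected);
console.log(renderGreeting('"><script>alert(1)</script>'));
```

The allowlist deliberately permits an apostrophe (names like O'Brien are legitimate), which is exactly the kind of character that is harmless in storage but must be encoded at render time; relying on the store-time check alone would leave that gap open.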
- According to our community, OSCP is the best certificate you can get as a security specialist. A couple of researchers also pointed out that @offsectraining has a great course and certificate for pentesting.
- The majority of our community prefers to be called a security researcher instead of a hacker.
- A metric-based impact assessment system is more popular than the alternatives, such as a type-based system.

The standard type-based assessment, which is widely used in pen testing, didn't get many votes. This system categorizes vulnerabilities into tiers, and each tier represents the impact and, subsequently, the payment amount. A metric-based impact assessment system, such as CVSS, is the preferred way according to our researchers, and it is the system used by the majority of bug bounty platforms. Researchers pointed out that metric-based systems are good, but that context and business impact should also be taken into consideration. If you want to learn more about the impact assessment used by Intigriti, click here!

- Most of our community likes the current payout system, where only the first report is awarded a bounty. However, many people argue for splitting the bounty when both reports are submitted within a short period of time.

We asked a question about our current payment system and it started a debate on our Twitter. Currently, we only pay the first person who sends in a report, and about half of our community thinks this is the best option. The other half is divided between two options: full payment for the best report, and the more popular option, splitting the bounty between the parties involved. They argue that both researchers worked for it, so both should get a share of the reward. This would also benefit the clients, as they would receive multiple reports written from different angles. People against the idea of splitting bounties think that the system would be abused, as there is nothing stopping researchers from creating multiple accounts and reporting the same bug.
What is your opinion? Feel free to contribute to the discussion.
What is the #1 feature you look for in a bug bounty program?
What is your go-to XSS proof of concept?
What’s your favorite tool for file and directory discovery?
How many requests do you need to prove the lack of brute-force protection?
What is the best certificate you can get as a cybersecurity professional?
What is the best way to prevent XSS?
Do you prefer Whitebox or Blackbox testing?
How do you pronounce SQL injection?
Do you consider opening a link as ‘requiring user interaction’?
Should a WAF be disabled for security testing?
How do you pronounce ‘CSRF’?
How much tax do you pay on bug bounties?
What title do you prefer?
What is the most secure mobile operating system in your opinion?
What impact assessment system do you prefer for bug bounties?
Would you describe a (D)DoS attack as “hacking”?
If a bug gets discovered within 24 hours by multiple researchers, who should get the bug bounty?