Twitter Recap #2 – Polls by the Intigriti Community

By Intigriti

February 27, 2020

Insights from Europe’s #1 ethical hacker community

As a community-driven platform, we build upon the insights and feedback from our valuable hackers. Over the past few months, we’ve asked our researcher community various questions concerning bug bounties, DevSecOps and infosecurity in general.
Here are some key takeaways:

  • According to the community, a large scope is the most important feature of a bug bounty program.

  • Researchers think that the best way to prevent XSS is to sanitize data both upon storing and rendering.

  • According to our community, OSCP is the best certificate you can get as a security specialist. A couple of researchers also pointed out that @offsectraining has a great course and certificate for pentesting.

  • The majority of our community prefers to be called a security researcher instead of a hacker.

  • A metric-based impact assessment system is more popular than other options such as a type-based system. The standard type-based assessment, which is widely used in pen testing, didn’t get many votes. This system categorizes vulnerabilities into tiers; each tier represents the impact and, subsequently, the payout amount. A metric-based impact assessment system, such as CVSS, is the preferred way according to our researchers, and it is the system used by the majority of bug bounty platforms. Researchers pointed out that metric-based systems are good, but the context and business impact should also be taken into consideration.

  • Most of our community likes the current payout system, where only the first report is awarded a bounty. However, many people argue for splitting the bounty when both reports are submitted within a short period of time. We asked a question about our current payment system and it started a debate on our Twitter. Currently, we only pay the first person who sends in a report, and about half of our community thinks this is the best option. The other half is divided between two options: full payment for the best report, and the more popular option, splitting the bounty between the parties involved. They argue that both researchers worked for it, so they should both get a share of the reward. This would also benefit the clients, as they would receive multiple reports viewed from different angles. People against the idea of splitting bounties think that this system will be abused, as there is nothing stopping researchers from creating multiple accounts and reporting the same bug.
    What is your opinion? Feel free to contribute to the discussion.
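The XSS takeaway above ("sanitize data both upon storing and rendering") is easy to get subtly wrong, so here is an added example of what the two halves look like in practice. It is not code from Intigriti or from any poll respondent; the comment-store scenario, the function names and the sample values are assumptions made for illustration. The point it shows: the storing half validates and normalizes (it does not HTML-encode), the rendering half encodes each value for the exact context it lands in (HTML text, HTML attribute, URL query), and encoding at both points instead of once produces mangled, double-encoded output.

```python
import html
import unicodedata
from urllib.parse import quote

# Hypothetical limit for a blog-comment field (assumption, not from the post)
MAX_COMMENT_LEN = 500


def sanitize_on_store(raw: str) -> str:
    """The "storing" half: validate and normalize before persisting.

    Nothing is HTML-encoded here. The function only removes what no
    legitimate comment needs (NUL bytes and other control characters,
    oversized input) and canonicalizes Unicode so later checks see one form.
    """
    text = unicodedata.normalize("NFC", raw)
    # Keep newlines; drop every other control/format/unassigned char (category C*)
    text = "".join(
        ch for ch in text if ch == "\n" or not unicodedata.category(ch).startswith("C")
    )
    text = text.strip()
    if len(text) > MAX_COMMENT_LEN:
        raise ValueError("comment exceeds %d characters" % MAX_COMMENT_LEN)
    return text


def would_store(raw: str) -> bool:
    """Convenience check: does the store-time validation accept this input?"""
    try:
        sanitize_on_store(raw)
        return True
    except ValueError:
        return False


def encode_for_html_text(value: str) -> str:
    """Encode for an HTML text node or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def encode_for_url_query(value: str) -> str:
    """Encode for a URL query-string value; safe="" also percent-encodes '/'."""
    return quote(value, safe="")


def render_comment(author: str, body: str) -> str:
    """The "rendering" half: each value is encoded for the context it lands in."""
    return (
        '<div class="comment" data-author="%s">' % encode_for_html_text(author)
        + '<a href="/profile?user=%s">%s</a>'
        % (encode_for_url_query(author), encode_for_html_text(author))
        + "<p>%s</p></div>" % encode_for_html_text(body)
    )


def store_and_render(author: str, body: str) -> str:
    """Full path: sanitize on store, then encode on render."""
    stored = sanitize_on_store(body)
    return render_comment(author, stored)


def double_encoded(raw: str) -> str:
    """Pitfall: HTML-encoding at store time *and* again at render time.

    A stored "&lt;b&gt;" is re-encoded to "&amp;lt;b&amp;gt;", so the user sees
    the literal text "&lt;b&gt;" instead of "<b>". Encode exactly once, at render.
    """
    return html.escape(html.escape(raw))


if __name__ == "__main__":
    # Constructed sample input: a classic test string in the comment body
    author = 'Bob "the" <Builder>'
    body = "<script>alert(1)</script> & more"
    print(store_and_render(author, body))
    print(double_encoded("<b>"))
```

Note that `html.escape` is a text-node and quoted-attribute encoder only; a value placed inside a `<script>` block, an inline event handler or a CSS context needs that context's own encoder, which is exactly why the encoding decision belongs at render time, where the context is known, and not at store time.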

Index

What is the #1 feature you look for in a bug bounty program?

Hey hackers, what is the #1 feature you look for in a bug bounty program?

— Intigriti (@intigriti) November 27, 2018

What is your go-to XSS proof of concept?

What is your go-to XSS proof of concept? Choose wisely! #HackWithIntigriti #BugBounty

— Intigriti (@intigriti) December 4, 2018

What’s your favorite tool for file and directory discovery?

Hey hackers, what's your favorite tool for file and directory discovery?

— Intigriti (@intigriti) December 11, 2018

How many requests do you need to prove the lack of brute-force protection?

Hey hackers, how many requests do you think you need to prove the lack of brute-force protection?

— Intigriti (@intigriti) July 11, 2019

What is the best certificate you can get as a cybersecurity professional?

What is the best certificate you can get as a cybersecurity professional? If your choice is not in this list, reply to this tweet!

— Intigriti (@intigriti) August 22, 2019

What is the best way to prevent XSS?

What is the best way to prevent XSS?

— Intigriti (@intigriti) October 10, 2019

Do you prefer Whitebox or Blackbox testing?

If you had to choose – what would you prefer?
⚪ White box testing only: you get the source code, but can't run the app
⚫ Black box testing only: you don't get the source code, but you can play with the app

— Intigriti (@intigriti) October 28, 2019

How do you pronounce SQL injection?

How do you pronounce SQL injection? 🗣️

— Intigriti (@intigriti) November 4, 2019

Do you consider opening a link as ‘requiring user interaction’?

Do you consider opening a link or visiting a website as 'requiring user interaction'?

— Intigriti (@intigriti) November 14, 2019

Should a WAF be disabled for security testing?

Should a WAF be disabled for security testing? 🚫🤔

— Intigriti (@intigriti) November 15, 2019

How do you pronounce ‘CSRF’?

How do you pronounce 'CSRF'? 🗣️

— Intigriti (@intigriti) November 27, 2019

How much taxes do you pay on bug bounties?

Tax season is coming up! How much taxes do you pay on bug bounties? 💸

— Intigriti (@intigriti) December 3, 2019

What title do you prefer?

What title do you prefer?

— Intigriti (@intigriti) December 18, 2019

What is the most secure mobile operating system in your opinion?

Additional question: do you think iOS would be more secure if it was open sourced? Why?

— Intigriti (@intigriti) December 26, 2019

What impact assessment system do you prefer for bug bounties?

What impact assessment system do you prefer for bug bounties?

— Intigriti (@intigriti) January 13, 2020

Would you describe a (D)DoS attack as “hacking”?

Would you describe a (D)DoS attack as "hacking"?

— Intigriti (@intigriti) January 20, 2020

If a bug gets discovered within 24 hours by multiple researchers, who should get the bug bounty?

Hey hackers, if a bug gets discovered within 24 hours by multiple researchers — who should get the #BugBounty💰?

At @intigriti, we currently only pay out the first valid report, but we're always open for your feedback! 👂

— Intigriti (@intigriti) February 10, 2020
