By Intigriti
February 27, 2020
As a community-driven platform, we build upon the insights and feedback from our valuable hackers. Over the past few months, we’ve asked our researcher community various questions concerning bug bounties, DevSecOps and infosecurity in general.
Here are some key takeaways:
Based on our research, a large scope is the feature the community considers most important in a bug bounty program.
Researchers think that the best way to prevent XSS is to sanitize data both upon storing and rendering.
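As an added illustration of the "sanitize on store, encode on render" approach the community favoured (this is example code written for this page, not Intigriti's or any respondent's code; the function names and the sample comment are constructed), the snippet below keeps storage-side sanitization to normalisation and control-character removal, and applies context-specific output encoding at render time, since the same stored value may land in an HTML body, an attribute, or a JavaScript string, each of which needs a different encoding:

```javascript
// Added example (not from the Intigriti post): "sanitize on store,
// encode on render" for XSS prevention, in plain Node.js.
// Function names and SAMPLE_COMMENT are constructed for illustration.

// Storage-side sanitization: normalise, drop control characters and cap the
// length, but do NOT try to strip "dangerous" HTML here. Tag stripping is
// easy to get wrong, and the stored text may later be rendered in several
// contexts that each need their own encoding. Keep the raw text and decide
// the encoding at render time.
function sanitizeForStorage(input, maxLength = 2000) {
  if (typeof input !== "string") throw new TypeError("expected a string");
  // Unicode-normalise so later comparisons and encoding are consistent.
  let value = input.normalize("NFC");
  // Remove C0 control characters except tab, newline and carriage return.
  value = value.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "");
  return value.slice(0, maxLength);
}

// Render-side, context-aware output encoding.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// HTML body context: escape the five characters that can start markup.
function encodeForHtmlBody(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Attribute context: same escapes; the template must also quote the attribute.
function encodeForHtmlAttribute(text) {
  return encodeForHtmlBody(text);
}

// JavaScript string context: encode every non-alphanumeric character as
// \xHH or \uHHHH so quotes or "</script>" can never terminate the literal.
function encodeForJsString(text) {
  return String(text).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// A minimal "page" that renders one stored comment into three contexts.
function renderCommentPage(storedComment) {
  const body = encodeForHtmlBody(storedComment);
  const attr = encodeForHtmlAttribute(storedComment);
  const js = encodeForJsString(storedComment);
  return [
    `<p class="comment">${body}</p>`,
    `<input type="text" value="${attr}">`,
    `<script>var lastComment = "${js}";</script>`,
  ].join("\n");
}

// Constructed sample: a comment that would run as script if rendered raw.
const SAMPLE_COMMENT = 'Nice post! <img src=x onerror="alert(1)"> "quoted" & </script>';

// Full flow: sanitize what the user submitted (with a stray BEL control
// character appended), then render it with per-context encoding.
function demo() {
  const stored = sanitizeForStorage(SAMPLE_COMMENT + "\u0007");
  return renderCommentPage(stored);
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Running the block prints the three rendered lines; the only `<script>`/`</script>` pair left in the output is the one the template itself wrote, and the `onerror` handler survives only as inert text. The design choice worth noting is that storage-side sanitization is deliberately conservative: rejecting or rewriting markup at store time gives a false sense of safety, while output encoding matched to the rendering context is what actually keeps the data from being interpreted as code.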
According to our community, OSCP is the best certificate you can get as a security specialist. A couple of researchers also pointed out that @offsectraining has a great course and certificate for pentesting.
The majority of our community prefers to be called a security researcher instead of a hacker.
A metric-based impact assessment system is more popular than other options such as a type-based system. The standard type-based assessment, which is widely used in pen testing, didn't get many votes. This system categorizes vulnerabilities into tiers, and each tier represents the impact and subsequently the payment amount. A metric-based impact assessment system, such as CVSS, is the preferred way according to our researchers, and it is the system used by the majority of bug bounty platforms. Researchers pointed out that metric-based systems are good, but the context and business impact should be taken into consideration.
Most of our community likes the current payout system, where only the first report is awarded a bounty. However, many people argue for splitting the bounty when both reports are submitted within a short period of time. We asked a question about our current payment system and it started a debate on our Twitter. Currently, we only pay the first person who sends in a report, and about half of our community thinks this is the best option. The other half is divided between two options: full payment for the best report, and the more popular option, splitting the bounty between the involved parties. They argue that both researchers worked for it, so they should both get a share of the reward. This would also benefit the clients, as they would receive multiple reports viewed from different angles. People against the idea of splitting bounties think that this system will be abused, as there is nothing stopping researchers from creating multiple accounts and reporting the same bug.
What is your opinion? Feel free to contribute to the discussion.
What is the #1 feature you look for in a bug bounty program?
How many requests do you need to prove the lack of bruteforce protection?
What is the best certificate you can get as a cybersecurity professional?
Do you consider opening a link as ‘requiring user interaction’?
What is the most secure mobile operating system in your opinion?
What impact assessment system do you prefer for bug bounties?
If a bug gets discovered within 24 hours by multiple researchers, who should get the bug bounty?
Hey hackers, what is the #1 feature you look for in a bug bounty program?
— Intigriti (@intigriti) November 27, 2018
What is your go-to XSS proof of concept? Choose wisely! #HackWithIntigriti #BugBounty
— Intigriti (@intigriti) December 4, 2018
Hey hackers, what's your favorite tool for file and directory discovery?
— Intigriti (@intigriti) December 11, 2018
Hey hackers, how many requests do you think you need to prove the lack of bruteforce protection?
— Intigriti (@intigriti) July 11, 2019
What is the best certificate you can get as a cybersecurity professional? If your choice is not in this list, reply to this tweet!
— Intigriti (@intigriti) August 22, 2019
What is the best way to prevent XSS?
— Intigriti (@intigriti) October 10, 2019
If you had to choose – what would you prefer?
⚪ White box testing only: you get the source code, but can't run the app
⚫ Black box testing only: you don't get the source code, but you can play with the app
— Intigriti (@intigriti) October 28, 2019
How do you pronounce SQL injection? 🗣️
— Intigriti (@intigriti) November 4, 2019
Do you consider opening a link or visiting a website as 'requiring user interaction'?
— Intigriti (@intigriti) November 14, 2019
Should a WAF be disabled for security testing? 🚫🤔
— Intigriti (@intigriti) November 15, 2019
How do you pronounce 'CSRF'? 🗣️
— Intigriti (@intigriti) November 27, 2019
Tax season is coming up! How much taxes do you pay on bug bounties? 💸
— Intigriti (@intigriti) December 3, 2019
What title do you prefer?
— Intigriti (@intigriti) December 18, 2019
Additional question: do you think iOS would be more secure if it was open sourced? Why?
— Intigriti (@intigriti) December 26, 2019
What impact assessment system do you prefer for bug bounties?
— Intigriti (@intigriti) January 13, 2020
Would you describe a (D)DoS attack as "hacking"?
— Intigriti (@intigriti) January 20, 2020
Hey hackers, if a bug gets discovered within 24 hours by multiple researchers — who should get the #BugBounty💰?
At @intigriti, we currently only pay out the first valid report, but we're always open for your feedback! 👂
— Intigriti (@intigriti) February 10, 2020