Conversation

is there a site/account dedicated to aggregating all the bug bounty submissions / “research” that’s of the class:

“just discovered this WILD !!! if u steal the username, password, 2FA code, and have local access to the machine, you can M o D i F y F i L e S 🤯🤯🤯”

@shortridge

That would be the inbox of every small scale, self run, vulnerability reporting program.

Ask me how I know.

@shortridge

Tongue firmly in cheek. I know you already know the question and answer are rhetorical.

Glad I don't have to answer those any more.

@pseudonym you'd be surprised how often I miss that questions are rhetorical (hint: it's all the time).

but, indeed, I've heard the ratio of useful bug bounty submissions to bullshit is abysmal, demoralizing, flabbergasting. used to be, however, that ppl perceived the dogshit deluge as worth it for the one submission that was an "oh fuck, thank the gods we learned this way."

is that still true? my "jk unless" conspiracy theory is the foremost value prop of bug bounty programs today is as an incident laundering tool 👀

@shortridge yes, https://nvd.nist.gov/

It’s so many of them. So, so many of them.

Priv esc to root
Pre req: root

@osman @shortridge for a while, attrition.org was also calling out charlatans, right? Maybe all of them gave up because keeping up with the nonsense doesn’t scale fast enough?

@freddy @osman @shortridge I don't think that approach would work because begbounty ppl just register new accounts every hour, you can't tie them to a persona.

Due to the scale of the problem I think it's more useful to use statistics rather than individual examples, and BB platforms do keep track of accepted/rejected numbers (I'm not sure how much of that is public though).

@buherator @osman @shortridge and it’s not entirely in the interest of the BB platforms to share aggregate data of their clients…
