just a suggestion for noobs like me
Posted in BugBounty Discussion by @rl1k




rl1k

Researcher

Hi all,

There is a lot of content/tutorials about how to become a bug hunter, about methodology etc., but I think it would be interesting to see it "live" without explaining, because finding bugs and explaining all sorts of things can be counterproductive. I can do the editing or just timestamps, I don't know what is best. And researchers who want to stream this can ask for guys like me who need to train and like to see if they do something wrong or if I miss something; we can help the bug hunter with some info gathering or whatever. I know that makes hours and hours of videos but I can give my time and I'm sure I'm not the only one :) I don't know if you understand the idea but I think we can make a win-win "trade", and like a lot of good YouTube channels do CTF live, we can make a bug bounty live where all win.

All opinions are welcome and if zseano is interested in creating this section here or I must try it somewhere else because that suxxx :p

Thanks for your time


Posted on 2018-11-05



vet0nm

Researcher

Yeah, I would like to watch live hacking on bug bounty programs, that would definitely help us.


Posted on 2018-11-06 at 04:20:12pm (GMT)




rl1k

Researcher

Thanks for the answer and sorry, I didn't see that someone answered it xD

For challenges it is a good idea I think, because I think videos can show some methodology/tips which are difficult to write clearly.

For the live hacking in bug bounty programs, I think I didn't explain clearly what I call "live". When I say live it is not release/stream without any delay, but it can be two months or whatever delay after the finding, like we can see with write-ups. And if we can do write-up/PoC videos, I don't understand what can be illegal about making videos about how the researcher proceeds to search for bugs. But I really don't know what is legal or not for that, I just ask in case my first post wasn't clear about the "live" notion :D

Thanks


Posted on 2018-11-08 at 02:33:54pm (GMT)




rl1k

Researcher

Oh, and I just saw we can't edit messages, so it would be useful to have this option too :p


Posted on 2018-11-08 at 02:35:10pm (GMT)




rl1k

Researcher

Thanks, that's useful for guys like me who write faster than they think xD

and what's your point of view about the "live" hacking videos?? that's still illegal??

When I think about it, I realize we must first ask authorisation from the company that has a bug bounty program to avoid problems.

And another idea which can help guys who are starting out, to give them confidence, and researchers can win too: we can make a section where a researcher can ask for whoever wants to help with doing some recon, like finding subdomains, endpoints or whatever they want, and the researcher trusts the findings or not. If he doesn't trust them and does his own recon, he must give the result to the guy who helped him just to see what he missed, or at least tell him "you missed 2 subdomains or some endpoints". I believe in this: if everybody plays the game, each side wins and that makes a real community, but maybe I'm too much of a utopist lol

Thanks for reading me again, and I hope some researchers read this and give their 2cts


Posted on 2018-11-08 at 07:52:56pm (GMT)




zseano

Administrator Researcher

Sorry about that, it seems a slight bug caused it to delete my earlier posts.

I get what you mean. I thought you meant someone hopping on something like Twitch and doing some live bug hunting, which is what I was referring to with it being potentially illegal. :)

I like the idea.. a sort of live "hack with other hackers" and it's a challenge to do something, such as: "Identify subdomains of xyz" sort of thing? And then at the end people can share their results and help each other where they missed stuff etc?

Am I understanding this correctly? :)

"and what's your point of view about the "live" hacking videos?? that's still illegal??"

  • I think hacking a site regardless of them having a bugbounty program live for others to watch would be extremely frowned upon. Illegal, unsure. Assuming yes, perhaps I can get Amit to chime in here. :) However.. doing basic recon like just dorking/subdomain scanning? Now that's a grey area IMO because you could be seen as aiding other people (could be someone malicious watching you), despite you not actually doing any hacking yourself.

Now, if you had the above scenario with a group of trusted individuals and it was private? Probably ok. I like your thinking. :) (also noticed a slight UI bug with editing bugs :P)


Posted on 2018-11-08 at 11:47:26pm (GMT)




ice3man

Researcher

I think Derek Rook did a livestream a few months ago where he did some basic recon on the CrowdStrike bug bounty program.

https://www.youtube.com/watch?v=1bivJl0B_bs

It would definitely be interesting if someone does it, though I think no one will actually bother to do so because it would reveal their private methodologies and tricks, etc. Also, bug hunting takes a lot of time and patience, so the videos would also become way too long.

If the person doing the video has some financial gain, then he might do it, else I don't really think anybody would bother.


Posted on 2018-11-10 at 12:34:21pm (GMT)




rl1k

Researcher

I will reply later to develop some points, but no, I'm not talking about something like Twitch with real "live" hacking but something like ippsec does on hackthebox. He records and publishes the video later. So if we apply it to bug hunting, we can publish the video after the site accepts to disclose the report, but I understand what you mean. For the private group, I really don't want something like that; the principal goal of all that I want to see is educating/helping all people who have our passion :D

To ice3man: Yeah, but the goal is to share, and if they don't want to show their "private" tricks/methodology then they aren't the type of person who interests me. I think a lot of bug hunters (99% of them) forgot they aren't researchers, they just used other real researchers' results and they can do that because those researchers don't have this capitalist/individualist mentality... Hopefully the real hacker community, the real skilled pentesters have the opposite mentality... Look at Dave Kennedy, Ed Skoudis, Marcello (byt3bl33d3r), and all these guys, they share amazing tools and techniques, they help everyone!!!


Posted on 2018-11-10 at 04:54:51pm (GMT)
Edited on 2018-11-10 at 08:29:12pm (GMT)




zseano

Administrator Researcher

Perhaps as challenges grow and features on here I can introduce video answers? :) (I am working on a really big challenge with lots to play with, doing a video going through issues could be beneficial). Maybe I can get @LiveOverFlow to chime in here since he covers a lot of web stuff on his channel, would be awesome to see him tackling these challenges

Let me know your thoughts


Posted on 2018-11-13 at 01:04:18am (GMT)




d0nut

Researcher

Funny enough, I was just pitching this idea out last week. I would be willing to make a video like this!

Quick question: It's very likely the video will end up being 3-6 hours long (depending on how long it takes me to find a bug; it's usually about that many hours for the first one). Should I keep the video unadulterated (except where I have to redact something) or should I try to cut the video down and just show a timer in the corner that corresponds with how long I've been looking?

My personal feeling is that it would genuinely be better if the video was left intact to help demonstrate just how much effort has to go into doing that initial poking around to find a bug.


Posted on 2018-11-19 at 02:19:10am (GMT)




bugmonkey

Researcher

I think it can be nice to film when you hunt for bugs. I know I like to watch CTF live and similar stuff, it gives me ideas. Once the bug is made public I think you could then post the video!


Posted on 2018-12-11 at 01:09:33am (GMT)