just a suggestion for noobs like me
Posted in BugBounty Discussion by @rl1k
There is a lot of content/tutorial about how to become a bug hunter, about methodlogy etc but i think it will be interesting to see it in "live" without explaining because finding bugs and explaining all sort of things can be counterproductive, i can make the editing or just a timestamp i dont know what is the best. And for researcher who want stream this, they can ask for guys like me who need to train and like to see if they make something wrong or if i miss something, we can help the bug hunter with some info gathering or whatever. I know that make hours and hours of videos but i can give my time and im sure im not the only one :) I dont know if you understand the idea but i think we can make a win-win "trade" and like a lot of good youtube channel do CTF live we can make a bug bounty live where all win.
All opinion are welcome and if zseano is interested to create this section here or i must try it somewhere else because that suxxx :p
Thanks for your time
Yeah, I would like to watch live hacking on bug bounty programs, that would definitely help us.
Thanks for the answer and sorry i dont see someone answer it xD
For challenges it is a good idea i think because i think video can show some methodology/tips which are difficult to write clearly.
For the live hacking in bug bounty program i think i dont explain clearly what i call "live". When i say live it is not release/stream without any delay but that can be two months or whatever delay after the finding like we can see with write-up. And if we can do write-up/pOc video, i dont understand what can be illegal to make videos about how the researcher procceed to search bugs. But i really dont know about what is legal or not for that, i just ask if my first post wasnt clear about the "live" notion :D
oh and i just see we cant edit message so it will be useful to have this option too :p
thanks that useful for guys like me who write faster than they think xD
and what's your point of view about the "live" hacking videos?? that's still illegal??
When i think about it i realize we must ask authorisation to the the company who have a bug bounty program first to be avoid problem.
and an other idea who can help guys who start to give them confidence and researcher can win too. we can make a section where a researcher can ask for who want help in with doing some recon, like finding subdomains,endpoint or whatever they want and the researcher trust or not the finding, if he dont trust and make his recon he must give the result to the guy who help him just to see what he miss, or at least say him you miss 2 subdomains or some endpoint. I believe in this if everybody play the game each side win and that make a real community but maybe im too much utopist lol
Thanks to read me again and i hope some researcher read this and give their 2cts
Sorry about that, it seems a slight bug caused it to delete my earlier posts.
I get what you mean. I thought you meant someone hopping on something like Twitch and doing some live bug hunting which is what I was referencing to with it being potentially illegal. :)
I like the idea.. a sort of live "hack with other hackers" and it's a challenge to do something, such as: "Identify subdomains of xyz" sort of thing? And then at the end people can share their results and help each other where they missed stuff etc?
Am I understanding this correctly? :)
"and what's your point of view about the "live" hacking videos?? that's still illegal??"
- I think hacking a site regardless of them having a bugbounty program live for others to watch would be extremely frowned upon. Illegal, unsure. Assuming yes, perhaps I can get Amit to chime in here. :) However.. doing basic recon like just dorking/subdomain scanning? Now that's a grey area IMO because you could be seen as aiding other people (could be someone malicious watching you), despite you not actually doing any hacking yourself.
Now, if you had the above scenario with a group of trusted individuals and it was private? Probably ok. I like your thinking. :) (also noticed a slight UI bug with editing bugs :P)
I think Derek Rook did a livestream a few months ago where he did some basic recon on CrowdStrike bug bounty program.
It would definitely be interesting if someone does it, though i think no-one will actually bother to do so because it would reveal their private methodologies and tricks, etc. Also, bug-hunting takes a lot of time and patience, so also the videos would become way too long.
If the person doing the video has some financial gains, then he might do it else i don't really think anybody would bother.
i will reply later to develop some point but no i dont talk something like twitch with real "live" hacking but something like ippsec do on hackthebox. He record and publish the video later. So if we apply to bug hunting we can publish the video after the site accept to disclose the report but i understand what you mean. For the private group i really dont want something like that, the principal goal to all what i want to see is for educating/helping all people who have our passion :D To ice3man: Yeah but the goal is to share and if they dont want to show their "private" tricks/methodology so they arent the type of person who interest me. I think a lot of bug hunter ( 99% of them) forgot they arent researcher, they just used others real researcher's result and they can do that because those researchers dont have this capitalist/individualist mentality... Hopefully the real hacker community, the real skilled pentesters have the opposite mentality... Look Dave Kennedy, Ed Skoudis, Marcello(byt3bl33d3r), and all this guys, they share amazing tools and techniques, they help everyone!!!
Edited on 2018-11-10 at 08:29:12pm (GMT)
Perhaps as challenges grow and features on here I can introduce video answers? :) (I am working on a really big challenge with lots to play with, doing a video going through issues could be beneficial). Maybe I can get @LiveOverFlow to chime in here since he covers a lot of web stuff on his channel, would be awesome to see him tackling these challenges
Let me know your thoughts
Funny enough, I was just pitching this idea out last week. I would be willing to make a video like this!
Quick question: It's very likely the video will end up being 3-6 hours long (depending on how it takes me to find a bug; it's usually about that many hours for the first one). Should I keep the video unadulterated (except where I have to redact something) or should I try to cut the video down and just show a timer in the corner that corresponds with how long I've been looking.
My personal feeling is that it would genuinely be better if the video was left intact to help demonstrate just how much effort has to go into doing that initial poking around to find a bug.
I think it can be nice to film when you hunt for bugs, I know I like to watch ctf live and similar stuff, it gives me ideas. Once the bug is made public I think you could then post the video!