- Hive Five
- 🐝 Hive Five 139 - Challenges and Benefits of the Bug Bounty Ecosystem
🐝 Hive Five 139 - Challenges and Benefits of the Bug Bounty Ecosystem
Greetings from the hive!
When you’re building online, do it backward. Start from the end-user experience.
Amazon does this well. For new initiatives, a product manager writes an internal press release announcing the finished product. It has to be short and sweet, so less than a page and a half.
Then, if the benefits listed don’t sound very interesting or exciting to customers, they’ll keep iterating until they do or scrap it.
Let’s take this week by swarm!
🐝 The Bee’s Knees
DEF CON 31 - Weaponizing Plain Text ANSI Escape Sequences as a Forensic Nightmare by STÖK. He spent over a year researching and digging into this bug class that’s been dormant for almost 2 decades, and this is just the beginning… YOUTUBE
Helping 3M+ children receive diapers with Ruby. Sean Marcia shows how his project, Human Essentials, and Ruby for Good helps children. YOUTUBE
Phineas Fisher, Hacktivism, and Magic Tricks. It’s said that a good magician never reveals their secrets. Computer hacking is a particularly good type of magic trick, and for the most part, hackers don’t reveal their secrets either. ISOSCELES
DEF CON 31 War Stories - A Series of Unfortunate Events by Ben Sadeghipour and Corben Leo. This talk includes a series of favorite hacking stories. YOUTUBE
Research investigating Bug Hunters’ Perspectives on the Challenges and Benefits of the Bug Bounty Ecosystem. Of 54 factors listed, earning higher reputation points on a bug hunting leader board was one of the lowest-ranked benefits. USENIX
Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!
Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.
Noir v0.7.2 is an attack surface detector form source code: Fixed #95 (Add exception of Dir.glob). GITHUB
FFuF v2.1.0 is a Fast web fuzzer written in Go. There’s a good bunch of new features as well as some smaller fixes. GITHUB
jswzl 2023.3.6 is now out: Filter requests by scope, improved source map support, bug fixes and performance improvements TWITTER
Portswigger Web Security Academy released learning paths. The first two are Server-side vulnerabilities and SQL injection. PORTSWIGGER
Getting a Tech Job With No Qualifications. Marcus discusses how he got his first tech job without a single qualification and how you can follow a similar path to achieve the same. YOUTUBE
OSINT/SOCMINT entry level role (US time zone). TWITTER
A talk about taking UX design principles and ideas and applying them to resumes. YOUGOTTHIS
Understanding Equity As Part Of Compensation Packages. In this talk, they cover the different types of equity, how to evaluate/compare equity offers, what questions you can ask to get further clarity, and what to consider as equity vests. YOUGOTTHIS
Apply to become Google’s Security Engineer Intern of 2024. GOOGLE
Find out which hackers people look up to most. TWITTER
An XSS vulnerability was found in the chat during TASBot’s live stream of Super Mario Bros. 3. TWITTER
Apart from hacking, what else do you enjoy doing? For me it’s cooking, walking in nature, and listening to rap. TWITTER
Parenting Hacks Part 2: More Tips and Scripts from a Hacker Dad. REZ0
People sharing their most memorable security talks. TWITTER
Code Vulnerabilities Leak Emails in Proton Mail. In June 2022, the Sonar Research team discovered critical code vulnerabilities in multiple encrypted email solutions, including Proton Mail, Skiff, and Tutanota. SONARSOURCE
When URL parsers disagree (CVE-2023-38633). CANVA
Hacking Auto-GPT and escaping its docker container. An attack which leverages indirect prompt injection to trick Auto-GPT into executing arbitrary code when it is asked to perform a seemingly harmless task such as text summarization on an attacker controlled website. POSITIVE
Using AI for extracting Usernames, Emails, Phone Numbers, and Personal Names from large datasets. DUTCHOSINTGUY
How Secrets Leak out of Docker Images. TRUFFLESECURITY
dropboxignore allows you to exclude files from your dropbox using glob patterns and take advantage of existing .gitignore files. GITHUB
STÖK shares tips for a better stage presence, such as beginning with a hook and using images to tell the story. TWITTER
How to do hard stuff: write a one-pager, iterate until no gaps, and execute like crazy. TWITTER
Burp Suite 2023.10 is harder to fingerprint than earlier versions as it now sets ‘Accept-Encoding: gzip, deflate, br’. If you’re still blocked, you might bypass it by tinkering with your TLS ciphers using “Network->TLS -> Use custom protocols and ciphers” TWITTER
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@dannypostmaa | Danny Postma | Indiepreneur building AI startups in public.
@wesbos | Wes Bos | Fullstack Dev ❯ JS CSS Node | @KaitBos ❯ @SyntaxFM.
@DanielMiessler | ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ | sᴇᴄᴜʀɪᴛʏ | ᴛᴇᴄʜɴᴏʟᴏɢʏ | sᴏᴄɪᴇᴛʏFounder of Unsupervised Learning. Exploring the models, patterns, and ideas that prepare you for what’s coming next…
@florinpop1705 | Florin Pop 👨🏻💻 | Dev and YouTuber | Working on @iCodeThis.
@pudsec | Shaun.
To get around quickly on my machine, I use Raycast. The app makes it simple, fast and delightful to control your tools. Here’s their YouTube channel filled with useful tips. YOUTUBE
The CEO of Obsidian shares his personal Obsidian vault template. A bottom-up approach to note-taking and organizing things he’s interested in. STEPHANGO
Danny shows you how to create a Back to school Template in Obsidian. YOUTUBE
Ryan Holiday’s 3-Step System for Reading Like a Pro: “I don’t read fast. Speedreading is bullshit.” YOUTUBE
“Focusing is about saying no” - Steve Jobs (WWDC’97). An excellent short answer on the importance of “no” to get focused, and the effect on people. YOUTUBE
Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
DO NOT USE BUN (bun install is good dough) — there’s been a lot of excitement and drama surrounding Bun. Strager gives us a real world look at the tool. YOUTUBE
Kevin Kelly on Fame, Structuring Ideas, Writing Books, and Founding Wired Magazine. Kevin Kelly is one of the most important tech writers of the last half century. YOUTUBE
What’s new in HTML and CSS in 2023? The capabilities of HTML and CSS are always improving, and recently the pace has accelerated. YOUTUBE
Here’s a TIL for you: Michael Widenius is the main author of MySQL. He has three children – My, Max, and Maria – who inspired the names for MySQL, MaxDB and the MySQL-Max distribution, and MariaDB. WIKIPEDIA
OSS Insight is a powerful tool that provides comprehensive, valuable, and trending insights into the open source world by analyzing 5+ billion rows of GitHub events data. OSSINSIGHT
Some wisdom by TeacherGoals: “You are totally replaceable at work. You’re not replaceable at home. Home is your real life. Keep that perspective. Always.” TWITTER
Adam reminding founders to find a private group of other founder to be a part of. “You are suffering unnecessarily”, he says — I’d say that the same goes for creators and other groups. TWITTER
Hussein on moving at your own pace: “Everyone advances in life at his own speed. Don’t feel bad if someone you know did/got X and not you. Your day is coming, put in the hard work and celebrate soon.” TWITTER
Mario: The Infamous History of Level 5-2. YOUTUBE
I’ve recently found out that I thoroughly enjoy the mixture of country, blues, and soul. As portrayed in this performance by H.E.R. and Chris Stapleton performing Hold On (2021 CMT Music Awards). YOUTUBE
Defacto2 is a website committed to preserving the historic PC cracking and warez scene subcultures. DEFACTO2
People sharing what their favorite producer-artist combo is — What comes to mind is Justin Timberlake and Timbaland. TWITTER
27 Questions to Ask Instead of “What Do You Do?”. The article says to “Aim for questions that invite people to tell stories, rather than give bland, one-word answers.” BUFFER
Pollen is produced in the anthers of flowering plants. This fine powdery substance is made up of microscopic grains, each containing a male gamete capable of fertilizing the female ovule or seed. Pollen is transported to the female ovule by bees visiting flowers of the same species, and also by wind, other insects, and animals.
This bee fact is brought to you by The Beekeeper’s Bible: Bees, Honey, Recipes & Other Home Uses.
Subscribe to the Hive Five to read the rest.
Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.
Already a paying subscriber? Sign In