🐝 Hive Five 139 - Challenges and Benefits of the Bug Bounty Ecosystem
Hi friends,
Greetings from the hive!
When you’re building online, do it backward. Start from the end-user experience.
Amazon does this well. For new initiatives, a product manager writes an internal press release announcing the finished product. It has to be short and sweet: less than a page and a half.
Then, if the benefits listed don’t sound interesting or exciting to customers, they keep iterating until they do, or scrap the idea.
Let’s take this week by swarm!
🐝 The Bee’s Knees
DEF CON 31 - Weaponizing Plain Text ANSI Escape Sequences as a Forensic Nightmare by STÖK. He spent over a year researching and digging into this bug class that’s been dormant for almost 2 decades, and this is just the beginning… YOUTUBE
Helping 3M+ children receive diapers with Ruby. Sean Marcia shows how his project, Human Essentials, and Ruby for Good help children. YOUTUBE
Phineas Fisher, Hacktivism, and Magic Tricks. It’s said that a good magician never reveals their secrets. Computer hacking is a particularly good type of magic trick, and for the most part, hackers don’t reveal their secrets either. ISOSCELES
DEF CON 31 War Stories - A Series of Unfortunate Events by Ben Sadeghipour and Corben Leo. This talk includes a series of favorite hacking stories. YOUTUBE
Research investigating Bug Hunters’ Perspectives on the Challenges and Benefits of the Bug Bounty Ecosystem. Of 54 factors listed, earning higher reputation points on a bug hunting leader board was one of the lowest-ranked benefits. USENIX
Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!
️💪 Sponsor
Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.
🔥 Buzzworthy
✅ Changelog
Noir v0.7.2 is an attack surface detector that works from source code: Fixed #95 (Add exception of Dir.glob). GITHUB
FFuF v2.1.0 is a fast web fuzzer written in Go. There’s a good bunch of new features as well as some smaller fixes. GITHUB
jswzl 2023.3.6 is now out: filter requests by scope, improved source map support, bug fixes and performance improvements. TWITTER
PortSwigger Web Security Academy released learning paths. The first two are Server-side vulnerabilities and SQL injection. PORTSWIGGER
📅 News
BSides CambridgeMA is a community-organized 1-day information security and hacker conference on November 18, 2023. BSIDESCAMBRIDGEMA
Applications for HackerOne’s Brand ambassador program are open. TWITTER
🎉 Celebrate
💰 Career
Getting a Tech Job With No Qualifications. Marcus discusses how he got his first tech job without a single qualification and how you can follow a similar path to achieve the same. YOUTUBE
OSINT/SOCMINT entry level role (US time zone). TWITTER
A talk about taking UX design principles and ideas and applying them to resumes. YOUGOTTHIS
Understanding Equity As Part Of Compensation Packages. In this talk, they cover the different types of equity, how to evaluate/compare equity offers, what questions you can ask to get further clarity, and what to consider as equity vests. YOUGOTTHIS
Apply to become Google’s Security Engineer Intern of 2024. GOOGLE
⚡️ Community
Find out which hackers people look up to most. TWITTER
An XSS vulnerability was found in the chat during TASBot’s live stream of Super Mario Bros. 3. TWITTER
Apart from hacking, what else do you enjoy doing? For me it’s cooking, walking in nature, and listening to rap. TWITTER
Parenting Hacks Part 2: More Tips and Scripts from a Hacker Dad. REZ0
People sharing their most memorable security talks. TWITTER
📰 Read
Code Vulnerabilities Leak Emails in Proton Mail. In June 2022, the Sonar Research team discovered critical code vulnerabilities in multiple encrypted email solutions, including Proton Mail, Skiff, and Tutanota. SONARSOURCE
When URL parsers disagree (CVE-2023-38633). CANVA
Hacking Auto-GPT and escaping its docker container. An attack which leverages indirect prompt injection to trick Auto-GPT into executing arbitrary code when it is asked to perform a seemingly harmless task such as text summarization on an attacker controlled website. POSITIVE
Using AI for extracting Usernames, Emails, Phone Numbers, and Personal Names from large datasets. DUTCHOSINTGUY
How Secrets Leak out of Docker Images. TRUFFLESECURITY
💡 Tips
dropboxignore allows you to exclude files from your Dropbox using glob patterns and take advantage of existing .gitignore files. GITHUB
STÖK shares tips for a better stage presence, such as beginning with a hook and using images to tell the story. TWITTER
How to do hard stuff: write a one-pager, iterate until no gaps, and execute like crazy. TWITTER
Burp Suite 2023.10 is harder to fingerprint than earlier versions, as it now sets ‘Accept-Encoding: gzip, deflate, br’. If you’re still blocked, you might get around it by tinkering with your TLS ciphers under “Network -> TLS -> Use custom protocols and ciphers”. TWITTER
🍯 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@dannypostmaa | Danny Postma | Indiepreneur building AI startups in public.
@wesbos | Wes Bos | Fullstack Dev ❯ JS CSS Node | @KaitBos ❯ @SyntaxFM.
@DanielMiessler | ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ | sᴇᴄᴜʀɪᴛʏ | ᴛᴇᴄʜɴᴏʟᴏɢʏ | sᴏᴄɪᴇᴛʏ | Founder of Unsupervised Learning. Exploring the models, patterns, and ideas that prepare you for what’s coming next…
@florinpop1705 | Florin Pop 👨🏻💻 | Dev and YouTuber | Working on @iCodeThis.
@pudsec | Shaun.
🚀 Productivity
To get around quickly on my machine, I use Raycast. The app makes it simple, fast and delightful to control your tools. Here’s their YouTube channel filled with useful tips. YOUTUBE
The CEO of Obsidian shares his personal Obsidian vault template. A bottom-up approach to note-taking and organizing things he’s interested in. STEPHANGO
Danny shows you how to create a Back to school Template in Obsidian. YOUTUBE
Ryan Holiday’s 3-Step System for Reading Like a Pro: “I don’t read fast. Speedreading is bullshit.” YOUTUBE
“Focusing is about saying no” - Steve Jobs (WWDC’97). An excellent short answer on the importance of “no” to get focused, and the effect on people. YOUTUBE
Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
🌐 Technology
DO NOT USE BUN (bun install is good dough) — there’s been a lot of excitement and drama surrounding Bun. Strager gives us a real world look at the tool. YOUTUBE
Kevin Kelly on Fame, Structuring Ideas, Writing Books, and Founding Wired Magazine. Kevin Kelly is one of the most important tech writers of the last half century. YOUTUBE
What’s new in HTML and CSS in 2023? The capabilities of HTML and CSS are always improving, and recently the pace has accelerated. YOUTUBE
Here’s a TIL for you: Michael Widenius is the main author of MySQL. He has three children – My, Max, and Maria – who inspired the names for MySQL, MaxDB and the MySQL-Max distribution, and MariaDB. WIKIPEDIA
OSS Insight is a powerful tool that provides comprehensive, valuable, and trending insights into the open source world by analyzing 5+ billion rows of GitHub events data. OSSINSIGHT
🧠 Wisdom
Some wisdom by TeacherGoals: “You are totally replaceable at work. You’re not replaceable at home. Home is your real life. Keep that perspective. Always.” TWITTER
Adam reminds founders to find a private group of other founders to be a part of. “You are suffering unnecessarily”, he says — I’d say the same goes for creators and other groups. TWITTER
Hussein on moving at your own pace: “Everyone advances in life at his own speed. Don’t feel bad if someone you know did/got X and not you. Your day is coming, put in the hard work and celebrate soon.” TWITTER
💛 Cross-pollination
Mario: The Infamous History of Level 5-2. YOUTUBE
I’ve recently found out that I thoroughly enjoy the mixture of country, blues, and soul, as showcased in this performance of Hold On by H.E.R. and Chris Stapleton (2021 CMT Music Awards). YOUTUBE
Defacto2 is a website committed to preserving the historic PC cracking and warez scene subcultures. DEFACTO2
People sharing what their favorite producer-artist combo is — What comes to mind is Justin Timberlake and Timbaland. TWITTER
27 Questions to Ask Instead of “What Do You Do?”. The article says to “Aim for questions that invite people to tell stories, rather than give bland, one-word answers.” BUFFER
🐝 Fact
Pollen is produced in the anthers of flowering plants. This fine powdery substance is made up of microscopic grains, each containing a male gamete capable of fertilizing the female ovule or seed. Pollen is transported to the female ovule by bees visiting flowers of the same species, and also by wind, other insects, and animals.
This bee fact is brought to you by The Beekeeper’s Bible: Bees, Honey, Recipes & Other Home Uses.