Some things that happened to me while doing Bug Bounty:
1. Downgrading the score of a vulnerability that was previously reported twice and rated as "Medium".
2. Reporting to an open source project: they see the bug, they remove all the files from their Github, bump up the version, then tell me that I've found the vulnerability in an older version.
3. The program imported all the existing bugs into the platform, afterwards marked them as duplicates once they got reported.
And the list goes on; the lesson is simple, never hack for free. All the best for you and your family, Jason.
@official.sirhaxalot · 2 months ago
I got repeatedly fisted doing bb. Wrote a blog about it if you're interested?
@incognitoworth1205 · 2 months ago
This is f*cking true
@trevermcbride4041 · 2 months ago
I reported a vulnerability once that was currently working on the platform and allowed you to bypass MFA, and was told it's a duplicate vulnerability from an internal bulletin a year before I submitted it to them.
@bgorortayber · 2 months ago
@@trevermcbride4041 Name and shame!
@Studio23Media · 2 months ago
@@trevermcbride4041 YIKES!! That's embarrassing for them to admit. 😂
@asurhacks · 2 months ago
This kind of guy is worshipped by everyone in their respective field. Someone who speaks up against the odds. Mad respect to boss Haddix the legend.
@effsixteenblock50 · 2 months ago
Mad respect to Haddix for this truth telling. No doubt he's been conflicted about this stuff for a long time and is finally in a position where he feels like he can talk about it. Something else that needs to be addressed is that when researchers are continuously facing these BS practices, many of them might just opt to sell their P-1 / 0 days to a buyer that pays way more and with much less friction than the programs.
@huzaifamuhammad8044 · 2 months ago
I'm afraid some might even turn to the other side (black hat)
@handle_your_set · 2 months ago
@@huzaifamuhammad8044 IMO, that would be the appropriate response to corporate consolidation and research theft.
@youreabigguy · 2 months ago
@@huzaifamuhammad8044 This happens frequently, I know this for a fact.
@detecht · 2 months ago
Seeing you speak on this makes the rest of us feel like we can too. Thank you for having the courage to say what we've all been thinking. We love you, jHaddix ❤
@manufaleschini · 2 months ago
I love this talk and have the highest respect for Jason. He is one of the most brilliant minds in the Bug Bounty scene and such a wonderful human being. He doesn't have to fight for this community, he does it at will. I admire your support for the "nonames" and new hunters in the field. May God bless you and your wife. 🙏🏻
@WarmEmpanada · 2 months ago
Wishing the best for you and your family, Jason ❤
@TimHerbert509 · a month ago
Thanks for helping us up and comers! Prayers for your family.
@elite_fitness · 20 days ago
Jhaddix, you the man. You took big risks doing this but you did what is right and we appreciate you.
@brunoeligiopavesi6987 · 2 months ago
As usual, Jason's talks are always very interesting.
@youreabigguy · 2 months ago
It should be well known by now, never to short, be stingy with, get over on, or underestimate your hackers... When very talented researchers get screwed over, they begin to think that being a legitimate researcher isn't worth it, and go from reporting bugs to selling exploits on the black market.
@theodorekorehonen · a month ago
If the suits that run these ticketing systems think the people that generate the revenue used to pay their salaries should simp for them and, on top of that, be thankful for the privilege to work for them, I think marketplaces for bugs on the non-clearnet might just grow in popularity. Greedy people seem to manage to ruin everything.
@devz9530 · a month ago
Yes, I think this will be the next step for the bug bounty scene and corporates will be forced to react, either by bidding on the exploits themselves on the black market, or by creating a better marketplace solution that favors us hackers.
@zerocewl · 2 months ago
Awesome talk by Jason Haddix, thanks. And prayers to your family, Jason 🙏
@matt5721 · 2 months ago
Wow that's nuts about the traffic being monitored for the top 250. It would be petty cash to them AND create competition by paying those 250, but they discourage them instead.
@AlexbongoKurban · 2 months ago
Why do you think in the programs they request or require you to put a custom header with your username of the bug bounty program?
@matt5721 · 2 months ago
@@AlexbongoKurban So you just commented without watching? They're stealing from the top 250.
@sithrebel1548 · a month ago
@@matt5721 Cry harder
@XtremuZ · 22 days ago
@@sithrebel1548 Whenever some of them go rogue, let's see who cries harder.
@Thiccolo · 2 months ago
This needs to be put out there even more
@almc8445 · 2 months ago
Almost all of the issues here seem like they come from the same reason we have unions for regular employees… Hackers union anyone?
@TESTA-CC · a month ago
We have a hackers union... it's called code!
@almc8445 · a month ago
@ Code doesn't stop a race to the bottom for wages. That's exactly my point…
@PixelPulse_Playbook · 2 months ago
Some hackers create informative content, and that's a good thing. However, I believe that sometimes you need to stand up for your community. It's great content, and I respect you, bro.
@tobias8933 · a month ago
Thanks for speaking up! I discovered a high severity vulnerability in a well-known social media platform a couple of months ago. The triaging process was an absolutely ridiculous shit show. It took 6 months, included two interventions from the platform's support team, and right before the payout they decreased the severity rating, reducing the payout by 90%. 0/5 Never again.
@theodorekorehonen · a month ago
I'm assuming there's some forced arbitration thing so they can tell you to GFY whenever they pull their scam?
@evilcorp3037 · 2 months ago
Wow, really eye opening! Thank you very much
@shmo9943 · a month ago
Pissing off hackers is a very bold move
@official.sirhaxalot · 2 months ago
Putting personal shit to one side to work is the epitome of a professional. Excellent talk. I hope your wife recovers.
@2rx_bni · 2 months ago
No, it's deranged; they should have given him an out. Don't do this. It's unhinged.
@galloe · 2 months ago
@@2rx_bni Yeah, fuck that. A talk over my wife? There's no way in hell I'd ever do that.
@trustedsecurity6039 · 2 months ago
@@2rx_bni Totally!!! The worst is his "my kids are watching my other kids". WTF!!! Kids must be sad for their mom and this guy isn't even there for them... Bad parents, really!!!
@emarbeats6896 · 2 months ago
@@trustedsecurity6039 Seems like he's working pretty hard to provide for his family.
@johnandmegh · a month ago
Setting aside whatever their family dynamics might be, which might make it totally OK in his particular case… the caveat given at the beginning tacitly encourages the behavior of "I'd rather push myself past the normal point and do a worse job, than take time away for me and my family", which I believe is negative for most people.
@jhaddixP · 2 months ago
❤
@michaelr.3799 · 2 months ago
Thank you for doing this, wishing your wife a speedy recovery.
@mohamedmater1230 · 2 months ago
Wishing your wife a speedy recovery. Thanks JHaddix
@comosaycomosah · 2 months ago
Very hard to navigate. Appreciate you advocating for the little guy, always.
@tallst1 · 2 months ago
Glorified ticketing system
@EarthWalkerOne · 2 months ago
Bug Bounty is the same as the Better Business Bureau. Started by bad businesses to limit the number of lawsuits they receive...
@alextravine9422 · 2 months ago
It would appear to me that the bug bounty program is corrupted and should not be something to participate in.
@EarthWalkerOne · 2 months ago
Seems like all that really needs to happen is companies and especially Platforms being taught a lesson. Bounty platforms should also be anonymous, there should be no room for celebrity/favoritism or targeted monitoring. If we're in this to make things more secure and get paid, then bug bounty programs and platforms should really try to incentivize white hat behavior. If I'm not going to get paid either way, the world will become more secure by forcing companies to listen and practice security if their vulns are given away in alternative markets. If they're going to make getting compensated fairly difficult, you can just name your price elsewhere...
@SimonCas · a month ago
They want to play a game, we like playing games 😊
@robertbruce7686 · a month ago
Another excellent talk!!
@trailer-g1118 · a month ago
I have learnt something but I'm also discouraged about whether to start bug bounty or something else... please advise.
@ak1t4hax0r8 · 2 months ago
Amazing talk! Thanks for sharing, Jason!
@joygatewood8028 · 20 days ago
Question - at 4:03 Jason mentions that AI is being used to train on attack traffic and to build services out of it. Is it possible that AI is being used to become bounty hunters themselves?
@danishbhat1536 · 2 months ago
A wise man says wise things
@elite_fitness · a month ago
3 times Bugcrowd has said that my report was a dupe and a year later the vuln is still there. I also think a triager took my vulns and brushed me off.
@grakka72 · a month ago
Welcome to the WESTERN WORLD of capitalism. You deserve more credit for your work.
@jmz8086 · 2 months ago
Amazing presentation. Thank you!
@archkittens · a month ago
How can the contract bind you re: the submission if you received no money (consideration) for the submission? It is not illegal to sell unregulated information, and it's definitely not illegal to share unregulated information for free; the platforms and ultimately the customers are buying your right to do those things, and if they choose not to buy it your rights should be unchanged.
@TripleA679 · 2 months ago
This is why some would rather sell their discoveries on the dark web.
@TomPotato-f7v · a month ago
I'd drop everything to be at my wife's side, instead of worrying about using mild swear words at a talk that certainly won't change the world. But that's just me. All the best to you and yours, Mr Haddix
@elite_fitness · 20 days ago
I smell a little animosity; perhaps Jason was at the conference, hours from home, and she had to go get stitches. He's not a Dr. Have you been doing this dirty crap or something?
@0xbeven462 · 2 months ago
🎉 Great talk, though it may be undervalued. You illustrated valuable insights into shady platforms and the shit loads that occur to bug hunters, misrepresentation etc. Nice talk.
@mohamednasseribrahem · 2 months ago
I am starting hunting nowadays but I am a little afraid of this question: Will bug hunting decline or end with the rise of AI?
@TheStarcalibur · a month ago
They most probably think "that's their passion. They do it anyway, why should we pay for this?!" That is on so many sides just wrong and abusive. But I think it's also a hint about who these people are. And think about whether the hacking community should not branch out and make their own bug bounty site. They have all the expertise. Dear .... If you read this idea and start doing it, reach out to me and take me on board for sparking that process :) In a few years I will do it, bringing the right people together :)
@24bkdoor · a month ago
There are also organizations that wait for you to publicly disclose vulnerabilities and intentionally ignore your reports so you do so, and platforms that suggest bugs are not shared with customers but they are. The struggle they are faced with is the legal implications of not protecting their systems. Lately the pros of ethical reporting are outweighed by the cons. I hope your talk inspires change.
@shadowunifer · a month ago
This is why I'm extremely paranoid about how I submit bugs and tend to sell them instead. My time and skills are valuable.
@cosmin91ro · 2 months ago
You have my respect, man, but I was expecting a mention of wannabe hackers that throw shitty reports and spam both platform triagers and programs' security teams, hoping to fool them to get a $100 bounty.
@pcguy619 · a month ago
For real… or CVEs rated at high 9s that claim "code execution is possible" but are at most only memory corruption. POC or GTFO!
@nullvoid3545 · 2 months ago
Why not make a bug bounty "union" that instead acts as an intermediary between hunters and the platforms, taking the contracts for bug bounties. If the platforms won't take your bugs because you didn't sign a contract, then you now have a barrier for negotiating. The bugs can be sent to either regulators (does threatening to report a crime count as extortion?) or the company themselves, with the advantage that a group representative has a larger megaphone to (responsibly) disclose publicly that this company would not pay you under this more equitable arrangement. Best I got. But I think it's a better plan than hoping they simply choose to be less exploitative. (On the internet?)
@mattf.2142 · 25 days ago
This is the reason I didn't pursue these platforms. I literally signed up, and found an XSS attack on a site. It took me like 10 minutes. And I couldn't believe it. But when I submitted the report, they said it was already found. It probably was, as it was so easy. But why wasn't it fixed? And there's no proof. Fook that.
@AlexFlores-o5b · 2 months ago
Where can I sign up? Can't be worse than AT&T
@sysadmin1350 · a month ago
Great talk
@dosesandmimoses · 2 months ago
I brought this topic up to Dr. Hinton respectfully..
@monh964 · 2 months ago
This is sad, I think the black market is better
@regular3dguy830 · 2 months ago
Great talk!
@itsmemyme · 2 months ago
Let's implement some decentralized ID or attachment which can trace found instances and properly pay a percentage to the hunter
@zak6820 · 2 months ago
Wow, respect to Jason Haddix
@JoeRogansForehead · a month ago
I thought bug crowd was when more than 4 gay people formed a line?
@mwebsec · 25 days ago
🔥🔥🔥
@slussssy01 · 2 months ago
Love you Haddix
@biz1M · a month ago
Have seen BC employees stealing research (0day) then claiming the bounty on other targets leveraging the same tech stack. Repulsive behavior and blacklisted. Also seen employed hackers within firms share a 0day within the firm with strict instructions do duh, DO NOT LEAK to then be abused/leaked by said "future" employee who even went as far as asking on twitter for some bypasses for this very specific vector. BB is a scam.
@eyezikandexploits · 2 months ago
This is kinda messed up
@bughunter9766 · a month ago
3rd party shit happened to me, with full access to cloud read and write, with all the employees' data.
@eshayz · 2 months ago
Hackers being replaced by AI before GTA 6
@dosesandmimoses · 2 months ago
Also- the court systems - online.
@Zarnubius · 24 days ago
He should have named it "how to hack the hacking community"
@LewisCowles · 2 months ago
Very interesting, and definitely food for thought. Doesn't sound very realistic though. "Shitty customers" feels like "anyone who doesn't do what I'd advise".
@theodorekorehonen · a month ago
Do you work for one of these companies? Your comment really has this "I'm a middle manager whose only task is to throw a wrench in the works and feel self important" energy. Or perhaps you're just someone who personally trends towards the bootlicking side?
@myfaveyoutube · a month ago
my dude
@jnyc · a month ago
STOP HELPING THEM!! LET THEM EAT THE BUGS!
@AndreeaCe · a month ago
(Better now?) American Magnet ;))
@ruckica · 19 days ago
You're not getting any cash, that's for one
@usamaarshad1766 · 2 months ago
Rep++
@netbin · 2 months ago
/notes
@mrluke8264 · 21 days ago
Microsoft, the biggest IP thief
@k0ns0l · 2 months ago
YOLO :p
@0x5001 · a month ago
Bug bounty is a scam :)
@cyb0rgh4kr · 2 months ago
Freakin Jason HaddiX! Best wishes to your FAM bro @jasonhaddix