ugh, I have been reminded that bug bounties exist. you could not pay me enough to be on the triage team for a bounty program. talk about a recipe for disillusionment.
@gsuberland bug bounties aren't real, it's just bits of coconut
@gsuberland I’ve done cover for our security guy in a previous job. So much junk along the lines of “your web server is saying what version it is”.
Yes. Yes it is. Were you able to do anything with that information other than establish there are no known exploits for that version?
read badger's AI article, eh?
@gsuberland I feel really bad for the teams who are inevitably dealing with ChatGPT-sourced bounty submissions...
@SnoozyRests yeah apparently there was an article about that today, and this post was inspired by 0xabad1dea posting about it earlier:
@SnoozyRests and yeah, look at this shit:
@gsuberland Christ alive, the fact they just keep digging. Patience of a saint you got there @bagder !
@jon the mountains of junk reports are definitely a major factor for why running them sucks, but it's also the constant adversarial / near-gaslighting tone from folks who've found something but want to hype the impact as hard as possible to get a big payout. it's also not unusual to have people sending you sob-stories about poverty, to try to get a small payout on a fairly useless report, and since there's no way to know whether they're true or not it just wears you down hard.