ugh, I have been reminded that bug bounties exist. you could not pay me enough to be on the triage team for a bounty program. talk about a recipe for disillusionment.
@gsuberland I’ve done cover for our security guy in a previous job. So much junk along the lines of “your web server is saying what version it is”.
Yes. Yes it is. Were you able to do anything with that information other than establish there’s no known exploits for that version?
@jon the mountains of junk reports are definitely a major factor for why running them sucks, but it's also the constant adversarial / near-gaslighting tone from folks who've found something but want to hype the impact as hard as possible to get a big payout. it's also not unusual to have people sending you sob-stories about poverty, to try to get a small payout on a fairly useless report, and since there's no way to know whether they're true or not it just wears you down hard.
@jon also, endless sealioning and bitterness from people whose bugs don't get a payout. and all the personality cult fanboi nonsense in the bug bounty "community", with all the arguments and harassment that brings.