I’ve been thinking a lot lately about the different types of thinking, approach, and general mentality that different hackers bring to the table.
Broadly, there are two things that come into play: The level of experience, and the overall wiring of the hacker.
It’s an interesting subject in the bug bounty space because of the model… The first to find each vulnerability gets rewarded, and the reward is bigger for issues with more impact.
This little spurt of tweets led to the inevitable question from @0ctac0der — someone who has been in bounty hunting for a long time and whom I consider to be a particularly thoughtful person:
The question of “best” is a fascinating one… The more QA-focused testers often find a larger volume of lower-criticality vulnerabilities that the Impact-focused testers don’t have time to go and find, because they’re occupied with the more complex exploitation that’s often involved in higher-impact vulnerabilities.
To be continued…