Saturday 16 April 2016

Another brief **yawn** note

OK, so things are moving quite rapidly now and, to be honest, I'm truly overwhelmed with all this pentesting, from duplicate reports to writing detailed reports. You are literally learning every day, and the experts are 100% correct: web applications are completely full of holes. Rest assured I'm working hard in the background and will give this blog some much needed love when I get the chance.

I had my first confirmed bug last week. I've not asked for public disclosure yet but will do in the future, although now that I'm participating in these bug bounty programs I see why some researchers are at loggerheads over whether to publicly disclose their vulns or not. Well, watch this space.

Some things I've learned quickly

  • Do not underestimate the power of reading publicly disclosed vulnerabilities.
  • Do not underestimate the knowledge you get from reading The Web Application Hacker's Handbook [the PDF didn't help; I needed the physical book for sure].
  • OWASP Top 10.
  • The wide range of deliberately vulnerable apps [Mutillidae, DVWA, bWAPP, WebGoat etc.].
  • Be patient: there are lots of bounty hunters, but there are more than enough bugs for everyone and they won't be going away anytime soon.

Some annoyances I've come across

  • Vendors paying out for bounties which are out of scope. While it's good that vendors pay and/or acknowledge bugs that are out of scope, just think what's been missed by researchers who didn't know a particular domain was in scope.
  • People begging for bounties. Yes, we all need to eat, and I'll be the first to say I'm doing this firstly for the money, but as each day goes by and I'm seeing more and more bugs in applications I use, I see why people also do this not for the money but for the benefit of everybody involved.

Finally

Nobody was born (as far as I know) with the ability to walk or run. Yes, we had the means to (legs), but we had to learn first (knowledge). This applies in this field too. In a nutshell:

Beginners:
don't try to run before you can walk.

Experts/seniors/elders:
we all have to start from somewhere.

Peace