hacker101.com and join the community Discord. There's a ton of Bug Bounty hunting content on the internet. Plenty of room to explore and find your niche.
I can't find the article right now, but I remember reading an article many years ago on Wired about the Obama campaign and their use of targeting and "big data". Really interesting stuff about how they were buying TV spots and the Romney campaign couldn't figure out why, and how their use of technology was a massive advantage.
I'm having trouble articulating this, so bear with me.
In general, having a Bug Bounty program is good. We can agree on that, right?
Most Bug Bounty programs have a scope, and staying inside the scope is important to the business for reasons. My guess is that most scopes are defined by a combination of confidence in the security of the code, resources to triage vulnerabilities in that part of the code, and the risk to the business from vulnerabilities found in different parts of the code.
That is to say, I suspect that either Valve doesn't have many developers well versed in that part of the code base, or they are not confident in the security of that code base, or they considered it a low priority (even if we disagree about the priority of this vulnerability).
Now, let's pretend that I'm right about those reasons. Even further, let's pretend that they did not include it in the scope because they don't want to pay a bunch of bounties on code they knew was insecure.
(Aside, I'd much rather have companies only include things in bug bounty programs once they're confident they are secure, relying on BB to do your security for you is begging for trouble because then the company isn't taking responsibility for, or even trying, to do things securely)
Given this train of thought, which is making more than a couple assumptions, I don't think their actions are extremely bad or pointless. They are trying to keep their bug bounty program in scope. Bug bounty programs involve a fair amount of trust. If that trust is broken and they don't want that researcher anymore, then that's fair.
There probably should have been better communication. It probably (definitely) shouldn't have been a WONTFIX. Overall, terrible outcome for everybody.
It's just one of those things where every decision looks reasonable in isolation and leads to a really bad outcome and the company looking terrible.
Retailiated as in he was banned from their bug bounty program. The program with a scope that they went outside of. I think it's reasonable to be banned.
Obviously it would be better if Valve fixed the issue and gave a (possibly reduced due to out of scope) bounty.
The researcher can still disclose it, they just aren't going to get permission to disclose it on the Hackerone program. Most things out of scope don't get publicly disclosed as far as I know.
b) Researcher reports vulnerability that falls under X
c) Since it's out of scope, it's closed as N/A
d) Report is locked because company doesn't want to publicly disclose a vulnerability in their system via the Hackerone platform
What's the problem here? Just go with normal vulnerability disclosure. Bug bounty programs are a two way street, and respecting the scope is part of that.
Edit: I guess the important part is that the researcher was then banned for disclosing the report. Seems reasonable, honestly. I don't agree with it, but I understand it.
My guess is that their traction and market dominance are far more fragile than you think. Because their drivers are contractors and not employees, they can't be forced to only work for Uber, so even though they created the pool of drivers, they have not "captured" them. So a huge cost is the ride subsidies which maintain their market position. Once the ride subsidies end, there is no reason that a locally focused company can't compete for the same drivers and riders.
From what I've read, when Uber started their app technology was borderline magical (pushed the boundaries of what smartphones could do), but since that's no longer the case, there is much less of a barrier to entry.
I want to make sure that I understand your analogy.
- The right to secure encryption is like the right to bear arms
- Government mandated weakened encryption are like gun control
- The victims of weak encryption (stolen data for example) are similar to innocents harmed by gun control? (I'm not sure on this one, please correct me if I'm wrong).
- Saying weak encryption is bad is like saying gun control is bad
I'm not trying to straw man you, if that's not what you mean, please correct me.
I don't think you need a conspiracy to get to a place where in aggregate the decisions of people in control create or perpetuate a poor underclass.
Just like some companies make decisions for the benefit of the next quarter, rather than the next 5 years. If you are able to make a decision that increases near term metrics, at the expense of some other metric you aren't even paying attention to (like making poor people poorer) I can see that happening independently thousands of times a day.
Take payday loans, more commonly used by people with a lower socio-economic standing. They aren't there to create an underclass, they are there to provide a service (loans) at a cost that matches the risk (ignoring the conversation about the cost not matching the risk due to predatory loans). But if decisions are made to increase profit from payday loans, a natural consequence is that the underclass is going to be made more of an underclass.
This is just one example, and it's clearly got some issues. I have no problem imagining many other decisions that will help create an underclass. Maybe the impact is 2 or 5 steps removed, but each one makes a difference, and leads to in aggregate "the rich work to keep the poor, poor".
But what do I know. I'm a developer who took one econ course.
> 3. 10x engineers laptop screen background color is typically black (they always change defaults). Their keyboard keys such as i, f, x are usually worn out than of a, s, and e (email senders).
I doubt you would get a positive reaction because listening to music isn't considered a problem. There might be a lot of reasons for that, one of them might be that most people don't sit and exclusively listen to music.