In this seventh episode of Access Control, a podcast providing practical security advice for startups, Ben Arent chats with Ben Sadeghipour (AKA [@NahamSec](https://twitter.com/NahamSec)), Head of Hacker Education at [HackerOne](https://www.hackerone.com/) and hacker by night. This episode is a deep dive into how startups can leverage the power of crowdsourced hackers to find bugs and security issues in their apps. Ben Sadeghipour has found over 685 vulnerabilities in major sites such as Snapchat, Airbnb and even the U.S. Department of Defense. HackerOne helps companies by providing tools for response assessments and for running their bug bounty programs.
If anyone ever wants to ask Ben questions about bug hunting or bug bounty programs, you're always welcome to reach out to Ben at [@NahamSec](https://twitter.com/NahamSec), https://nahamsec.com/ and on his [Discord](https://discord.com/invite/ysndAm8).
Key topics on Access Control Podcast: Episode 7 - Hacker-Powered Security
- Bug bounty programs and vulnerability disclosure programs are similar, except the first pays and the second doesn't.
- The scope of bounty programs usually encompasses a company's main application, i.e. its production sites. What is out of scope is mostly third parties.
- Rules of engagement depend on the bug bounty program and the company.
- Some programs pay for credential stuffing, but not for phishing since companies don't want you to phish their employees and customers.
- How much hackers are paid in a bug bounty program is entirely up to the company and depends on its budget.
- Bug severity is determined by a combination of the vulnerability type, how critical it is, and the asset itself.
- Hackers care more about how fast they get paid than about how quickly the company fixes the issue.
- A bug bounty program doesn't make you a bigger target.
- Building a public bug bounty program depends on the product and size of the company.
- Improving input validation reduces the number of bugs introduced.