ITSPmagazine’s Marco Ciappelli and Sean Martin recently hosted Bugcrowd’s Senior Community Manager, Sam Houston, and two penetration testers who also double as bug bounty hunters, Jasmin Landry (@JR0ch17) and Darrell Damstedt (@hateshaped), on their podcast to take a deeper dive into the hacker community. In this episode, the group discussed the researcher community, the strategies Jasmin and Darrell use for bug hunting, hacker summer camp and the importance of ethical hacking.
Both Jasmin and Darrell are web application penetration testers who do bug bounties on the side, spending about 5-10 hours per week on them. Jasmin and Darrell agreed that, as researchers with limited time, it is important to have a strategy in place when approaching bug bounties. There are different opportunities available: different platforms, independent bug bounties run by organizations themselves, and both private and public programs.
Another important aspect of the researcher community is the experience of hacker summer camp. Throughout the year, events like BSides, Nullcon, and AppSec take place all over the world; however, arguably the biggest takes place over a week in Las Vegas at the height of summer. The combination of BSides Las Vegas, Black Hat, DEF CON and Queercon is affectionately known as "Hacker Summer Camp". All of these hacker-focused events are great opportunities for researchers to come together in real life and put faces to names (or faces to Twitter handles). These are community-building events that bring together some of the world's top researchers in one place to learn from one another, get different perspectives on hacking and, of course, have some fun.
And lastly, they discussed the idea and importance of ethical hacking. Earlier this year, Bugcrowd, alongside Amit Elazari, launched Disclose.io. Disclose.io is a clear legal framework designed to protect organizations and researchers as they engage in vulnerability disclosure programs. Establishing clear language before launching a program has a two-fold benefit: organizations feel safe and avoid situations such as extortion or reputational damage, while security researchers who are acting in good faith can report bugs without facing legal repercussions.
To learn more about the hacker community, why penetration testers and bug bounty hunters do what they do, why they love being a security researcher, what motivates them and more, listen to the entire ITSPmagazine Podcast.