Quick update around automated testing
We just added the following guidance to the program brief today; feel free to reach out to firstname.lastname@example.org if you have any questions!
- Please DO NOT use automated vulnerability scanners when testing against the in-scope targets (Zap/Burp/Acunetix/Nikto/Nessus/etc) - all of these tools have already been run, and are run on a recurring basis internally. Running any tools of this nature is largely a waste of your time and resources.
- However, you ARE encouraged to run any custom scripts or fuzzers that you have developed (e.g. niche file or directory wordlists, etc.); please keep the requests from these tools to UNDER 50 requests per second.
- In short, we strongly encourage researchers to perform manual testing - this is where you're much more likely to achieve success, and it is a much better use of your time and resources than running common tools that have already been used extensively against the in-scope targets.
- Please be aware that submissions found using pirated software will not be rewarded.

Good luck, and happy hunting!