@ZeroK_____ I think if the user has enough money to play around with / burn, and the agent is built correctly such that it can target these "actual exploitable issues", then sure, why not.
Otherwise, no, as it is more than likely to be a perpetual negative ROI, and/or too risky.
@p6rkdoye0n But you can just ban the malicious peer that is providing falsified heights and sync w/o an issue post-ban?
Plus, the attacker can't do much with this if the workaround is so easy - even if they scale.
I also see an informational, and not a 0day or a 7.1 to be honest.
@mSanterre @mxcl @yacineMTB FYI, Chrome does not have the biggest bounties.
There are many $1m+ on @immunefi for instance, and a $3m got paid out <2 months ago.
> They are absolutely not worth millions lol.
They are extremely contextual, but they definitely are, if we are talking about vuln + exploit.
This post does not work in your favour my friend.
HTB literally state for CWES: "Successfully completing all web penetration testing activities is not enough" and "will have to prove they are market-ready and client-centric professionals" under their "Commercial-grade Report Requirement" heading.
99% of the people/companies who are your clients in the corporate world cannot understand the technicalities. They require generic / concise explanations on a report. The same logic applies to concise explanations on sections which should be deeply technical. Many different eyes see these reports. They need to be good and tailored to everybody (or whatever the relevant conditions are).
Your examiner's feedback is really good too. You should definitely be mad at yourself, and not HTB.
You could have 200 CVEs next to your name. That does not automatically translate into being able to construct good pentest reports, because of... language barriers which may exist, for example.
We triggered WhatsApp 0-click on iOS/macOS/iPadOS.
CVE-2025-55177 arises from missing validation that the [Redacted] message originates from a linked device, enabling specially crafted DNG parsing that triggers CVE-2025-43300.
Analysis of Samsung CVE-2025-21043 is also ongoing.
Hello,
I've received a bunch of notifications today about the "Block Blaster" ... pseudo-takedown that occurred in response to a group of individuals spearphishing and cryptodraining a cancer patient.
I appreciate everyone thanking me or giving me a congratulations.
I am not fully responsible for the actions which occurred. I did reverse engineer the malware and identify infrastructure, however any work done was accelerated due to a group of people.
When I announced I was going to look at the video game closer to determine if it was malware (it was malware), a person contacted me and spun up a group of like-minded people interested in examining Block Blaster closer.
Here are the cool and badass people I worked with:
- @zachxbt
- @John5725424446
- @andreee_eeeeee
- @escrow_
- @C4L38
- @downsin
- "J"
- Random nerds who provided "tips" to us
I've never really spoken with these people before, omit ZachXBT, but each of us was angry from what we had seen.
Before I get off for the evening I want to note that I am uploading Block Blaster to the malware library.
"./Samples/Families/Block Blaster"
I have also synced all samples in Triage and VirusTotal if you want to examine them closer. I noted the SHA256 hashes in a previous post.
The full technical report details how we took down the C2 infrastructure of Block Blasters drainer malware that @valvesoftware allowed on their platform. We spoke to the threat actors who had no remorse for stealing from a terminally ill cancer patient.
https://t.co/9tCnSGN1sx
tl;dr of today
> @rastalandTV gets crypto drained
> he has stage 4 cancer
> he's targeted specifically for his cancer treatment money
> loses $32,000
> nerds band together
> @ZssBecker donates $30,000 to him
> malware nerds come together
> drainer infra found
> pull all victim data from infra
> victims will be notified
> all malware flagged
> osint nerds come together
> find drainers info from their telegram ids
> find info from their steam ids
tl;dr tl;dr stage 4 cancer bro gets fucked over, 50+ nerds band together to undo the damage
fuck cancer
@jack__sanford $1 flat is best.
However, I think it should be conditional.
If the report is valid under any severity, you have $0.5 returned.
If the report is rejected, you lose the $1.
If you get info'd, you have the $1 returned.
It's not about "protecting" the criminals. It just isn't a good perspective.
1 - You need to understand that not everybody cares about how things should be done, or what should be followed, etc. Take the ransomware industry for instance. There are actors out there who ransom private hospitals. You think they care about proper channels? You will never change their mind. Also, laundering money and keeping a tight opsec is not exactly hard if you know what you are doing. They know they have the advantage, and they know what is possible and what isn't. That in itself allows them to have an ego in whatever way is possible.
2 - True. I personally think this contributes to the problem as it is from inaccurate judging and projects intentionally lowballing whitehats etc. It opens the door to this style of thinking.
3 - Why would they return all funds when they can guarantee the 10% and be in the exact same situation of criminal liability? Whether you keep all, return 90% or return all, you have the same legal problems. The act is done. They are all equal. Which one you deem as correct or wrong is irrelevant because it is subjective. You are already in a tainted context full of wrongs.
You need to remember they have the cards in their favour almost always. No limits on scope. No limits on judging. Yet whitehats - within the same hunting context(s) - are limited by those two factors incredibly.
Blackhat activity will always exist, because it is also a moral and ethical problem.
Improving judging and making projects not lowball whitehats will decrease blackhat activity by quite a fair amount imho, but you won't ever remove the blackhats who simply don't care about anything and/or are reckless.
It's like trying to aim for no crime globally. Good luck.
Stay on topic [impossible challenge].
I don't need to understand your internal business affairs to tell you how absurd of a statement (for instance) "CertiK, Trail of Bits, OpenZeppelin and many other similar auditing platforms are not able to do the same so there won't be much of a competition" is. Anybody who does bug bounty (or overall red teaming or blue teaming) will understand why I'm critiquing a statement like this or the previous ones.
And no, your statements don't make sense because all of your posts are generically worded for hits. You then invoke delusional cybersec takes and that's why I'm calling you out on them. You don't see them as delusional because you don't have enough experience to be able to realise what is (or sounds) bs or not. It is extreme corporate / PR talk.
"and yesterday found a half a million dollar bug for this month which I'm reporting soon this week we'll see how that goes"
I wish you the best on the report, but why are you even mentioning it when the result isn't confirmed? It is irrelevant to mention. Invoking this doesn't add some guaranteed credibility to you, especially when you claim there are 30 other reports waiting. Even the best of the best can be wrong at times.
I genuinely wish you the best Ehsan. But I've been in cybersec for many years, and cybersec is full of liars and cert collectors who can't even ssh into a server or scan ports. People know this scene makes serious money.
Remember that how you word things and what you say directly shows whether you are living up to the truth or not. People who do this for a living can see right through this.
You have a softdev background. Your YouTube is all about AI creations and startups. Many of your X posts are wall posts which turn into hits. Your opsec is weak. You dive into solving the P=NP problem (per your LinkedIn) and you were interested in quantum field theory.
Respectfully, I have 0 info to believe you have good cyber security skills to the point you can write tweets like that.
You randomly pull up into web3sec with insane hopium claiming to outperform the big players from the get go.
Some of your statements don't even make sense.
This post is something I'd see on LinkedIn.
Nobody on this planet is going to claim they will find some new non-existing revolutionary bugs that others will not. What are you? A fake web2 cyber security CISSP holder?
You just entered the space, and you are posting like you have been here for many years.
I don't even want to flame you but this smells like BS and you keep making fake hit posts and it's getting a bit annoying.
I don't care about your Porsche 911 either LOL. How is this relevant to what I'm saying to you?
@0xSorryNotSorry I think they simply knew it wouldn't have been accepted - or expected it to be a rocky road at least - because it contained (technically) out of scope logic.
Projects just need to enable full scopes. It really is that simple. It has happened in web2 for many years as you know, and still nothing has changed.
WHs have a permanent disadvantage in finding bugs versus BHs.
Until that is fixed, all projects and companies will continue getting smoked unfortunately.
@huntoor I agree.
But, I mean, can you blame them for abusing this when the majority of platforms are not doing much to combat it?
No harsh penalties exist, so it indirectly supports this behaviour.