TommyBoy

But the pendulum will swing again and eventually most people full slopping the programs will get demotivated because they use all their usage to dupe off other hunters.

Regardless of how you spin it, it will always be a net profitable venture to host a BBP. You instantly get access to 1000's of top minds in the space all constantly poking your apps. Without guaranteeing having to pay most of em anything.

The math hasnt changed much it's just the scale due to mass unemployment + 1000s of inexperienced new hunters taking a stab at it because it looks like "free money"

Common theme, everyone's bugs getting accepted / fixed just not paid for 5-6+ months

twitter is harassing me again claiming i show signs of an 'inauthentic account'. i don't understand what the issue is, i literally just come on here, say random things and don't come back for weeks at a time.

behaving in an ethical manner is a two way street

fuck it that was a fun bug ill post the poc video the product is only supposed to allow browser access to external sites. the built in browser was very locked down at a network level. on one random run, i saw the agent fail, and try to invoke curl...

once i saw it try curl i was like well okay thats the angle... however the agent and the platform had other built in checks to block azure metadata access. but i know curl can follow redirects, so i had the agent try to hit a different domain and redirect it.

if i had a penny for every time i heard a researcher get boned by the msrc i would be retired i think

so once network level checks at the browser level were no longer in the way i just had to get the agent to pull from azure metadata. 2 problems. 1 the agent is semi aware of things (oh thats a metadata endpoint) 2 azure requires Metadata: true header

oh hey like my ssrf to hit internal azure metadata that did not meet the bar for a security vulnerability but the security team will fix

basically ssrf in one of the copilot implementations that was only supposed to have access to a browser, and local network access. the hard locks prevented ssrf to local networks via the browser, however they didn't consider that the agent would use curl if asked.

everything i don't want to pay for is social engineering: the movie

I tell everyone to report and forget but then i report and hang on to one report for months with no response from the team increasingly feeding my anxiety spiral