Blaklis

@Blaklis_

Followers: 10K · Following: 572 · Statuses: 3K

Infosec web frenglish speaking guy. CTF player with The Flat Network Society. Security researcher & bug bounty hunter.

Joined November 2017
@Blaklis_
Blaklis
2 days
RT @kevin_mizu: Thanks to the recent @PortSwigger top 10, I finally found the motivation to finish writing the 2nd article about DOMPurify…
@Blaklis_
Blaklis
3 days
@brokenpacifist that's a classic to learn in every school :>
@Blaklis_
Blaklis
3 days
@vulnano Which changes nothing - the triage system is the same on both, and they're overwhelmed in general. And it's been a long time since private invitations were restricted to people that demonstrated real added value, also.
@Blaklis_
Blaklis
3 days
This report illustrates a top problem for me, yes. The pressure that is put on both triage and mediation service by such things is causing a massive degradation of service, for everyone, and has made triaging a painful experience. As for trying to guilt trip me: I'm spending (and I spent) a lot of my time to be helpful to "newbies", as you say. That doesn't change that I don't think it's a good idea to let them use a platform as a sandbox to learn. As in most fields: first, you learn everything you need, and only then you work. I don't see why it should be different for bug bounty, why people consider it's ok to make people lose their time, and even more why people consider it's a given that it's on others to educate them and fix their errors. Not to mention that responding to an issue by saying there are other issues doesn't cancel that issue, whatever. This is a stupid reaction imo.
@Blaklis_
Blaklis
3 days
It's not like I'm advocating on how to defend your bugs all the time, to avoid that. I literally manage communities and talk about that all the time. Once you get a few programs you're used to working with, that's something that doesn't happen very frequently. Not really a top problem to me. Platforms' general issues are, however, a real deal to me.
@Blaklis_
Blaklis
3 days
@DKidolle This is a platform to connect professionals, not a beginner playground. Locking accounts of low quality researchers for a few months + giving them some resources to learn is much better than letting them consider the platform as their training resource.
@Blaklis_
Blaklis
3 days
They might - but I don't think the model is currently pushing for that and they'll probably just hit a wall instead, and I don't think either that's a good reason to let them lower the quality for everyone. Once again, this is a platform to connect professionals - and at some point, either you're restricting registrations, or you're applying sanctions to filter low quality stuff asap. Sanctions on repeated low quality stuff sent would both be reflected in the profile (rep loss, signal), and eventually lead to a temporary ban + giving a handful of resources for the learning phase.
@Blaklis_
Blaklis
4 days
@NahamSec Clearly - and I guess doubting is not a bad thing in such a field :>
@Blaklis_
Blaklis
4 days
@midwestneil @CMD_0_0 I guess it's all platforms, and that's a marketing issue. Better to present that you have hundreds of thousands of researchers instead of a few hundred skilled people?
@Blaklis_
Blaklis
4 days
@Masonhck3571 Not surprised, and a shame. Platforms should start fighting against that actively - applying sanctions (both applying the correct status, NA/Spam, instead of Informative + temp locking ppl and redirecting them to learning platforms)
@Blaklis_
Blaklis
4 days
@CMD_0_0 If we want the field to grow, that's by not giving the impression everyone can do it. That asks for a deep learning phase that can't be avoided. Maybe it's not a good thing to let them hunt and hit a wall every time - pretty sure that hurts them more than anything
@Blaklis_
Blaklis
4 days
@CMD_0_0 Of course - but that is not a playground. Temporarily locking the users and redirecting them to learning resources would be ideal - and triage is overwhelmed by the number of low quality reports like that, so this is def an issue.
@Blaklis_
Blaklis
4 days
@CMD_0_0 It's not normal to start bug bounty with 0 knowledge and 0 experience. Maybe we should stop normalizing that; this is a professional platform, not a playground for beginners
@Blaklis_
Blaklis
4 days
@CMD_0_0 For that - this is a platform issue. They can correlate low quality reports over all the reports they sent; you can't!
@Blaklis_
Blaklis
6 days
@kevin_mizu Well deserved! Congratz!
@Blaklis_
Blaklis
6 days
RT @kevin_mizu: Such a pleasure to be part of the top 10! Thanks a lot to everyone who voted for my article. I hope to bring new and intere…
@Blaklis_
Blaklis
6 days
RT @PortSwiggerRes: The results are in! We're proud to announce the Top ten web hacking techniques of 2024!
@Blaklis_
Blaklis
14 days
@PuneetT41564686 @rez0__ Luck? No, not really. The "luck" you mention is totally provoked ;)
@Blaklis_
Blaklis
17 days
@thezdi @SinSinology @SummoningTeam Congratz @SinSinology, well deserved win! :)