Art Of Auditing
  • ๐Ÿ‘‹Preface
  • ๐Ÿง™Sages
    • @lonelysloth_sec
    • @bobface16
    • @zigtur
    • @J4X_Security
    • @0xEV_om
    • @cergyk
    • @akshaysrivastv
    • @kankodu
    • @gjaldon
    • @riproprip
    • @pkqs90
    • @DadeKuma
    • @EgisSec
    • @BowTiedDravee
    • @Draiakoo
    • @windhustler
    • @santipu_
    • @winnie
    • @Guhu95
    • @_blockian
    • @neumoXX
    • @Alex the Entreprenerd
    • @bahurum
    • @__nnez
    • @0xadrii
    • @deliriusz_eth
    • @el_hajin
    • @rootedrescue
    • @merkle_bonsai
    • @n4nika_
    • @Trungore
    • @m4rio_eth
    • @iamdirky
    • @Czar102
    • @csanuragjain
    • @0xFrankCastle
    • @Al_Qa_qa
    • @Haxatron1
    • @0xMinhT
    • @0xT1MOH
    • @Said
    • @0xSorryNotSorry
    • @NonseOdion
    • @0xArzzz
    • @abarbatei
    • @tpiliposian
    • @0xjuaan
    • @MrPotatoMagic
    • @krikoeth
    • @zzykxx
    • @bauchibred
    • @00xSEV
    • @0xCiphky
    • @peak_bolt
    • @pks_
    • @Stalin_eth
    • @0xb0g0
  • ๐ŸงฑTHE WALL
    • ๐Ÿ“–WALL OF WISDOM
Powered by GitBook
  1. Sages

@bobface16

Previous@lonelysloth_secNext@zigtur

Last updated 4 months ago

Words of Wisdom

๐Ÿง™
@bobface16
Page cover image
Cover

"Audited codebases"

Regarding bug bounties, almost all codebases have been previously audited, often by leading security firms.

Donโ€™t let that fool you into thinking they are bug-free. Some of my biggest bounties have been in projects that have been audited extensively and yet still were vulnerable.

Approach each codebase as if it came fresh from the developers.

Cover

"Be prepared to negotiate"

Identifying a bug, writing up a PoC, and reporting it is only the first half.

The second half commonly involves quite a bit of discussion and negotiation.

Learn how to express complex technical situations, how to present a well-founded case, and how to professionally negotiate.

Cover

"When to stop searching"

At which point do you stop searching a codebase for bugs?

Try to understand the system to the point where you could reimplement it from scratch without looking at the original codebase. Not from remembering the code, but from having understood what the application is supposed to do.

If you have examined a project that far and have not found a bug, the chances of finding one by continuing is low. On the other hand, if there was a bug in there, you would have most likely found it.

Cover

"How to improve your skills"

Theoretical knowledge is important, but nothing trumps practical experience.

Develop your own projects and observe areas of security concern, participate in CTFs, and build PoCs for past exploits.