Call To Action For A Computable Bug Bounty Report Era #693
Replies: 5 comments 6 replies
- @toufik-airane this is awesome, we can see the potential in this and possibly solves but is not limited to
- I think that Nuclei should support threading also
- Well, most companies do follow this rule, but for better accuracy in reproducing or discovering the issue it is sometimes necessary to use third-party software.
- Is there any documentation related to the Nuclei source code?
- Dear Nuclei community,
I would like to call your attention to getting Nuclei adopted in the interaction between application security engineers and bug bounty hunters. I would love to see those communities collaborate to further shape the cybersecurity postures of organisations. 💙
Background
Statement 1 - The DevSecOps paradigm is a model where developers, application security engineers and site reliability engineers work in collaboration to develop, secure and scale applications. Alongside them, bug bounty hunters bring cognitive power to find and report security bugs and misconfigurations. DevSecOps brings automation to the state of the art when teams can talk the same programming or declarative configuration languages, such as Terraform.
Statement 2 - A proof of vulnerability (or a proof of concept) is a natural language story that describes the manual step-by-step process to successfully exploit a vulnerability.
Statement 3 - An organisation that is running a bug bounty program sits on a private goldmine of security reports.
In sum, these reports become an informational legacy for cybersecurity responses and postures.
Problem
Problem 1 - Triage teams and application security teams have to reproduce the proof of vulnerability steps to validate security reports: it's a time- and energy-consuming process.
Problem 2 - Once resolved, security reports become sleeping data, no longer exploited, just a space for oblivion.
Call To Action
So today I would like to encourage my fellow
The Nuclei engine empowers us to talk the same language and transform a sleeping giant into a computable cybersecurity model.
If you are with me, react with 🚀.☺️
I hope to read your feedback and comments.
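To make the proposal concrete, here is what a "computable" version of a resolved, low-severity bug bounty report could look like as a Nuclei template. This is a constructed example added here; it is not a template from the Nuclei project or its template repository, and the template id, report reference URL, author handle and target path are placeholders. The idea it illustrates is that the natural language proof of vulnerability lives in `info.description`, while the reproduction steps live in the `http` section as matchers, so triage can re-run the report instead of re-reading it, and the fixed issue can be re-checked on every deploy as a regression test.

```yaml
# Constructed example of a "computable" bug bounty report expressed as a
# Nuclei template. Identifiers below (id, author, reference URL, path) are
# placeholders, not real report data.
id: bounty-report-PLACEHOLDER-missing-hsts

info:
  name: Missing Strict-Transport-Security header (bug bounty report PLACEHOLDER)
  author: example-hunter            # placeholder: the reporting hunter's handle
  severity: low
  description: |
    Original proof of vulnerability (natural language, as submitted):
    1. Request the application root over HTTPS.
    2. Observe that the response carries no Strict-Transport-Security header,
       so browsers are never instructed to refuse plaintext HTTP for the host.
    Resolution: the platform team added an HSTS header with a one-year max-age.
    This template re-runs the check so the fix can be verified continuously.
  reference:
    - https://bounty.example.com/reports/PLACEHOLDER   # placeholder report link
  tags: misconfig,headers,bounty-report

http:
  - method: GET
    path:
      - "{{BaseURL}}/"        # placeholder path from the original report

    # Both matchers must hold for a finding to be raised.
    matchers-condition: and
    matchers:
      # The page must actually respond; a 5xx or redirect loop is not the bug
      # the report described and should not be counted as a regression.
      - type: status
        status:
          - 200

      # Negative word match: raise a finding only when the header is absent.
      # The report is "resolved" as long as this template produces no output.
      - type: word
        part: header
        words:
          - "Strict-Transport-Security"
        case-insensitive: true
        negative: true
```

Run against a staging host with `nuclei -t <this-file>.yaml -u https://staging.example.com` (placeholder host); an empty result set means the report's finding is still fixed, while a hit is a regression that can be routed straight back to the original report reference. The `negative: true` matcher is the key design choice: the template encodes the absence the hunter observed, so the same file serves as the proof of vulnerability at triage time and as the regression check after remediation.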