October 6, 2023 at 10:49AM

Thought of sharing: There are high chances that I will reject a candidate in an interview if they are a bug-bounty hunter.

Following are some reasons that apply to most, but not all, hunters.

1. They are technically not sound. They only have limited information about the bugs they identify, and they usually identify only web-based attacks or sometimes mobile app bugs.

2. They are mostly checklist- and tool-reliant people.

3. They know very few bugs and start spraying them across multiple targets. They are nuclei attackers (maybe this is the right term to associate with them).

4. They almost always omit hard bugs. They go for easy, rewarding bugs, and not for zero-days or tricky RCEs.

5. Most hunters cannot perform a pentest, since they're good (though not in depth) at a specific bug or set of bugs.

6. Most of them are not researchers (as they are often called). They do not have patents, CVEs or published research.

On the other hand, some top CTF players are excellent, and those who perform research are good for the job.

In an interview, I ask the candidate what vulnerability class or type they are comfortable with. They choose the easiest, like IDOR or XSS or even SQLi, and these are almost always web-based attacks.

And then I ask them to tell me what mutation XSS or universal XSS is. Their reply: we know reflected and stored, and a bit about DOM (since they automate DOM).

For SQLi, 90% rely upon SQLMap. The remaining use single-quote combos.

If this skillset is at my gate, I'll choose to outsource through HackerOne, since they have bounty hunters.

I would need something more professional in the organisation to find issues, because our goal is not to protect against nuclei templates but against nation-state APT groups.