
Taking over Heroku accounts - aburan28
http://esevece.github.io/2016/06/01/taking-over-heroku-accounts.html
======
whamlastxmas
What is someone's motivation for finding stuff like this? I assume they just
have some sort of innate satisfaction from finding vulnerabilities, sort of
like solving a puzzle?

It seems hard to believe money is the motivating force, since the bug bounties
are pretty low and I'm sure the $/hour is super low unless you're some sort of
penetration tester wizard.

~~~
esevece
In my case, the motivations are money and freedom. I enjoy doing it, but if I
didn't make money I wouldn't do it. My only income is what I make participating
in bug bounty programs.

Context: I live with my parents, I'm not married, I don't have kids, I didn't
go to university, I don't have a CV good enough to get a job where I would
earn as much money as I do from bounties (unless in my country), and I work on
personal projects which wouldn't allow me to commit 8 hours a day working for
a single company.

~~~
whamlastxmas
If it's not too personal, how much do you make in a month and year? How much
does that vary? How good would you rate yourself at doing this? Do you work a
lot with a small group of companies or do you do it for tons? How long does it
take on average per bug?

~~~
esevece
There's no fixed income, and this year I haven't even got close to 10,000. How
much it varies depends on how much time I spend and how much the companies
consider paying me at the time of giving the reward for a bug (if I find one,
of course). I'm not good at rating, but I'm sure I'm not good at doing this.
Usually I look for bugs in companies whose products/services and/or security
team I like, and usually I choose the ones I think would be fun to find bugs
in. I'm not able to answer the last one because I don't time how long it
takes to find a bug, but I can say that it takes time (it takes more time
when you are tired :D).

~~~
whamlastxmas
Ah okay, I got the impression you were getting a full-time livable income from
doing this, which seemed like it would be really hard to do even for someone
who was really good at it.

------
CameronBanga
Nice, simple explanation of an attack. Walks you through every step along the
way. A+.

~~~
esevece
I'm glad you liked it! I wasn't sure that it was well explained.

