
Episode 459 - CWE Top 25 List

Josh and Kurt talk about the CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it's because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_459_CWE_Top_25_List.mp3

Show Notes
2024 CWE Top 25 Most Dangerous Software Weaknesses
Set of 9 Unusual Odd Sided dice - D3, D5, D7, D9, D11, D13, D15, D17 & D19

December 16, 2024

Episode 353 - Jill Moné-Corallo on GitHub's bug bounty program

Josh and Kurt talk to Jill Moné-Corallo about GitHub's bug bounty and product security team. It's a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_353_Jill_Mone-Corallo_on_GitHubs_bug_bounty_program.mp3

Show Notes
Jill's Twitter
Jill's Mastodon
GitHub Bug Bounty
Bug bounty scope
Eight years of the GitHub Security Bug Bounty program
GitHub NPM bug bounty find

December 12, 2022

Episode 337 - Security patches are getting worse - Dustin Childs from ZDI tells us why

Josh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk, which described a current trend of security patches that do not actually fix the underlying security problem. We talk about what this problem means, why it is happening, and what ZDI is doing to try to nudge the industry in the right direction.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_337_Security_patches_are_getting_worse_Dustin_Childs_from_ZDI_tells_us_why.mp3

Show Notes
Dustin Childs
ZDI
Sloppy Software Patches Are a 'Disturbing Trend'
Zero Day Initiative launches new bug disclosure timelines
ISO/IEC 29147 (vulnerability disclosure)

August 22, 2022

Episode 291 - Everyone sucks at vulnerability disclosure

Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you'll have some fun and learn a bit about the whole vulnerability disclosure process.

Audio: https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_291_Everyone_sucks_at_vulnerability_disclosure.mp3

Show Notes
Apple 0days
Microsoft Exchange flaw
THIS IS HOW THEY TELL ME THE WORLD ENDS
Linux Foundation Vulnerability Disclosure
Timezone problem

October 4, 2021