Also a security professional, pentester, bug bounty hunter, multitude of other irrelevant self-imposed titles owner here.
You’ve demonstrated impact by small amounts of enumeration. If you had any real experience in bug bounty contracts you would know 2 things:
Almost all contracts ask you not to enumerate the entire data set as 2 or 3 records is enough (again, that’s how security controls work) and no one is interested in hearing about rate-limiting on public bounties. Pentesting sure, but that’s not what we’re talking about.
Source: 2 decades in the security industry at large in all kinds of positions.
And a note for future reference. If you think I’m out of line for my snark then don’t give what you can’t take.
Edit: Oh, and as someone on both sides of the fence, enumerating an entire data set against scope is in the top ten reasons people get booted from programs. To anyone else seeing this chain: don’t do it. YOU DO NOT NEED TO PROVE IMPACT. Respect people’s privacy.