Ashish Dhone

Offensive Security Lead
TFG (The Foschini Group)
Offensive Security Lead | Global Top Hacker Ranking | Best Bug Hunter @Microsoft MVR 23-24-2025 | @Apple ’22 | @Google ’21 | HOF 300+ Top Fortune Companies | CRTP | LPT | CPENT | eWPTXv2 | CHFI | CEH | CVEs x5 | CTF Player | Public Speaker

Speaker sessions

The Bug Bounty Report They Never Agreed On: Hunter vs Triager

This session tells one story from two sides: an experienced bug bounty hunter and a vulnerability manager. Bug reports often cause friction, with the hunter focused on the exploit and the manager overwhelmed by reports. To bring this collaborative theory to life, we will perform a live demonstration, enacting a model conversation between a researcher and a triager in real time.

We'll look into the hunter's mindset and the process of an attack, showing how they use custom AI to find subtle bugs. We will demonstrate how seemingly small vulnerabilities can be escalated into impactful bugs, showing that the real skill lies in chaining exploits together.

Next, we'll switch to the vulnerability manager's point of view to show the challenges they face: handling too many reports, filtering out low-quality submissions, and deciding the true business risk of a bug a researcher calls "CRITICAL!". We'll provide a guide to finding the important reports, explaining why a CVSS score alone isn't enough and how to turn bug bounty submissions into useful security information for the whole team.

Finally, we show how bug bounty hunters and vulnerability managers are not adversaries but allies in the fight for better security. We'll show how a cooperative process can turn difficult reports into quick fixes and big security wins, providing practical tips to move away from a win-lose situation and build a strong, trusting relationship.
  • Wed 03 Dec, 13:00
Stage: Briefings 1
Session Type: Presentation