XSS is one of the most common, well-understood web vulns. Detectable via free tools & techniques available to novices.

Sure, turning XSS into something more is cool

So is paying hackers #bugbounties

Wondering why journalists still glorify XSS negligence as “responsiveness” tho https://twitter.com/infosechotspot/status/1315773822176563201

Could Apple have found these issues themselves more efficiently (faster & cheaper)?

We must hope so, since the assumption that they can’t figure out how to:

Prevent XSS
Scan for XSS

puts them at the bottom of common security efforts & capabilities

I don’t believe that is true

Anyway, security journalists breathless for the next big cash bug bounty headline, I hope some of you decide to dig deeper than the press releases you’re fed about how great this bug bounty was.

It was more like insurance that paid to disguise major internal security process gaps

XSS is a well understood class of bug, for which there are many free tools & techniques available to detect.

DOING SOMETHING MORE W XSS IS COOL

Failing to prevent/detect it shouldn’t be touted as great each time a well-resourced company pays out bounties

20something Bounty bros:
Muting this thread, blocking many.

Thanks for adding yourselves to my (and several other people observing you here) permanent no hire list.

Better hope to be one of the 9000/830,000 hackers that ever gets paid at all via bug bounties on that platform I put on the map for you.
You can follow @k8em0.