A fallen ice cream cone. That’s really bad.
Photo by Pawel Janiak on Unsplash

What’s the worst that can happen?

I get this question from time to time when reporting a vulnerability. To be honest, the first couple of times I was asked, my mind went to a very dark and absurd place. I remember replying to one person, "You could lose your job, your wife, and custody of your kids, and then we all die in a nuclear holocaust." I have since grown up a little, but I still have to understand cause and effect and think a couple of moves ahead, just without all the doom and gloom.

No, no. I'm not talking about the typical bug bounty reporter BS: "This self-XSS is a privesc RCE, pay me." When I look for vulnerabilities in an application or system, it is with a particular slant: what are the worst things that could happen to this company, and does this software expose it to those threats? If it's a piece of software or a service that promises X, Y, and Z, I aim to bypass those assertions. This kind of thinking shapes how you approach software testing. Not all bugs are created equal. Some people laugh off DoS bugs. For others, 24/7 uptime is a core component of their business model; disrupt that and there is no business.

So do yourself a favor: frame your tests so that they aim to discover the worst impact to the business. Popping shells is exciting and getting domain admin proves a point, but what could you do without RCE or DA? Find those vulnerabilities and earn your pay.

Eagle Scout. Hacker. Marine. Which means I can weave baskets out of cat cables while keeping my office clean.

Josh Pitts