zlacker

1. digita+(OP)[view] [source] 2024-01-03 23:48:35
>What percentage of the vulnerabilities discovered are independently discovered by multiple pen testers?

I'd warrant nearly all of them, though it may take a while.

If you have ever submitted or worked with a bug bounty program you will run into dozens of duplicates.

I've personally performed and overseen assessments in which the company had already done a complete blackbox pentest and wanted a second whitebox review to make sure the first company knew their stuff and to validate that they found the same bugs. I also did a few of the honeypot assessments in which companies put purposely vulnerable code in to make sure 'we are doing our job'; I hate those most.

Depending on the tester's speciality, of course, the reports often found the same or similar issues.

Source: 15 years as a pentester, offensive security engineer, and now security architect.

replies(1): >>random+w6
2. random+w6[view] [source] 2024-01-04 00:48:07
>>digita+(OP)
> I'd warrant nearly all of them, though it may take a while.

Why guess when the other commenter has the actual data...?

replies(1): >>lazyas+oV
3. lazyas+oV[view] [source] [discussion] 2024-01-04 09:23:45
>>random+w6
What commenter had data?
replies(1): >>random+bB1
4. random+bB1[view] [source] [discussion] 2024-01-04 14:39:43
>>lazyas+oV
The one we were originally talking to before others started randomly interjecting with gobbledygook.

His eventual response was 0, by the way.
