1. This is really hard to enumerate. I basically am always doing recon and don't do it 1 target at a time either. I'd been looking at Sei's V2 upgrade code on and off for months, and made my report when they merged the v2 branch to master (this action put the code in-scope for a bounty). I'd found a handful of other critical bugs on the way but they were fixed eventually either in the course of normal development or audits. I definitely spent upwards of 40 very focused hrs in total investigating this codebase along with its dependencies Cosmos/Tendermint. Probably much more time less focused. Cosmos&TM are quite big. But those dependencies are used in many other projects too, so it can't be purely accounted towards time on Sei.
2. I am a very experienced security researcher/pentester/whatever we want to call it, specifically in the blockchain niche. I'm OK at the other stuff (reversing, cryptography, web, mobile, etc). Networking probably alright? I'm comfortable saying I have a good mind for security and a wide knowledge of the basics in many fields, then a very deep knowledge of a select few areas.
2. Well, I'm currently not employed full time and I do spend a lot of time bounty hunting. But I mix it in with other things as well, like competitive security reviews on https://sherlock.xyz or https://cantina.xyz and private contracted security reviews.
Did you have to specify that it was a critical bug or haggle with them? On the immunefi site, their max bounty is set at $1M but you clearly got 2x that.
dustfinger|1 year ago
2. How extensive is your background in networking, blockchain programming and pen testing?
3. How many other bounties did you commit recon time to before the two successful disclosures?
usmannk|1 year ago
2. I am a very experienced security researcher/pentester/whatever we want to call it, specifically in the blockchain niche. I'm OK at the other stuff (reversing, cryptography, web, mobile, etc). Networking probably alright? I'm comfortable saying I have a good mind for security and a wide knowledge of the basics in many fields, then a very deep knowledge of a select few areas.
3. Idk, a lot! Upwards of 20 for sure.
kubb|1 year ago
ayewo|1 year ago
2. From your other comments elsewhere in this thread, it sounds like you are a full-time bounty hunter, correct?
usmannk|1 year ago
2. Well, I'm currently not employed full time and I do spend a lot of time bounty hunting. But I mix it in with other things as well, like competitive security reviews on https://sherlock.xyz or https://cantina.xyz and private contracted security reviews.
teschmitt|1 year ago
y-curious|1 year ago
danielvf|1 year ago
There's an unofficial project that tracks bounty programs, you can see the change here: https://github.com/infosec-us-team/Immunefi-Bug-Bounty-Progr...