Episode 21: Chill Chat with Legendary DoD Hacker Corben Leo

In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company.Follow us on twitter at: @ctbbpodcastGet on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribeWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/hacker_Article on the State of DNS Rebinding in 2023:https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/See @ArchAngelDDay's twitter thread about 100 bug bounty rules:https://twitter.com/ArchAngelDDay/status/1661924038875435008Talkback - Cybersecurity news aggregator:https://talkback.sh/PyPI announces mandatory 2FA:https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/Timestamps:(00:00:00) Introduction(01:05) State of DNS rebinding in 2023(04:40) 100 Bug Bounty Rules by @ArchAngelDDay(05:30) Give yourself a ‘no bug’ limit(07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs(11:15) Reporting Out of Scope Bugs(14:30) Reporting IDORs as Access Control Bugs(17:28) Talkback(18:12) PyPI's mandatory 2FA implementation for software publishers(Start of main content)(20:07) Starting out in bug bounty/ethical hacking(25:00) Hacking methodology and mentorship(28:15) Identifying Load Balancers(33:20) Triage and live events:(38:30) College and Computer Science vs. Cybersecurity(45:45) Importance of writing for the Hacker Community(51:21) Storytelling and report writing.(55:00) When to stop doing recon and start hacking(01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.