284 points summarity | 1 comments
mkagenius ◴[] No.44369114[source]
> XBOW submitted nearly 1,060 vulnerabilities.

Yikes, explains why my manually submitted single vulnerability is taking weeks to triage.

replies(2): >>44369323 #>>44374572 #
tptacek ◴[] No.44369323[source]
The XBOW people are not randos.
replies(1): >>44369375 #
lcnPylGDnU4H9OF ◴[] No.44369375[source]
That's not their point, I think. They're just saying that those nearly 1060 vulnerabilities are being processed so theirs is being ignored (hence "triage").
replies(1): >>44369411 #
tptacek ◴[] No.44369411[source]
If that's all they're saying then there isn't much to do with the sentiment; if you're legit-finding #1061 after legit-findings #1-#1060, that's just life in the NFL. I took instead the meaning that the findings ahead of them were less than legit.
replies(3): >>44369640 #>>44369966 #>>44370374 #
croes ◴[] No.44369640[source]
Whether it is a legit finding is precisely what needs to be checked, but you're at spot 1061.

>130 resolved

>303 were classified as Triaged

>33 reports marked as new

>125 remain pending

>208 were marked as duplicates

>209 as informative

>36 not applicable

20% binds a lot of resources if you have a high input of submissions, and the numbers will rise.

replies(1): >>44369723 #
tptacek ◴[] No.44369723[source]
I think some context I probably don't share with the rest of this thread is that the average quality of a Hacker One submission is incredibly low. Like however bad you think the median bounty submission is, it's worse; think "people threatening to take you to court for not paying them for their report that they can 'XSS' you with the Chrome developer console".
replies(3): >>44370182 #>>44370892 #>>44371926 #
peanut-walrus ◴[] No.44370892[source]
My favorite one I've seen is "open redirect when you change the domain name in the browser address bar". This was submitted twice several years apart by two different people.