Bug bounty programs often resemble battlegrounds, where security researchers (""hackers"") and vulnerability triagers collide over validity, severity, and bounty rewards. Although this friction can strain relationships, it also represents a powerful opportunity for collaboration and community-building. In this session, experienced bug bounty hacker Richard Hyunho Im (@richeeta) and seasoned triage expert Denis Smajlović (@deni) team up to dissect these challenging interactions, share real-world stories from high-stakes bounty scenarios, and propose practical solutions for improved hacker-triager relationships. Drawing directly from their experiences on both the researcher and company sides, Richard and Denis cover common scenarios including severity debates (e.g., Gmail aliasing vulnerabilities), unclear bug submissions, controversial gray-area issues (such as Apple's BAC vulnerability rejection), and respectful escalation of bounty disputes (e.g., CVE-2025-24198). Attendees will gain insights into how effective communication, clear business impact framing, and mutual respect can bridge the divide between researchers and triagers. Beyond monetary rewards, this presentation emphasizes how researchers can strategically leverage bug bounty work to enhance personal branding, build professional networks, and advance career opportunities. With empathy, humor, and candor, Richard and Denis demonstrate that the ""bounty battleground"" doesn't need to be hostile; it can instead become a place for growth, trust, and professional success. Key takeaways include actionable strategies for clearer reporting, effectively communicating severity, navigating gray-area cases, and respectfully challenging triage decisions. Ultimately, this talk equips attendees with tools and mindsets to positively shape the bug bounty ecosystem and foster genuine collaboration within the community.

DEF CON 34 - DEF CON Policy Announcement - Katie Noble, Heather West
5.4K views

DEF CON 33 - DisguiseDelimit: Exploiting Synology NAS with Delimiters and Novel Tricks - Ryan Emmon
11.1K views

DEF CON 33 - Browser Extension Clickjacking: One Click and Your Credit Card Is Stolen - Marek Tóth
8.5K views

DEF CON 33 - Can't Stop the ROP: Automating Universal ASLR Bypasses - Bramwell Brizendine
3.6K views

DEF CON 33 Recon Village - Building Local Knowledge Graphs for OSINT - Donald Pellegrino
5.4K views

DEF CON 33 Recon Village - Mapping the Shadow War From Estonia to Ukraine - Evgueni Erchov
6.4K views