What HackerOne has learned from years of AWS bug bounties
In this session, HackerOne cofounder and security expert Jobert Abma reviews high-severity bugs in AWS applications that have surfaced in bug bounty programs over the years. These are bugs that may be rewarded with bounties of up to $20,000. Jobert discusses ways to avoid the bugs altogether, reducing the risk of unintended broad access and building trust with the users of the application. The review includes bugs relating to DNS hijacks, SSRF to Amazon EC2 instance metadata, inadvertently disclosed AWS keys, public Amazon S3 buckets, and improper configurations.