| 00:00 - 00:05 | Soo.. we started the LHE... bring it on! |
| 00:05 - 00:07 | Common lazy hackers... |
| 00:07 - 00:10 | And submission started coming in |
| 00:11 - 00:16 | we were expecting cool RCE-chains... |
| 00:17 - 00:21 | But you know what we got? XSS! |
| 00:21 - 00:24 | XSS! |
| 00:29 - 00:31 | Everything was broken. |
| 00:31 - 00:34 | And HTML-injections... |
| 00:38 - 00:40 | H T M L |
| 00:41 - 00:47 | Everyone reported the same bugs |
| 00:47 - 00:50 | Can you imagine the amount of dupes? |
| 00:50 - 00:56 | Splitting bounties 15 ways! |
| 00:58 - 00:59 | 3 euro bounties! |
| 00:59 - 01:01 | Almost broke the platform! |
| 01:04 - 01:06 | Broke the leaderboard |
| 01:06 - 01:08 | Javascript rounding errors.. |
| 01:13 - 01:14 | DUPES |
| 01:14 - 01:16 | You cant meme this shit! |
| 01:16 - 01:20 | Then we started giving the bad news! |
| 01:21 - 01:27 | Started with putting XSS out of scope! |
| 01:35 - 01:36 | OUT OF SCOPE |
| 01:36 - 01:39 | And that was just the start |
| 01:41 - 01:44 | But we kept it very professional |
| 01:44 - 01:47 | triaging and splitting bounties |
| 01:47 - 01:49 | like there was no tomorrow |
| 01:50 - 01:53 | Then we came up with a brilliant idea |
| 01:54 - 01:56 | What if... |
| 01:56 - 01:58 | ..we put IDOR... |
| 01:58 - 02:02 | OUT OF SCOPE? Just like that? |
| 02:05 - 02:07 | Imagine their faces! |
| 02:10 - 02:11 | No CSRF.. |
| 02:11 - 02:13 | No XSS.. |
| 02:15 - 02:17 | No IDOR... |
| 02:17 - 02:20 | Then we pulled out the big guns! |
| 02:21 - 02:28 | We canceled the tivoli visit with cool rides... |
| 02:29 - 02:30 | What happened? |
| 02:30 - 02:32 | You cant guess! |
| 02:36 - 02:39 | We replaced it with a city walk |
| 02:40 - 02:42 | ...in november... |
| 02:50 - 02:55 | Do you know how cold it is? |
| 02:56 - 02:58 | Very cold? |
| 02:58 - 03:04 | We gave them plenty to drink so it was alright |
| 03:04 - 03:09 | But the alcohol froze in their glasses |
| 03:09 - 03:11 | poor hackers |
| 03:16 - 03:20 | Never seen so many dupes! |
| 03:23 - 03:26 | Earning more money on a HTML-injection |
| 03:31 - 03:36 | ..than on a duped account-takeover |
