Highest Rated Comments


allrice (24 karma)

Perfect security is unattainable for us mere mortals. I preach risk reduction. For most people: You don't have to run faster than the bear. You just have to run a bit faster than everyone else.

The most bang for my buck:

  • Eliminate shared passwords. Do this now. Not because you will get compromised, but because one of the sites you use is already compromised. If this sounds like too much work, use a password manager like 1Password, LastPass, Dashlane.
  • Enable multifactor for ALL THE THINGS. Bonus points if it isn't based on SMS (your carrier is often a weakest link).
  • Use endpoint devices with minimal attack surface, automatic updates, and transparent security teams. Alex Stamos puts it eloquently: My std advice to any company that can't afford a 50+ sec team is "Buy Chromebooks, use GApps". Fewer excuses. If my Chromebook gets compromised, I can at least have a good laugh knowing that someone lit $100,000 on fire in the process.
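
The first two bullets above rest on a check a practitioner can actually run: which vault entries share a password, and whether a password already sits in a public breach corpus. The block below is an added example, not code from the AMA, from allrice, or from HackerOne. It implements the k-anonymity range lookup the Pwned Passwords API uses (SHA-1 the password, send only the first five hex characters, match the 35-character suffix locally) against a constructed, embedded breach corpus and sample vault, so it runs offline. The site names, passwords, counts and the `simulated_fetch` helper are all constructed assumptions; replacing `simulated_fetch` with an HTTP GET of `https://api.pwnedpasswords.com/range/<prefix>` turns it into a live check without ever sending the password or its full hash off the machine.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (site, password); none of these are real credentials.
SAMPLE_VAULT = [
    ("shop.example", "Summer2019!"),
    ("mail.example", "Summer2019!"),
    ("bank.example", "Summer2019!"),
    ("forum.example", "hunter2"),
    ("work.example", "v9Q-tL2m-xR8k-pW4z"),
]

# Constructed stand-in for "a site you use is already compromised": passwords an
# attacker already holds from earlier breaches, with the number of times each was seen.
SIMULATED_BREACH_CORPUS = {"Summer2019!": 412, "hunter2": 30500}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of a password into its 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_simulated_ranges(corpus):
    """Build per-prefix responses in the Pwned Passwords range format ('SUFFIX:COUNT' per line)."""
    ranges = defaultdict(list)
    for pwd, count in corpus.items():
        prefix, suffix = sha1_prefix_suffix(pwd)
        ranges[prefix].append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


SIMULATED_RANGES = build_simulated_ranges(SIMULATED_BREACH_CORPUS)


def simulated_fetch(prefix):
    """Offline stand-in (assumption) for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SIMULATED_RANGES.get(prefix, "")


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password, fetch_range=simulated_fetch):
    """k-anonymity lookup: only the 5-char prefix is sent; the suffix is matched locally.

    Returns how many times the password appeared in breaches (0 = not in the corpus).
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def reused_passwords(vault):
    """Passwords shared by more than one site, mapped to the sites that share them."""
    by_password = defaultdict(list)
    for site, pwd in vault:
        by_password[pwd].append(site)
    return {pwd: sites for pwd, sites in by_password.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Other sites an attacker can log into by replaying the password leaked from breached_site."""
    leaked = dict(vault)[breached_site]
    return sorted(site for site, pwd in vault if pwd == leaked and site != breached_site)


def audit(vault, fetch_range=simulated_fetch):
    """Per-site report: (site, times seen in breaches, number of other sites sharing the password)."""
    shared = reused_passwords(vault)
    return [
        (site, breach_count(pwd, fetch_range), len(shared.get(pwd, [site])) - 1)
        for site, pwd in vault
    ]


if __name__ == "__main__":
    for site, seen, shared_with in audit(SAMPLE_VAULT):
        flag = "ROTATE" if seen or shared_with else "ok"
        print(f"{site:14} breached={seen:<6} shared_with={shared_with}  {flag}")
```

The `audit` output is the point of the comment in one table: a password that is both reused and already in a breach corpus (`Summer2019!`) hands the attacker three accounts for the price of one, while the random, unique entry is neither reused nor known. A password manager is simply the tool that keeps every row looking like the last one.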

allrice (12 karma)

All technology is vulnerable and password managers are no exception. There's risk in their use.

But that doesn't block the mandate for unique passwords. Use a password manager if you can't be bothered with alternative approaches.

allrice (7 karma)

Shameless plug: check out https://hackerone.com/hacktivity for what other hackers think is most awesome.

allrice (6 karma)

The good folks who created Burp have done a tremendous service to the internet and they deserve our support. If you've claimed a bounty based on their work, throw them a bone!

allrice (3 karma)

Our default process for sending invitations to private programs utilizes a transparent invitation process that takes reputation, signal, and impact as inputs. The vast majority of HackerOne programs leverage this system.

Advanced programs can also configure our invitation system with additional constraints as well, such as skillsets (mobile, native code, crypto, etc), geographic location, NDAs, or background checks. Control freaks can also disable our invitation process entirely and manually issue invites leveraging their own custom vetting processes.

These flexible invitation processes are all designed to match companies of diverse requirements with the hackers best suited to help them.

But let's be real. Criminals aren't sitting around waiting for a HackerOne invitation before hacking you. Anyone who launches a program sees immediate overall risk reduction as your new security team immediately outnumbers the bad guys.