Hacking on Bug Bounties for Four Years


I value transparency a lot, especially when it comes to the bug bounty space. Bug bounty hunters all around the world are submitting a range of reports where the issues found span across multiple domains, often leveraging numerous techniques and methodologies. However, if you’re not already an active bug bounty hunter who has a good understanding of what a bounty program expects, or will pay out for, you have a major disadvantage compared to someone who does have this knowledge. I hope through this blog post, I can demystify the sort of issues bug bounty programs pay for.

The last blog post I did in this series was around four years ago: 120 days, 120 bugs. In the last four years, a lot has happened. I moved to Europe for six months, I moved interstate in Australia twice, I won a live hacking event, I co-founded a company and helped build an attack surface management platform with a team of people I consider family.

Unlike my previous blog post, I did not set myself a goal to find a bug a day. Instead, I participated in bug bounties whenever time allowed. There were many months where I found nothing at all, which often terrified me when it came to evaluating my self-worth as a hacker. I also admitted to myself that I might be a good hacker, but there is always going to be a better hacker out there, and I’ve made my peace with that as a hyper-competitive person.

If you don’t have an excellent understanding of fundamental application security attacks and weaknesses before you approach bug bounties, in my opinion, you are wasting your time. Practice and learn more here.

If you’re looking for a paid, more extensive resource, check out and practice with PentesterLab.

Participating so heavily in bug bounties has given us at Assetnote the knowledge of what security teams actually care about. It’s the reason we can maintain high signal when we are continuously finding exposures.

My primary motivation for this blog post is to educate the masses on what bug bounty programs are paying out for.

For example, would you know that you could submit a dangling EC2 IP (subdomain pointing to an EC2 IP that is no longer owned by the company) as a bug report without reading the proof in the pudding below? I’ve been paid for this by programs, so clearly they value this sort of information.
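As an added example (not code from this post or from Assetnote), here is the defender-side check for the dangling EC2 IP case just described: it takes a zone's A records, the EC2 prefixes from AWS's published ip-ranges.json, and the organisation's own public IP inventory, and flags records that point into EC2 address space at addresses the organisation no longer holds. Every input below is constructed, including the CIDRs, which are placeholders rather than authoritative AWS ranges.

```python
"""Flag DNS A records that point into EC2 address space at IPs the organisation
no longer holds. Such records are candidates for the dangling EC2 IP finding:
once the address is released, another AWS customer can eventually be allocated
it and serve content under the subdomain.

Added example, not code from the original post or from Assetnote.
"""
import ipaddress

# Constructed sample shaped like the "prefixes" entries of AWS's published
# ip-ranges.json. These CIDRs are placeholders for the example, not
# authoritative AWS ranges; a real check loads the current file.
AWS_PREFIXES = [
    {"ip_prefix": "13.54.0.0/15", "region": "ap-southeast-2", "service": "EC2"},
    {"ip_prefix": "3.8.0.0/16", "region": "eu-west-2", "service": "EC2"},
    {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "S3"},
]

# Constructed inventory of public IPs the organisation currently holds across
# all its AWS accounts. Build it from both Elastic IPs (describe-addresses)
# and auto-assigned instance public IPs (describe-instances), otherwise a
# live instance without an EIP is reported as a false positive.
OWNED_PUBLIC_IPS = {"13.54.10.20", "3.8.77.1"}

# Constructed A records for the organisation's zone as (name, address).
DNS_A_RECORDS = [
    ("www.example.com", "203.0.113.10"),      # hosted elsewhere
    ("app.example.com", "13.54.10.20"),       # EC2 address still held
    ("old-demo.example.com", "13.55.200.9"),  # EC2 range, not in inventory
    ("legacy.example.com", "3.8.77.1"),       # EC2 address still held
    ("beta.example.com", "3.8.2.2"),          # EC2 range, not in inventory
    ("broken.example.com", "not-an-ip"),      # malformed record, must not crash
]


def ec2_networks(prefixes):
    """Return only the EC2 prefixes as network objects; other services are skipped."""
    return [ipaddress.ip_network(p["ip_prefix"]) for p in prefixes if p["service"] == "EC2"]


def classify_record(name, address, networks, owned_ips):
    """Classify one A record.

    Returns "invalid", "not-ec2", "owned" or "dangling-candidate". The last
    means the address sits in EC2 space but is not in the inventory of public
    IPs the organisation holds, so the record should be removed or repointed.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if not any(ip in net for net in networks):
        return "not-ec2"
    if address in owned_ips:
        return "owned"
    return "dangling-candidate"


def find_dangling(records, prefixes, owned_ips):
    """Return [(name, address)] for every record classified as a dangling candidate."""
    networks = ec2_networks(prefixes)
    return [
        (name, address)
        for name, address in records
        if classify_record(name, address, networks, owned_ips) == "dangling-candidate"
    ]


if __name__ == "__main__":
    for name, address in find_dangling(DNS_A_RECORDS, AWS_PREFIXES, OWNED_PUBLIC_IPS):
        print(f"review: {name} -> {address} (EC2 address not in public IP inventory)")
```

A record that classifies as "owned" today can still go dangling later, so the check belongs in a scheduled job that re-reads the IP inventory each run rather than a one-off audit.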


Below are all of my findings for the last four years. I’ve redacted information where necessary, but by reading the titles, it should give you a good understanding of what I was reporting to programs.

| Date | Bug | Payout |
|---|---|---|
| 2020-09-02 14:04:11 UTC | [redacted] Hosted Zone Takeover | $1,000.00 |
| 2020-07-16 18:39:22 UTC | Spring debugging endpoints exposed leading to disclosure of all secrets via heapdump on [redacted] & Account takeover by Trace | $2,500.00 |
| 2020-06-30 22:54:07 UTC | Blind SSRF on [redacted] through invoicing API – access to internal hosts | $60.00 |
| 2020-06-10 13:53:43 UTC | Full Account takeover through subdomain takeover via [redacted] | $300.00 |
| 2020-06-10 13:24:10 UTC | Full Account takeover through subdomain takeover via [redacted] | $300.00 |
| 2020-06-10 13:21:57 UTC | Full Account takeover through subdomain takeover via [redacted] | $300.00 |
| 2020-06-08 14:28:05 UTC | Amazon S3 Subdomain Hijack – [redacted] | $256.00 |
| 2020-06-08 05:29:58 UTC | Route53 Hosted Zone Takeover of [redacted] | $500.00 |
| 2020-06-05 16:27:42 UTC | Admin panel for Cisco IP Conference Station CP-7937G exposed on the internet on [redacted] IP ranges | $400.00 |
| 2020-06-03 21:07:51 UTC | Pre-auth Blind MSSQL Injection affecting [redacted] | $1,024.00 |
| 2020-06-03 14:18:24 UTC | Pre-auth MSSQL Injection affecting [redacted] | $1,024.00 |
| 2020-06-02 15:28:50 UTC | Pre-auth SQL Injection affecting [redacted] | $1,024.00 |
| 2020-06-02 15:26:58 UTC | RCE via arbitrary file write and path traversal [redacted] | $1,024.00 |
| 2020-06-02 15:25:08 UTC | RCE via arbitrary file write and path traversal [redacted] | $1,024.00 |
| 2020-05-18 10:12:38 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00 |
| 2020-05-18 10:11:58 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00 |
| 2020-05-18 10:06:22 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00 |
| 2020-05-18 10:05:20 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00 |
| 2020-05-11 18:47:54 UTC | Route53 Hosted Zone Takeover of [redacted] | $100.00 |
| 2020-05-11 14:59:23 UTC | Account takeover through Subdomain Takeover of [redacted] (Cookie Disclosure -> Account Takeover) | $2,500.00 |
| 2020-05-11 14:31:18 UTC | Account takeover through Subdomain Takeover of [redacted] (Cookie Disclosure -> Account Takeover) | $2,500.00 |
| 2020-05-07 01:47:49 UTC | View all metadata for any [redacted] IDOR [redacted] | $1,000.00 |
| 2020-04-29 22:58:57 UTC | IDOR view all [redacted] | $4,000.00 |
| 2020-04-29 22:57:55 UTC | IDOR view the [redacted] | $2,500.00 |
| 2020-04-24 18:19:23 UTC | Subdomain takeover of [redacted] through Heroku | $300.00 |
| 2020-04-24 18:18:45 UTC | Subdomain takeover of [redacted] through Heroku | $300.00 |
| 2020-04-23 19:45:04 UTC | Ability to horizontal bruteforce [redacted] accounts by abusing [redacted] sign up flow | $500.00 |
| 2020-04-22 17:44:29 UTC | View all metadata for any [redacted] IDOR [redacted] | $500.00 |
| 2020-04-22 17:42:51 UTC | IDOR view the [redacted] for any [redacted] for today [redacted] | $500.00 |
| 2020-04-22 17:42:06 UTC | IDOR view all [redacted] for a [redacted] [redacted] | $500.00 |
| 2020-04-06 19:13:19 UTC | Facebook – Payout For [redacted] | $5,000.00 |
| 2020-03-07 15:12:24 UTC | Accessing Querybuilder on [redacted] to gain access to secrets | $3,000.00 |
| 2020-02-25 15:02:20 UTC | Subdomain takeover of [redacted] via Amazon S3 | $750.00 |
| 2020-02-20 23:01:58 UTC | HTML injection, DOS of email receipts and potentially template injection within [redacted] via “Expense Info” section | $500.00 |
| 2020-02-18 14:45:40 UTC | Admin account bruteforce via [redacted]/libs/granite/core/content/login.html | $500.00 |
| 2020-02-15 12:24:57 UTC | Blind XSS via registering on [redacted] | $500.00 |
| 2020-02-04 03:45:38 UTC | HTML Injection in email when contributing to a [redacted] | $700.00 |
| 2020-01-21 17:13:58 UTC | Ability to attach malicious attachments (of any name and of any content type) to [redacted] support staff via [redacted] | $2,000.00 |
| 2020-01-15 11:41:59 UTC | No authentication required to view and delete Terraform locks at [redacted] | $250.00 |
| 2019-12-12 16:25:11 UTC | [redacted] Webhook URL + object leaked in JavaScript on [redacted] | $3,000.00 |
| 2019-11-21 22:15:20 UTC | AWS & Screenhero JWT Credentials from [redacted] not rotated, still working | $1,000.00 |
| 2019-10-17 13:44:23 UTC | RCE on [redacted] via IBM Aspera exploit leading to compromise of secure file storage | $1,000.00 |
| 2019-10-15 14:29:25 UTC | SSO bypass on [redacted] leading to access of internal documents and portals | $250.00 |
| 2019-10-11 18:07:51 UTC | Admin access to [redacted] via guessing credentials | $1,500.00 |
| 2019-10-11 18:06:15 UTC | 3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by [redacted] | $250.00 |
| 2019-09-30 16:56:50 UTC | Multiple server-side issues affecting [redacted] (SSRF, admin panels) | $2,660.00 |
| 2019-09-25 22:10:00 UTC | Read any [redacted] details using UUID – IDOR in [redacted] | $1,000.00 |
| 2019-09-10 16:17:59 UTC | SSRF in [redacted] | $2,000.00 |
| 2019-09-03 15:28:36 UTC | SSRF in [redacted] | $17,900.00 |
| 2019-08-29 00:43:00 UTC | Bypassing email whitelists for organisation signup flows on [redacted] | $250.00 |
| 2019-08-09 05:15:44 UTC | [Pre-Submission] SSRF in [redacted] (Iframely) | $2,970.30 |
| 2019-07-29 16:32:59 UTC | [Bypass] SSRF via [redacted] leads to internal network access, ability to read internal JSON responses | $23,000.00 |
| 2019-07-24 02:52:42 UTC | PHPInfo exposed at [redacted] | $100.00 |
| 2019-07-24 02:46:02 UTC | SSRF on [redacted] leading to AWS breach via security credentials | $5,000.00 |
| 2019-07-08 14:44:23 UTC | Remote command execution on production [redacted] (via tsi parameter) – CVE-2017-12611 | $2,000.00 |
| 2019-06-12 17:42:53 UTC | Username/Password for Aspera and other secrets leaked in [redacted] | $1,500.00 |
| 2019-06-12 17:42:08 UTC | SSO/Authorization bypass for APIs hosted on [redacted] | $1,500.00 |
| 2019-06-12 14:45:09 UTC | Remote Code Execution (many endpoints) – [redacted] | $4,500.00 |
| 2019-06-10 17:29:35 UTC | Extract email, dob, full address, federal tax ID and other PII for all leads in [redacted] | $1,800.00 |
| 2019-06-10 16:53:22 UTC | Obtain email, mobile of customers of [redacted] by iterating through Lead IDs via the API | $12,600.00 |
| 2019-06-10 16:52:40 UTC | Ability to pull out all opportunities (IDOR) extract PII for customers of [redacted] | $12,600.00 |
| 2019-06-07 18:51:24 UTC | [redacted][IDOR] – Accessing all accounts via regression / new attack vector by abusing [redacted] (regression?) | $2,500.00 |
| 2019-06-07 18:17:31 UTC | Blind SSRF on [redacted] through RPC call to checkAvailableLivechatAgents | $62.50 |
| 2019-06-07 18:07:22 UTC | HTML injection in emails when adding a reviewer to [redacted] | $125.00 |
| 2019-06-07 17:42:09 UTC | [IDOR] Impersonating an [redacted] employee via /api/readHandler on [redacted] | $1,500.00 |
| 2019-06-07 15:33:31 UTC | Extract mobile number and [redacted] using only an email address, for any [redacted] | $750.00 |
| 2019-06-07 14:36:01 UTC | Zendesk Ticket IDOR / Ability to enumerate IDs via [redacted] | $125.00 |
| 2019-06-07 14:24:15 UTC | Extract mobile number and [redacted] using only an email address, for any [redacted] user | $750.00 |
| 2019-06-07 14:11:20 UTC | HTML Injection in [redacted] receipts if printed from [redacted] | $100.00 |
| 2019-06-07 13:56:46 UTC | Ability to access the airwatch admin panels and APIs in [redacted] | $1,000.00 |
| 2019-06-07 13:21:31 UTC | IDOR on [redacted] allows you to access [redacted] information for any [redacted] user | $250.00 |
| 2019-06-07 10:13:20 UTC | [redacted][IDOR] – Accessing all accounts via regression / new attack vector by abusing [redacted] (regression?) | $15,000.00 |
| 2019-05-22 19:33:27 UTC | SQLi and Authentication Bypass in [redacted] | $4,500.00 |
| 2019-04-29 14:14:42 UTC | Reflected XSS in [redacted] | $500.00 |
| 2019-04-29 14:14:29 UTC | SSRF in [redacted] | $1,500.00 |
| 2019-04-25 07:33:22 UTC | Local file disclosure through Rails CVE-2019-5418 in [redacted] | $100.00 |
| 2019-04-19 02:28:54 UTC | SSRF – [redacted] | $4,950.00 |
| 2019-04-19 02:28:35 UTC | SSRF at [redacted] via the ‘url’ parameter | $4,950.00 |
| 2019-03-29 11:23:14 UTC | AWS S3 secrets leaked in [redacted] meeting connector giving attackers write access to [redacted] | $364.50 |
| 2019-03-27 18:41:51 UTC | Subdomain takeover of [redacted] through Heroku | $750.00 |
| 2019-03-20 17:08:11 UTC | Reflected XSS in [redacted] | $500.00 |
| 2019-03-18 17:29:00 UTC | Reflected XSS in [redacted] | $500.00 |
| 2019-03-18 17:28:49 UTC | Reflected XSS in [redacted] | $500.00 |
| 2019-03-18 17:28:35 UTC | CVS Repos being leaked on [redacted], including username and password | $750.00 |
| 2019-03-18 15:35:10 UTC | Form on [redacted] leaks username and password for [redacted]/Wowza Streaming Server | $500.00 |
| 2019-03-15 15:08:35 UTC | Extract BCrypt pinCode, associated phone numbers and emails for any [redacted] | $5,000.00 |
| 2019-03-14 17:51:32 UTC | Multiple IDORs on [redacted] | $500.00 |
| 2019-03-14 17:51:18 UTC | Multiple persistent XSS vulnerabilities in [redacted] | $1,000.00 |
| 2019-03-14 17:51:02 UTC | Auth bypass on [redacted] & [redacted] allowing for full access to anonymous users (including private streams) | $1,000.00 |
| 2019-03-14 17:50:45 UTC | Slack Webhook Tokens leaked within JavaScript on [redacted] | $500.00 |
| 2019-03-11 23:06:12 UTC | Ability to send arbitrary Subject + HTML emails as verified [redacted] | $900.00 |
| 2019-03-04 21:58:43 UTC | WP-Engine Subdomain Takeover of [redacted] | $500.00 |
| 2019-03-04 19:04:59 UTC | Extract BCrypt pinCode, associated phone numbers and emails for any [redacted] | $500.00 |
| 2019-02-22 18:41:36 UTC | [redacted] | $8,000.00 |
| 2019-02-13 17:59:01 UTC | Ability to close down any [redacted] using an IDOR in [redacted] | $8,000.00 |
| 2019-02-07 00:05:37 UTC | HTML injection in the [redacted] signup flow on [redacted] | $500.00 |
| 2019-01-30 16:59:57 UTC | VHost header hopping on [redacted] allowing us to access MSSQL DB explorer | $1,900.00 |
| 2019-01-30 16:14:57 UTC | RCE on [redacted] via ObjectStateFormatter deserialization | $4,000.00 |
| 2019-01-30 16:13:00 UTC | ZIP file in webroot containing all source code and database of [redacted] | $3,000.00 |
| 2019-01-29 21:52:20 UTC | Multiple reflected XSS on [redacted] | $500.00 |
| 2019-01-29 17:54:05 UTC | Sensitive data exposure in debug file via [redacted] | $100.00 |
| 2019-01-23 16:09:32 UTC | Git repos disclosed on multiple [redacted] and [redacted] subdomains | $600.00 |
| 2019-01-22 23:02:09 UTC | Critical: Prod access to all [redacted] Admins and Employees – obtain all emails uuids and access to administrative actions | $4,500.00 |
| 2019-01-07 21:02:45 UTC | SSRF via [redacted] leads to internal network access, ability to read internal JSON responses | $23,000.00 |
| 2018-12-06 15:58:56 UTC | Reflected XSS in [redacted]/pay/alipay/wap.php | $400.00 |
| 2018-12-06 15:37:27 UTC | Reflected XSS in the JavaScript context on [redacted] via `http_referer` parameter | $400.00 |
| 2018-11-30 15:35:15 UTC | Django debug mode being enabled leads to Postgres password leaked on [redacted] | $500.00 |
| 2018-11-30 15:20:07 UTC | Ability to upload SWF files on [redacted] via CKFinder | $400.00 |
| 2018-11-30 15:08:41 UTC | [redacted] discloses sensitive information leading to customer data access via APIs | $800.00 |
| 2018-11-30 13:46:33 UTC | [redacted] Newsroom CMS (China) source code leaked on GitHub, with a WeChat secret – Leads to RCE on contractors machine | $200.00 |
| 2018-11-29 17:41:02 UTC | Bypassing email whitelists for organisation signup flows on [redacted] | $500.00 |
| 2018-11-29 15:29:00 UTC | Blind MSSQL Injection in [redacted] | $2,000.00 |
| 2018-11-28 15:02:39 UTC | Alipay Merchant RSA Private Key disclosed on [redacted] | $200.00 |
| 2018-11-21 16:58:25 UTC | Recursively obtain [redacted] UUIDs by exploiting [redacted] | $1,000.00 |
| 2018-11-20 22:19:04 UTC | API under [redacted] allows unauthenticated users to send messages to [redacted] Slack | $100.00 |
| 2018-11-15 10:13:13 UTC | Externally available MSSQL server for [redacted] reveals a large amount of data + local file read | $400.00 |
| 2018-11-02 20:18:53 UTC | Ability to adjust your own [redacted] order price [redacted] | $1,500.00 |
| 2018-10-24 14:40:13 UTC | Arbitrary File Upload Leading to Persistent XSS on [redacted] | $400.00 |
| 2018-10-24 10:36:13 UTC | Extract the details of every [redacted] User (name, openid, unionid, mobile, nickname, province, city, gender, bday) via [redacted] | $400.00 |
| 2018-10-22 14:26:23 UTC | Critical: Prod access to all [redacted] Admins and Employees – obtain all emails uuids and access to administrative actions | $500.00 |
| 2018-10-12 18:56:47 UTC | Unauthenticated XXE on [redacted]/OA_HTML/lcmServiceController.jsp | $166.67 |
| 2018-10-06 18:26:10 UTC | PhantomJS SSRF with ability to read full response via [redacted] AWS | $500.00 |
| 2018-09-30 00:29:08 UTC | Multiple issues with [redacted] (SSO bypass, Git repo with employee credentials, and broken application logic) | $2,000.00 |
| 2018-09-03 09:55:32 UTC | Multiple instances of error based MSSQL injection on `[redacted]` with access to 30 databases | $5,000.00 |
| 2018-09-03 09:15:04 UTC | RCE through arbitrary file upload via [redacted]/cms/Handler/kvimgupload.ashx | $3,000.00 |
| 2018-09-03 09:13:37 UTC | RCE through arbitrary file upload via [redacted]/staff/cms/Handler/toolsupload.ashx | $3,000.00 |
| 2018-09-03 09:03:06 UTC | MSSQL injection via [redacted]/incentive/report.aspx | $2,000.00 |
| 2018-08-30 17:52:47 UTC | Directory listing on [redacted] leads to Russian [redacted] PII and internal documentation/slide deck disclosure | $1,000.00 |
| 2018-08-28 07:07:34 UTC | Highly sensitive repos containing internal [redacted] application source and databases with over ~700 emails leaked | $800.00 |
| 2018-08-20 13:01:40 UTC | Server variables leaked on [redacted]/servvar.asp, also allowing for the ability to steal HTTPOnly cookies | $400.00 |
| 2018-08-14 17:08:24 UTC | 3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by Salesforce | $62.50 |
| 2018-08-13 18:25:52 UTC | DOM based XSS on [redacted] (works on all browsers) | $125.00 |
| 2018-08-12 07:04:32 UTC | [First 30] Blind SSRF at [redacted]/handle_pasted_images via fileURLs | $375.00 |
| 2018-08-10 06:36:30 UTC | [First 30] Accessible ca and secrets.enc file exposed on VPN – [redacted] | $1,250.00 |
| 2018-08-10 02:11:48 UTC | [first 30] Subdomain takeover [redacted] | $555.00 |
| 2018-08-09 08:08:16 UTC | Ability to obtain profile info and metadata (email, payments, account type, associations) for any [redacted] user if you know their UUID | $1,000.00 |
| 2018-08-09 07:39:29 UTC | Ability to bruteforce any [redacted] dashboard user without any rate limiting | $500.00 |
| 2018-08-09 05:56:38 UTC | Leaked promotion codes (including internal employee promotion codes) and employee UUIDs (containing payment profiles) on [redacted] | $1,000.00 |
| 2018-08-09 05:49:26 UTC | Ability to obtain payment profiles and sensitive information of any [redacted] user if you know their UUID | $1,000.00 |
| 2018-08-09 05:47:46 UTC | Ability to obtain profile info and metadata (email, payments, account type, associations) for any [redacted] user if you know their UUID | $2,000.00 |
| 2018-07-26 16:21:23 UTC | Reflected XSS on Jplayer.swf located on the [redacted] owned S3 bucket [redacted] | $250.00 |
| 2018-07-19 18:46:43 UTC | POST based XSS via [redacted]/api/utils/signup | $300.00 |
| 2018-07-11 22:48:23 UTC | (Potential) IDOR in `/api/[redacted]` via [redacted] | $500.00 |
| 2018-07-11 22:44:36 UTC | Ability to enumerate [redacted] via `/api/[redacted]` on [redacted] | $2,000.00 |
| 2018-07-06 06:53:19 UTC | Incentives administration panel is accessible without auth, revealing a large number of users registered on [redacted] | $800.00 |
| 2018-07-06 06:47:06 UTC | RCE on [redacted] through arbitrary file upload | $3,000.00 |
| 2018-07-06 06:40:07 UTC | Auth bypass leading to administrative access to [redacted]/locationcms/ (can modify/delete/add anything) | $800.00 |
| 2018-07-06 06:31:23 UTC | MSSQL injection via [redacted]/locationcms/Template/StoreList.aspx | $2,000.00 |
| 2018-07-02 12:08:16 UTC | Critical issues on [redacted] (database credentials, entire application source code leaked and SQLi) | $800.00 |
| 2018-06-28 20:17:38 UTC | Extract payment method used (email or last 4 card no) through [redacted] | $500.00 |
| 2018-06-22 15:48:11 UTC | Multiple full-response SSRFs on [redacted] API `/api/utils/download-file` leading to internal access to [redacted] assets | $3,250.00 |
| 2018-06-22 15:47:31 UTC | Multiple full-response SSRFs on [redacted] API `/api/partner/[redacted]` leading to internal access to [redacted] | $625.00 |
| 2018-06-16 19:14:30 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-16 17:56:17 UTC | Facebook Submission [redacted] | $4,000.00 |
| 2018-06-16 17:55:00 UTC | Facebook Submission [redacted] | $5,000.00 |
| 2018-06-16 15:54:20 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-16 15:10:50 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-16 14:56:58 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-16 14:38:05 UTC | Facebook Submission [redacted] | $3,000.00 |
| 2018-06-16 13:47:59 UTC | Facebook Submission [redacted] | $5,000.00 |
| 2018-06-16 13:27:27 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-13 21:24:58 UTC | Stealing Zendesk admin credentials for [redacted].zendesk.com via [redacted] | $2,250.00 |
| 2018-06-13 21:21:41 UTC | Ability to receive a support call with the identity of another [redacted] store using an IDOR in [redacted] | $1,500.00 |
| 2018-05-31 13:02:19 UTC | Incorrect implementation of cloudflare on [redacted] | $500.00 |
| 2018-05-26 17:51:18 UTC | SSRF on [redacted] allows for access to internal hosts [redacted] | $1,000.00 |
| 2018-05-26 16:52:38 UTC | [first 30] – Stored XSS on [redacted] within the Roles dialog | $1,206.00 |
| 2018-05-26 13:59:34 UTC | SSRF on [redacted] allows for access to internal hosts [redacted] | $1,728.00 |
| 2018-05-26 12:40:45 UTC | [first 30] – EC2 IP of [redacted] is no longer controlled by [redacted] | $216.00 |
| 2018-05-26 11:45:03 UTC | [first 30] – Stored XSS on [redacted] within the Roles dialog | $125.00 |
| 2018-05-26 09:10:39 UTC | Ability to bruteforce the password of a current user without locking them out by using an active session | $125.00 |
| 2018-05-25 13:34:24 UTC | [redacted] owned Cisco 3750 on the external internet – bruteforcable via Telnet/SSH/HTTP [redacted] | $250.00 |
| 2018-05-25 13:33:35 UTC | Two WordPress administration panels for [redacted] on WPEngine [redacted] | $400.00 |
| 2018-05-23 21:59:17 UTC | AWS secret key and other secrets (sessions) leaked on [redacted] | $500.00 |
| 2018-05-02 12:35:46 UTC | Server-side source code disclosed on [redacted] | $250.00 |
| 2018-04-20 13:29:13 UTC | Exposed Rabbit-MQ administration panel located at [redacted] | $250.00 |
| 2018-04-11 22:41:51 UTC | Multiple vulnerabilities in [redacted] Russia Telegram bot API leading to significant [redacted] data being exposed | $3,750.00 |
| 2018-04-05 21:07:29 UTC | Sensitive APIs discovered on [redacted] requiring no auth leading to AWS cloud data and user leakage (20k staff details leaked) | $15,000.00 |
| 2018-04-05 21:06:52 UTC | Postgres SQL Injection on [redacted] leading to potential AWS cloud account takeover | $15,000.00 |
| 2018-03-23 22:29:19 UTC | Secrets (CloudFront credentials, private keys, server settings) from config/secrets/secrets.json found on [redacted] | $9,500.00 |
| 2018-03-22 15:33:20 UTC | Django admin panel exposed at [redacted] | $250.00 |
| 2018-03-16 17:32:47 UTC | Multiple vulnerabilities in [redacted] Russia Telegram bot API leading to significant [redacted] data being exposed | $500.00 |
| 2018-03-09 17:01:55 UTC | Arbitrary origins trusted when making authenticated API calls to [redacted] | $250.00 |
| 2018-03-09 16:58:16 UTC | Exposed Django Administration Panel @ [redacted] | $750.00 |
| 2018-03-02 12:53:11 UTC | Exposed Django Administration Panel @ [redacted] | $750.00 |
| 2018-03-02 12:48:41 UTC | Taking over [redacted] owned domain [redacted] due to unclaimed Amazon S3 bucket | $500.00 |
| 2018-02-28 22:48:14 UTC | Multiple SQL injection vulnerabilities on [redacted] | $2,500.00 |
| 2018-02-20 02:34:49 UTC | Secrets (CloudFront credentials, private keys, server settings) from config/secrets/secrets.json found on [redacted] | $500.00 |
| 2018-02-06 17:40:24 UTC | P2P Referral Program Django Admin Panel @ [redacted] | $250.00 |
| 2018-02-06 17:34:27 UTC | Subdomain takeover of [redacted] | $4,000.00 |
| 2018-01-31 23:17:37 UTC | Subdomain takeover of [redacted] and [redacted] via Azure VMs | $4,000.00 |
| 2018-01-31 14:59:44 UTC | AWS credentials disclosure via SSRF in Atlassian Confluence [redacted] | $2,500.00 |
| 2018-01-24 15:11:23 UTC | PHP testing scripts and PHPMyAdmin exposed on the external internet on [redacted]:81 | $200.00 |
| 2018-01-05 07:00:59 UTC | AWS key disclosure via SSRF on [redacted] leads to privileged AWS access | $10,000.00 |
| 2018-01-04 13:05:48 UTC | Domain/subdomain takeover of [redacted] via Azure | $400.00 |
| 2018-01-04 13:04:15 UTC | [redacted] pointing to an IP address no longer owned by [redacted] | $200.00 |
| 2017-12-27 16:15:40 UTC | Ability to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries | $20,000.00 |
| 2017-12-11 17:46:11 UTC | HTML Injection via Emails in company names on [redacted] | $500.00 |
| 2017-12-11 17:41:39 UTC | Persistent XSS on [redacted] via subdomain takeover | $500.00 |
| 2017-11-28 15:57:33 UTC | Ability to write to [redacted].s3.amazonaws.com due to misconfigured S3 ACLs | $400.00 |
| 2017-11-24 11:32:26 UTC | ELMAH exposed on [redacted] exposing usernames, session details, sensitive information | $800.00 |
| 2017-11-21 00:48:14 UTC | Ability to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries | $2,500.00 |
| 2017-11-14 18:30:11 UTC | Ability to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries | $500.00 |
| 2017-11-13 23:43:58 UTC | Persistent XSS on [redacted] via subdomain takeover | $500.00 |
| 2017-10-23 11:10:21 UTC | OpenVPN administration panel exposed for [redacted] | $250.00 |
| 2017-10-02 23:33:44 UTC | No rate limiting enforced on [redacted] allowing for the ability to bruteforce event promo codes | $1,150.00 |
| 2017-08-29 16:33:52 UTC | ███████████ | $5,000.00 |
| 2017-08-29 16:33:19 UTC | ██████████████ | $5,000.00 |
| 2017-08-29 16:32:25 UTC | ████████ | $1,500.00 |
| 2017-08-29 16:32:04 UTC | ██████████ | $1,500.00 |
| 2017-08-29 16:31:24 UTC | ████████████ | $500.00 |
| 2017-08-29 16:31:04 UTC | ████████████ | $500.00 |
| 2017-08-29 16:30:45 UTC | █████████ | $500.00 |
| 2017-08-29 16:30:25 UTC | ████████████ | $500.00 |
| 2017-08-29 16:30:05 UTC | ██████████ | $500.00 |
| 2017-08-29 16:29:44 UTC | ████████████ | $500.00 |
| 2017-08-29 16:29:22 UTC | █████████████ | $500.00 |
| 2017-08-29 16:29:00 UTC | █████████████ | $500.00 |
| 2017-08-29 16:28:34 UTC | █████████████████ | $500.00 |
| 2017-08-29 16:28:04 UTC | ███████████ | $500.00 |
| 2017-08-29 16:27:16 UTC | ███████████ | $100.00 |
| 2017-08-29 16:26:58 UTC | ███████████ | $100.00 |
| 2017-08-02 22:55:34 UTC | Source code disclosure (including current MySQL DB creds) for https://[redacted] | $1,000.00 |
| 2017-08-02 22:55:18 UTC | Potential second order RCE on https://[redacted] | $9,000.00 |
| 2017-08-02 22:53:54 UTC | SQL Injection in https://[redacted]/job.php | $2,000.00 |
| 2017-08-02 22:53:40 UTC | SQL Injection in https://[redacted]/detail.php | $2,000.00 |
| 2017-08-02 22:53:16 UTC | SQL Injection in https://[redacted]/controls/PE/loaddata.php | $2,000.00 |
| 2017-07-28 12:58:25 UTC | Deep dive into [redacted] crash dump reporting tool – Persistent XSS + Downloading all crash dumps – [redacted] | $2,000.00 |
| 2017-07-20 01:19:28 UTC | Exposed [redacted] statistics/administration panel | $500.00 |
| 2017-07-20 01:18:15 UTC | Ability to enumerate and bruteforce user accounts on [redacted] | $400.00 |
| 2017-07-18 00:28:37 UTC | Git repository access on QA machines on [redacted] and [redacted] exposing source code and production secrets | $10,000.00 |
| 2017-07-14 23:00:16 UTC | Stored cross-site scripting on exposed development server @ [redacted] | $300.00 |
| 2017-06-09 10:13:30 UTC | Ability to submit bugs on behalf of other users on the [redacted] environments for [redacted] | $250.00 |
| 2017-06-05 09:42:55 UTC | Admin access to Grafana instance with Credential Disclosure | $500.00 |
| 2017-06-02 09:32:33 UTC | WordPress Database Credentials Leakage + Find and replace MySQL tool (searchreplacedb2.php) on [redacted] + MySQL root password | $1,000.00 |
| 2017-05-12 11:20:10 UTC | Prevent [redacted] users from using their own VK account on [redacted] | $1,000.00 |
| 2017-05-12 11:19:28 UTC | Open admin panel / Multiple WordPress related issues on [redacted] | $250.00 |
| 2017-05-12 11:18:36 UTC | URL Redirection flaw affecting [redacted] official login flow [redacted] | $600.00 |
| 2017-05-12 11:11:24 UTC | Tomcat Manager left enabled on [redacted] (authentication required – exposed admin interface) | $250.00 |
| 2017-05-12 11:09:23 UTC | Ability to upload arbitrary files to the [redacted] S3 bucket via signed Amazon requests [redacted] | $1,500.00 |
| 2017-05-12 11:07:07 UTC | Open administrative interface at [redacted] for [redacted] | $500.00 |
| 2017-05-04 00:25:09 UTC | Arbitrary file write and remote command execution on [redacted] | $9,500.00 |
| 2017-05-04 00:24:11 UTC | Local file disclosure on [redacted] | $2,000.00 |
| 2017-05-04 00:22:00 UTC | MySQL Injection on [redacted] Drupal endpoint [redacted], potentially able to escalate | $9,500.00 |
| 2017-04-21 04:00:55 UTC | Critical 2nd instance of SQL injection (no authentication required) on [redacted] | $1,000.00 |
| 2017-04-21 04:00:00 UTC | Persistent XSS + CSRF via [redacted] | $250.00 |
| 2017-04-21 03:59:44 UTC | Multiple reflected XSS on [redacted] | $200.00 |
| 2017-04-21 03:57:58 UTC | Reflected XSS via video-js.swf on [redacted] | $500.00 |
| 2017-04-21 03:57:44 UTC | Reflected XSS via copy_csv_xls_pdf.swf on [redacted] | $500.00 |
| 2017-04-21 03:57:26 UTC | Reflected XSS via flowplayer-3.2.16.swf on [redacted] | $500.00 |
| 2017-04-21 03:47:11 UTC | Source code disclosure through Git repo exposed on [redacted]/subs/.git/config | $1,000.00 |
| 2017-04-18 12:51:50 UTC | Django debugging mode enabled on [redacted] | $250.00 |
| 2017-04-18 12:47:29 UTC | Fully controllable SSRF on [redacted] allowing for GET/POST to internal resources | $17,500.00 |
| 2017-04-17 23:09:26 UTC | Building control system (Niagara) and 4G CradlePoint router externally exposed for [redacted] Pittsburgh office | $500.00 |
| 2017-04-14 15:07:24 UTC | No rate limiting enforced on [redacted] allowing for the ability to bruteforce event promo codes | $500.00 |
| 2017-04-14 03:13:46 UTC | RCE on [redacted] after bruteforcing valid credentials | $9,600.00 |
| 2017-04-14 03:11:38 UTC | Local file disclosure and SSRF in [redacted] | $3,100.00 |
| 2017-04-14 03:08:36 UTC | SQL injection on [redacted] | $1,100.00 |
| 2017-04-11 17:36:38 UTC | updateUserInfo RPC endpoint IDOR on [redacted] (view/update any users details via UUID) | $3,000.00 |
| 2017-03-30 00:53:31 UTC | 3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by [redacted] | $150.00 |
| 2017-03-21 19:31:45 UTC | PHPInfo debug scripts exposed on [redacted] and [redacted] | $150.00 |
| 2017-03-03 11:03:03 UTC | XSS on [redacted] through uploading SWFs as JPG | $1,800.00 |
| 2017-03-03 11:01:13 UTC | XSS on [redacted] due to WordPress vulnerability | $2,000.00 |
| 2017-03-01 20:58:14 UTC | Ability to bruteforce users on [redacted] confluence via bypassing route redirections | $3,000.00 |
| 2017-02-24 10:43:41 UTC | Account bruteforce bug for [redacted] users | $500.00 |
| 2017-02-24 10:43:09 UTC | [redacted] vulnerable to IIS short name disclosure | $250.00 |
| 2017-02-17 11:48:41 UTC | [redacted] vulnerable to IIS short name disclosure | $250.00 |
| 2017-02-17 11:46:10 UTC | WordPress admin bruteforce and interface through XMLRPC.php on [redacted] | $1,000.00 |
| 2017-01-24 00:05:33 UTC | Subdomain takeover of [redacted] through StatusPage.io | $110.00 |
| 2017-01-20 10:26:53 UTC | Reflected XSS via flashmediaelement.swf on [redacted] | $2,000.00 |
| 2017-01-19 23:07:35 UTC | Ability to bruteforce [redacted] accounts using associated mobile number via [redacted] | $3,300.00 |
| 2017-01-17 23:24:01 UTC | Ability to bruteforce [redacted] active directory through [redacted] | $300.00 |
| 2017-01-11 01:37:53 UTC | Ability to bruteforce [redacted] active directory through [redacted] | $3,000.00 |
| 2016-12-23 21:02:39 UTC | Exposed git repository on [redacted] reveals all application source code, including 1k user plain text passwords + db info | $4,000.00 |
| 2016-12-20 06:56:47 UTC | Publicly accessible sign up for Rocket Chat leading to potential breach of internal employees | $50.00 |
| 2016-12-16 10:46:58 UTC | Expired domain referenced in iframe elements on [redacted] | $1,000.00 |
| 2016-12-09 11:22:13 UTC | Information disclosure – subdomain leaks internal host via DNS | $250.00 |
| 2016-12-09 11:21:36 UTC | Account bruteforce bug on [redacted] | $750.00 |
| 2016-12-09 11:20:18 UTC | Critical – Perform administrative actions via an IDOR on [redacted] – Manipulation of the leaderboard and more | $500.00 |
| 2016-12-09 11:16:50 UTC | [redacted] Administration Panel [redacted] | $750.00 |
| 2016-12-09 11:15:00 UTC | Subdomains [redacted] pointing to EC2 instance owned by LucidPress (*.lucidpress.com) | $750.00 |
| 2016-12-09 11:13:10 UTC | Page takeover of [redacted]/ru/page/cosplay_contest due to expired Wufoo form | $750.00 |
| 2016-12-09 10:57:37 UTC | Publicly accessible *admin* access to AWS auditing tool used by [redacted] | $15,000.00 |
| 2016-11-29 10:49:02 UTC | Ability to map arbitrary VK.com IDs with [redacted] players via [redacted] | $750.00 |
| 2016-11-29 10:48:37 UTC | Info Disc. of Internal Docker Instance | $250.00 |
| 2016-11-28 14:10:40 UTC | Information disclosure (internal IP addresses of all workers, memory usage, status) for [redacted] | $250.00 |
| 2016-11-18 11:52:25 UTC | SQL Injection on [redacted] leading to full administrative access | $5,000.00 |
| 2016-11-18 11:49:29 UTC | Persistent cross-site scripting/partial arbitrary file upload on [redacted] | $3,000.00 |
| 2016-11-18 11:47:47 UTC | Partial Git repo information found on [redacted] | $250.00 |
| 2016-11-07 18:18:41 UTC | Potential dangling subdomain record [redacted] for thismoment’s SaaS tool | $2,000.00 |
| 2016-11-04 17:04:57 UTC | Weird Reflected XSS on [redacted] | $750.00 |
| 2016-11-04 16:50:25 UTC | Reflected cross-site scripting on [redacted] | $1,200.00 |
| 2016-11-03 11:58:18 UTC | Subdomain takeover of [redacted] via dangling CloudFront CNAME | $250.00 |
| 2016-10-31 15:46:05 UTC | Public read/write to Amazon S3 bucket [redacted] allowing for ability to replace Android [redacted] APKs and subdomain takeover | $200.00 |
| 2016-10-24 19:35:37 UTC | X-Forwarded-For bypasses to access debugging pages across multiple [redacted] hosts | $1,000.00 |
| 2016-10-13 17:25:36 UTC | Subdomain takeover of [redacted] leading to Starbucks account takeovers via cookie stealing | $1,000.00 |
| 2016-10-13 17:24:47 UTC | Subdomain takeover of [redacted] due to expired Azure traffic manager endpoint | $1,000.00 |
| 2016-10-13 17:22:22 UTC | Dangling DNS CNAME record for the domain [redacted] pointing to [redacted] | $2,000.00 |
| 2016-10-13 17:03:25 UTC | Symfony app_dev.php found on [redacted] – Profiler is enabled and accessible by anyone | $1,000.00 |
| 2016-10-10 23:49:06 UTC | Exposed administration interfaces for [redacted] infrastructure/third party applications | $100.00 |
| 2016-09-19 19:35:18 UTC | Sensitive information leaked via X-Forwarded-For header spoofing on [redacted] | $500.00 |
| 2016-09-13 20:44:44 UTC | Subdomain takeover of [redacted] via Amazon S3 buckets | $100.00 |
| 2016-09-07 18:03:11 UTC | Subdomain takeover of [redacted] due to expired Azure traffic manager endpoint | $1,000.00 |
| 2016-09-04 00:38:19 UTC | Insecure S3 bucket [redacted] leading to the takeover of critical assets [redacted] | $1,000.00 |
| 2016-09-01 21:21:44 UTC | Subdomain hijack of [redacted] through Unbounce Pages | $100.00 |
| 2016-08-31 20:32:42 UTC | Subdomain takeover of [redacted] leading to [redacted] account takeovers via cookie stealing | $1,000.00 |
| 2016-08-31 12:56:29 UTC | [Critical] Blind XSS in the [redacted] administration panel leading to full access of administration panel | $250.00 |
| 2016-08-31 01:33:12 UTC | Multiple critical risk vulnerabilities affecting Accellion Kiteworks on [redacted] | $3,000.00 |
| 2016-08-30 18:00:10 UTC | Reflected Cross-site Scripting on [redacted] due to unpatched Confluence | $50.00 |
| 2016-08-29 16:15:09 UTC | Subdomain takeover possible on [redacted] through Uservoice Feedback SaaS | $25.00 |
| 2016-08-23 17:06:26 UTC | Subdomain takeover of [redacted] through Heroku | $50.00 |
| 2016-08-23 15:43:27 UTC | Persistent cross-site scripting on event pages created on [redacted] | $75.00 |
| 2016-08-17 19:20:34 UTC | Subdomain takeover of [redacted] | $200.00 |
| 2016-07-30 13:56:21 UTC | Subdomain hijack of [redacted] due to expired S3 bucket [redacted] | $25.00 |
| 2016-07-26 20:35:16 UTC | Multiple source code repositories, private internal documents and config from [redacted] | $350.00 |
| 2016-07-25 21:01:07 UTC | Server-side request forgery allowing for the ability to contact internal [redacted] AWS hosts such as ElasticSearch and Staging instances | $3,000.00 |
| 2016-07-14 01:27:21 UTC | Subdomain Takeover [redacted] via Heroku | $100.00 |
| 2016-07-14 00:40:57 UTC | Subdomain no longer controlled by [redacted] | $100.00 |
| 2016-07-14 00:29:42 UTC | Subdomain no longer controlled by [redacted] | $100.00 |
| 2016-07-11 14:18:03 UTC | Subdomain hijack of [redacted] (WP-Engine) | $1,000.00 |
2016-07-04 02:15:08 UTCSubdomain hijack of [redacted] via Vagrant Share$100.00
2016-07-04 02:13:59 UTC3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by [redacted]$100.00
2016-07-01 09:29:53 UTCOpen administration panel with no authentication (full access) – [redacted]$500.00
2016-06-24 19:06:43 UTCSubdomain hijack of [redacted] (WPEngine #2)$1,000.00
2016-06-17 10:15:30 UTCOpen Remote bruteforcable MySQL login on [redacted]$750.00
2016-06-13 15:22:23 UTCPassword based bruteforcable SSH server on [redacted]$250.00
2016-06-03 10:22:34 UTCAdministration Panel Access (no auth required) to the [redacted]$3,000.00
2016-06-03 10:21:53 UTCMultiple issues on [redacted] with the Django Rest API [Info disc, Priv Esc, IDOR]$500.00
2016-05-20 12:43:21 UTCMinor information disclosure on [redacted] (project details and gitignore)$250.00
2016-05-20 12:41:34 UTCPartial page takeover again on [redacted]$1,000.00
2016-05-18 18:18:11 UTCLeaked FTP credentials for [redacted] => persistent XSS, uploading of files, SOP bypass$800.00
2016-05-13 10:10:21 UTCNine open administrator panels exposed on [redacted]$1,500.00
2016-05-13 10:09:19 UTCSubdomain takeover of [redacted] leading to the takeover of multiple pages on [redacted]$2,500.00
2016-05-13 10:08:42 UTCCSRF & Arbitrary file upload vulnerability to a [redacted] owned s3 bucket$500.00
2016-05-06 10:00:26 UTCOpen Joomla administration panel for the [redacted] application on [redacted]$500.00
2016-05-06 09:58:21 UTCThree instances of reflected XSS on https://[redacted]$2,000.00
2016-04-26 09:47:31 UTCReflected XSS on [redacted] via ZeroClipboard$1,750.00

I can tell you that the exact amount made, after calculating all of the payouts in the table above, is $635,387.47 made in 1590 days (4 years, 4 months). This is not the total amount I have made all-time in bounties. This figure is only inclusive of the HackerOne platform, no other platforms that I have submitted bugs to have been counted in this blog post. I report the vast majority of my bugs to programs on HackerOne.

I know hackers in the bug bounty community who are capable of making hundreds of thousands within weeks or months. Sadly, that’s not me, but I do find them inspiring. As I said earlier in this blog post, I came to terms with the fact that there are better hackers out there, and these days, I am proud to sit at rank 43 on HackerOne at the time of writing this.

If you divide the amount of money by the number of days, you will quickly work out that it averages out to roughly $400 USD a day. I could have been earning this amount or more by working as a consultant with a high day rate, but the difference is, I made all of the ~635k on my own terms.

I worked when and where I wanted to and didn’t touch a bounty program for weeks if I wasn’t feeling up to it.

There were at least 62 bugs in the table above that were the direct result of automation. This accounts for 18% of the total number of bugs I reported in the last 4 years. This is a pretty interesting takeaway, and proves to me that automation is one of the facets that leads to success in finding security issues.

These companies paid me quite a lot of money in order to lock down their attack surfaces. While earning this money and learning new techniques along the way, we built as much of the workflows, techniques, tooling and methodologies as we could into Assetnote. We found that by translating bug bounty success into a more digestible enterprise product, we were able to establish ourselves as a key player in the attack surface management space.

Today, we have a strong customer base that uses our product not only to find exposures immediately as they happen, but also, more creatively, to reduce their bug bounty spend by not paying for issues that can be found through automation. Assetnote’s platform has been thoroughly tested against attack surfaces during the last four years of my bug bounty hunting, and is capable of continuously finding security vulnerabilities.

A majority of the bugs were only possible due to automated asset discovery, but still required some manual inspection and exploitation. Large scale asset identification is still a key pillar of my success.

In terms of criticality, there were 24 SQLi’s, 22 SSRFs, 20 IDORs, and at least 11 RCEs.

I focused my time mainly on Uber as I simply enjoyed it more and valued the team working there – first with Matthew Bryant, Collin Greene and then with Joel Margolis after Matt and Collin had left.

For the four years of hacking on Uber, I was able to come up with a methodology when approaching their assets by having a deep understanding of their architecture, and development practices. This was absolutely key to my success, and I’m sure other successful bug bounty hunters have a specific way they approach a program. Every company is different when it comes to hacking them.


Throughout these four years, I collaborated with and learnt a lot from (in no particular order):

  • Andre – we owned [redacted] together through ObjectStateFormatter deserialization

I came across a host and, using all of my techniques for attacking .NET applications, I was able to find a few serious issues, but not command execution. At the time, research had been released on how it is possible to achieve RCE through the VIEWSTATE parameter, via insecure deserialization, if you have the machineKey.

I enlisted Andre to help, and he was able to not only successfully leak the machineKey, but also was one of the first people to create a tool to exploit this vulnerability.

Andre’s heavy experience in CTFs was key to our success in this collaboration.

  • Joel – we owned Facebook together through an XXE in a vendor product

I asked Joel for help when I was reversing a vendor product that Facebook had put up on their attack surface, under one of their corporate domains.

I was able to get the source code of this product by spinning up an AMI from Amazon’s Marketplace and then getting a shell on the deployed instance. However, when trying to debug a tricky potential XXE through XSDs, I wasn’t able to go further by just reading the source code.

I didn’t know why my exploits weren’t working.

Joel’s experience when it came to Java was key to our success here. He decompiled the jar files, created an IntelliJ project and fixed all of the errors. Then we started debugging it step by step.

It was an absolute pleasure watching Joel work this out and I look forward to collaborating with him in the future.

  • Naffy – for helping me understand that the best attack against Yahoo’s attack surface is persistence

I’ve known Naffy for almost a decade now, and the biggest thing I have taken away from him is that any attack surface can be broken into given enough time and effort. In the early days of bug bounties, Naffy was dominating the leaderboard for Yahoo’s bounty program – due to this he has a lot of experience with large attack surfaces.

Yahoo, now owned by Verizon, has an incredible amount of infrastructure and assets deployed on the internet. However, the noise on the attack surface is ridiculous to deal with.

What Naffy showed me was that with enough persistence and time, things break, and we have to be watching closely to capitalise on that.

  • Sean – I’ve lost count of the number of things we have owned together

Every time I have been in a tricky situation where I struggle with exploiting an issue due to technical complexities or lack of knowledge, Sean has been the one to push through and help develop proof-of-concept exploits.

Sean has been able to translate high-risk security issues into automation very successfully and it has led to a lot of vulnerabilities that we have disclosed together.

  • Oscar – I did a lot of collaboration on bounties with Oscar while I was at Bishop Fox

I used to talk with Oscar daily when I was at Bishop Fox. Oscar played a huge role when it came to showing me how to hyper-optimise the speed at which DNS bruteforcing is possible.

While I worked with him, I found him to be incredibly switched on and most of all, a kind person. He has contributed to many bounty successes while I was working at Bishop Fox.

  • Huey – we fine tuned my methodology on Uber together

JavaScript source maps are a brilliant way to better understand the internals of any client-side application. I look for source map files now every time I find JavaScript files, and that is thanks to Huey.

On Uber, we have used sourcemap files to better understand the GraphQL queries and API endpoints that are being used by Uber applications, to further exploit them. I have a better understanding of JavaScript thanks to Huey.

  • Anshuman – we audited source code together for a PayPal live hacking event

For a recent live hacking event, we took apart the CMS called PencilBlue as it was being used by a particular target. Together, we had a blast auditing the source code, beating each other to different flows in the application source code and bonding over the speed at which we approach attack surfaces.

  • Rhys – he helped me convert a stolen secret into an account takeover

At a live hacking event, I discovered credentials such as secret keys that were leaked through Google’s cached pages. A development asset which printed all of the environment variables and secrets in plain text was being proxied through ngrok, and Google had managed to not only index, but cache it, with all of the secrets in place.

After stealing these secrets from the cached copy, I asked Rhys to help me prove impact. He definitely delivered by converting the tokens I stole into an interactionless account takeover. Rhys is also very switched on. He won that live hacking event by miles.

We gained access to Mozilla’s internal AWS network by exploiting WebPageTest.

There are probably more people that I worked with over the years, but I cannot immediately recall. My point to you is that collaboration has been really important when it comes to growth and success in bug bounties.

Also, please don’t just ask someone to hack something for you. In all of the cases above, collaboration was successful because one of the two parties had already done the initial triage. There was always an initial foothold or concept that was shared out of trust, which then led to actual collaboration on the issue. Don’t expect that people are going to exploit things for you without presenting at least half of the exploit chain or idea.


As I’ve talked about previously in this presentation, my methodology still revolves around the identification of assets belonging to an organization on the internet.

The speed of asset identification and content discovery has increased tremendously. This is partially due to the fundamental shift in the security scene from writing tools in Python, to writing them in Golang or Rust, due to the speed benefits they entail.

We have also adopted this trend at Assetnote, and key components of our platform, such as our in-house DNS resolver, have been re-written and optimized in Rust by Huey to take advantage of the speed it brings.

The one thing I have noticed when it comes to analysing an attack surface is that your tools need to output information in a way that highlights relationships. For example, the output of most fast DNS bruteforcing tools simply sucks. Here’s how I prefer DNS data to be laid out – something that tracertea shared with me:

0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64

When you are looking at thousands of assets at once, you have no idea how much of a difference this optimisation can make. I can immediately recognise the relationships between the source and destination when it comes to analysing this DNS data.
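The layout above, as an added Python example (not the author’s or Assetnote’s tooling): it follows CNAME chains from a constructed in-memory record table, prints each name as `src -> cname. -> ip`, sorts names so that those sharing a target sit together, and flags chains that dangle, which is the condition behind many of the subdomain takeover reports in the table above. The shopify.com names are the ones shown in the sample; the example.com names and their targets are hypothetical.

```python
"""
Lay out DNS answers as resolution chains (name -> CNAME -> IP) and flag chains
that no longer terminate in an address.

Added example, not the author's or Assetnote's tooling. The record table below
is constructed for the demo and is consulted instead of the network; a name
that is absent from the table stands for a target that no longer resolves.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed zone data. The shopify.com names mirror the layout shown in the
# post; the example.com names are hypothetical and exist only to exercise the
# dangling and loop cases.
RECORDS: Dict[str, dict] = {
    "0.shopify.com.": {"CNAME": "wc.shopify.com."},
    "0.0.shopify.com.": {"CNAME": "wc.shopify.com."},
    "0.0.0.shopify.com.": {"CNAME": "wc.shopify.com."},
    "wc.shopify.com.": {"A": ["23.227.38.64"]},
    # CNAME to a hypothetical storage endpoint that is no longer in the table:
    # the precondition behind the "expired bucket" reports in the post.
    "shop.example.com.": {"CNAME": "example-shop.s3-website-us-east-1.amazonaws.com."},
    "blog.example.com.": {"CNAME": "example-blog.herokuapp.com."},
    "example-blog.herokuapp.com.": {"A": ["203.0.113.10"]},
    "loop.example.com.": {"CNAME": "loop2.example.com."},
    "loop2.example.com.": {"CNAME": "loop.example.com."},
}

MAX_HOPS = 8  # real resolvers also give up on over-long CNAME chains


@dataclass
class Chain:
    hops: List[str]                       # queried name, then each CNAME target
    addresses: List[str] = field(default_factory=list)
    status: str = "ok"                    # ok | dangling | loop | too_long


def fqdn(name: str) -> str:
    """Normalise to an absolute, lower-case name with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def resolve_chain(name: str, records: Dict[str, dict] = RECORDS) -> Chain:
    """Follow CNAMEs from `name` until an A record, a missing name, or a loop."""
    chain = Chain(hops=[fqdn(name)])
    seen = set()
    current = chain.hops[0]
    while True:
        if current in seen:
            chain.status = "loop"
            return chain
        seen.add(current)
        rrset = records.get(current)
        if rrset is None:
            # The target of the last CNAME has no records: a dangling chain.
            chain.status = "dangling"
            return chain
        if "A" in rrset:
            chain.addresses = list(rrset["A"])
            return chain
        if len(chain.hops) >= MAX_HOPS:
            chain.status = "too_long"
            return chain
        current = str(rrset["CNAME"])
        chain.hops.append(current)


def render(chain: Chain) -> str:
    """One line per name, `src -> cname. -> ip`, matching the post's sample."""
    parts = [chain.hops[0].rstrip(".")] + chain.hops[1:]
    if chain.status == "ok":
        parts.append(",".join(chain.addresses))
    else:
        parts.append(chain.status.upper())   # DANGLING / LOOP / TOO_LONG
    return " -> ".join(parts)


def report(names: List[str], records: Dict[str, dict] = RECORDS) -> Tuple[List[str], List[str]]:
    """Return rendered lines grouped by the name each chain ends at, plus the
    queried names whose chains dangle and need review by the zone's owner."""
    chains = [resolve_chain(n, records) for n in names]
    # Sorting on the terminal hop puts every name that shares a target next to
    # each other, which is what makes the relationships visible at a glance.
    chains.sort(key=lambda c: (c.hops[-1], c.hops[0]))
    lines = [render(c) for c in chains]
    dangling = [c.hops[0] for c in chains if c.status == "dangling"]
    return lines, dangling


if __name__ == "__main__":
    lines, dangling = report(list(RECORDS))
    print("\n".join(lines))
    print("\ndangling:", ", ".join(dangling) or "none")
```

Against a real zone, swap the table lookup for a resolver call; a dangling chain is a signal to retire the record or reclaim the target, and a target that still resolves but answers with a provider error page needs a separate HTTP-level check.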

It’s surprising that something so simple has had such a profound effect on me, but the same goes for color coding when displaying content discovery results. Most tools still lack in this area, and anyone who has had to spend the time combing through thousands of content discovery results will tell you that the task gets tiring quickly. Ultimately, I spend my time finding needles in haystacks, and colors make it so much easier.

When it comes to methodology, the program that has had the most profound effect on me is Uber, due to its ever changing attack surface.

In the four years, Uber has changed how they develop their software and deploy it. It has been extremely important to keep up with this and constantly reflect on the methodology being used to pierce through an attack surface. The continuous assessment of assets on the internet has been very effective against large attack surfaces in particular.

Attack surfaces are alive, evolving and complex at times.

When I first started hacking on Uber, I would see services such as Redis and HAProxy (admin panel) being exposed directly to the internet. I considered this to be an immature attack surface at the time as it was trivial to discover these security misconfigurations. But over the years, wow have they evolved.

These days, you simply will not find exposed services like Redis on Uber’s core attack surface, and this is a direct reflection of their processes and practices maturing internally when it comes to application security, and in a wider picture, their entire attack surface.

Instead, all of Uber’s internal and sensitive assets are routed to OneLogin at the DNS level. There have been cases where sensitive assets have slipped through the cracks and did not have OneLogin protecting them, but again, this is why monitoring attack surfaces continuously is so important.

Who knows? Someone could accidentally disable OneLogin protecting their assets for a short period of time, or spin up a sensitive asset that does not enforce OneLogin. Maybe because they are trying to test some changes, maybe because they don’t realise what they are doing.

I can confirm that the continuous monitoring of assets for security exposures is a core part of my methodology, and it is also the reason why we baked it into the core of Assetnote.

Not included in this blog post is all of the work I put into the United Airlines bug bounty, and due to the terms and conditions of their bounty program, I cannot go into much detail, but I can say that their attack surface has helped me hone my skills in .NET application security testing.

When I initially looked at an IIS server four years ago, I wouldn’t know where to start. These days, I have a methodology that has proven to be extremely successful when it comes to IIS servers in general.

Due to this and so much more that I do when I am approaching attack surfaces, I plan on releasing more videos on our YouTube channel over the next year. Please subscribe if you haven’t already 🙂


Assetnote’s Continuous Security Platform puts the power of automated reconnaissance and large scale asset identification in the hands of security teams around the world, so that they can replicate our methodologies and successes. Knowing what assets and exposures an attack surface has is key to locking it down, and we do our best to help security teams from all over the world with this.

If you work at a business that could use help with identifying and monitoring your assets, please reach out to us.

13 Expert-Recommended Tricks For Accelerating Your Online Growth


For online businesses, a high-performing website that encourages engagement and conversions is the key to successful growth. It often takes time to build up a steady stream of website visitors and consistent buyers. However, there are some things you can do to help accelerate the process.

If you want to scale your site visits and engagement, try these 13 growth hacks recommended by the experts of Young Entrepreneur Council.

Young Entrepreneur Council members suggest using these tips to boost your online growth.

1. Focus On SEO

Search engine optimization is a great way to increase your online presence and drive people to your website organically. SEO is effective because you sprinkle in special keywords in the written content on your site. Those keywords will in turn drive people to your site because they use the same exact keywords when searching for something on Google. – Patrick Barnhill, Specialist ID, Inc.

2. Run A/B Tests

Lower your customer acquisition costs through multiple rounds of A/B testing. Once you’ve hit your targeted acquisition rate, deploy large amounts of marketing capital through that funnel. This has proven to be effective because, as you begin to understand your target audience, it becomes easier to predict their behaviors and tendencies. – Jordan Edelson, Appetizer Mobile LLC

3. Launch Retargeting Campaigns

Launching retargeting campaigns as part of your online growth strategy is one of the most effective approaches. In fact, it often achieves greater results and exceeds conversion rates of regular advertisements. Retargeting allows you to focus on shoppers with high intent to purchase, in addition to decreasing acquisition cost. – Blair Thomas, eMerchantBroker

4. Develop Comprehensive Customer Personas

I think the key to website success is developing comprehensive customer personas. You’re going to have a hard time growing your business if you’re not sure who to target. Review your website analytics and feedback forms so you can learn more about the people that frequent your website. Use this information to create compelling content and offers that are geared towards those users. – John Turner, SeedProd LLC

5. Experiment Often

In growth hacking or growth marketing, rapid growth can be achieved by carrying out experiments. You can do split tests to see what keywords, prices and offerings create the best results for your audience. When you find something that works, leverage the experiment by scaling it up and applying it to your marketing activities. In this way, an experimental mindset helps you grow your business fast. – Syed Balkhi, WPBeginner

6. Expand Your Pinterest Presence

Whether you own an e-commerce website, run a blog or lead a service-based business, develop an audience on Pinterest to send back to your website. Create content and visuals that represent your brand to attract website traffic, and use links back to blog posts with content upgrades. This will be one of the most effective ways to build an engaged audience. – Kristin Kimberly Marquet, Marquet Media, LLC

7. Tap Into Your Network

To accelerate your online growth, don’t underestimate what your networking connections can do for you. Knowing the right people can make all the difference in the direction your company goes in. A few positive endorsements from well-known entrepreneurs and leaders can put your foot in the door for more great opportunities. – Jared Atchison, WPForms

8. Be Customer-Centric

To accelerate your business growth, you need to create customer-centric strategies that focus on your buyers and their needs. If a company develops a plan based on the results instead of the data and people they serve, then it’s clear why they aren’t reaching the level of success they want. When your customers know that you want to provide for them, they’re sure to come back. – Stephanie Wells, Formidable Forms

9. Build A Brand Community

Do whatever it takes to create a community around your website, brand or products. You can do that through social media, user-generated content, guest posts, email newsletters and more. By inviting people into your world, you’re helping them get invested in your business, making it easier for them to become loyal fans and customers. – Thomas Griffin, OptinMonster

10. Provide Value And Education Through Content

Creating great content isn’t a “quick fix” hack, but it is the best strategy for the long-term. By creating high-quality content that actually educates and engages your audience, you are giving them a reason to return to your site and making your company stay top-of-mind for them. – Kelsey Raymond, Influence & Co.

11. Devote Resources To Content Promotion

Don’t just create good content—promote it. I see many organizations making this mistake. They invest time and money in creating great content and posting it online, but nothing happens. So they get frustrated, thinking that content marketing doesn’t help them grow. Promoting your content doesn’t make you intrusive. It only puts you in front of the right people—those who are interested anyway. – Solomon Thimothy, OneIMS

12. Build An Email List Before Your Site Launches

Many people often wait until the day of their website launch to start building an email list. A powerful way to build an audience and grow your business even before it’s launched is to create a “coming soon” page. Here, you can create a registration form and add a countdown timer. A “coming soon” page will help you build an email list and nurture your audience even before your business opens. – Blair Williams, MemberPress

13. Review Your Analytics

The key to boosting your growth is to look over your analytics. Data from your website, social media and email campaigns can help you make smart marketing decisions. For instance, if you notice that a majority of people across all platforms are clamoring for a specific feature, you can quickly add it. Using your data in this way can boost customer satisfaction, retention, sales and traffic. – John Brackett, Smash Balloon LLC

COVID Pandemic Taught Small Business These Important Cyber Security Lessons (INFOGRAPHIC)


With working from home the new norm, hackers are exploiting weaknesses in new working practices. The sharp increase in hacking and phishing activity has shone the light on the importance of cyber security.

Exploring the risks surfacing in the post-COVID economy, Data Connectors have compiled an infographic. Data Connectors are providers of the largest cyber security community in the US. The ‘Cybersecurity for the Post-Covid Economy’ infographic looks at the cyber security risks the pandemic has exposed. It looks at how businesses can make cyber security improvements to protect their tech and data.



COVID Cyber Security Lessons for Small Business

The Covid-19 pandemic has changed working practices, perhaps indefinitely. Remote work is now a common part of the workplace. Research shows 1 in 3 employees believe the cyber security of their company is a moderate or major issue.

With hacking and other cyber crime on the rise, it is vital that small businesses take cyber security seriously. Protecting systems, networks and devices is important in the race against cyber crime targeting businesses.

As Itai Sel, CEO of Naval Dome, comments for Data Connectors’ infographic:

“Companies are stretched thin and this is benefitting the hacker. It is not sufficient to protect only networks from the attack. Each individual system must be protected. If networks are penetrated, then all connected systems will be infected.”

The Threat of Coronavirus-Related Cyber Attacks

In March and April 2020, more than 192,000 COVID-related cyber attacks were reported each week. This is a 30% increase in the number of reported cyber-attacks compared to pre-coronavirus.

Why Businesses Are at a Greater Risk

The infographic asks why businesses are at a greater risk of falling victim to cyber crime. It cites the large-scale growth of working from home, customer-facing networks, and online cloud services as being exploited by cyber criminals.

What COVID Teaches Us About Cyber Crime and Security

According to Data Connectors’ research, cyberattacks can spread at nine times the rate of Covid-19. They can also lie dormant for months while they spread.

The economic impact of a digital shutdown could be immense, the infographic warns. For example, a digital virus with the same virulence as Covid-19 could brick or wipe 20 million infected devices.

The Challenges of Recovering from Digital Destruction

The infographic warns that tech companies could struggle to meet the surge in demand of a digital shutdown. Failing to keep up with demand could grind the economy to a halt.

Threat of Cyber Pandemics

The research points to the threat of ‘cyberpandemics’ and that future pandemics could be cyber-related. Such pandemics could spread faster and further than a biological virus, with an equal or even greater economic impact. A global loss of internet would cost $50 billion per day, says the infographic.

Improvements Small Businesses Can Make to Protect Themselves

Since February 2020, there has been a 600% increase in phishing. 67% of businesses have experienced an IoT security incident. 55% of organizations plan to increase IT/OT alignment.

As businesses continue to work from home, security policies and procedures must be implemented to reflect the shift. Such policies and procedures should include disaster recovery plans. Having a business disaster plan in place is one of the best ways to prepare for disasters of all kinds.

The infographic advises businesses to adjust insurance coverage to incorporate cyber risk. New policies should also be put into place for mobile security and bring-your-own-device.

Businesses should also consider increasing bandwidth to move teleconferencing between sites. Secure VPN access should be established for employee workstations. Data should be monitored by adding a cloud access security broker. Network-level authentication should be made part of remote desktop protocols.

Company-issued devices need to be managed centrally with remote monitoring, as opposed to assigning administrative privileges to end users.

In the ‘new’ business climate, businesses need to be more vigilant than ever about the risks of cyber crime.



The Infosec Apocalypse


The rise of tooling for vulnerability detection combined with pressure driven by Vendor Due Diligence is causing a massive enterprise freezeout for non-mainstream technologies across the board. Of particular concern is the impact this will have on the adoption of functional programming in enterprise and small business B2B development.

I see now that the last 10 years were “easy mode” for the growth of new programming tools and infrastructure, with many new breakthrough technologies seeing rapid adoption. Languages like Node, Go and to some degree Scala saw breakaway success, not to mention all of the new cloud tech, NoSQL tech, containerization and data processing platforms along with their custom query DSLs. Other languages like Haskell saw success in small companies and skunkworks style teams solving very difficult problems.

The Rise of Vulnerability Scanning

Just this past year I’ve come to see we’re in the middle of a massive change across the industry. There are new forces at play which will calcify current software stacks and make it extremely hard for existing or new entrants to see similar success without a massive coordinated push backed by big enterprise companies. This force is the rise of InfoSec and vulnerability detection tooling.

Tools like Blackduck, WhiteSource, Checkmarx and Veracode are exploding in popularity; there are too many to list, and many are variations on the same theme. In the wake of so many data leaks and hacking events, enterprises no longer trust their developers and SREs to take care of security, so protocols are being implemented top down. This isn’t just on the code scanning side: a similar set of things is going on with network scanning, which impacts programming languages less but will similarly calcify server stacks.

These tools are quickly making their way into SOC2 and SDLC policies across industry, and if your language or new infrastructure tool isn’t supported by them there’s little chance you will get the previously already tenuous approval to use them. This sets the already high bar for adoption much higher. As you might expect, vendors will only implement support for languages that meet some threshold for profitability of their tools. Not only do you need to build a modern set of tools for your language to compete, now you also need support from external vendors.

Vendor Due Diligence

Maybe we should just cede this territory to enterprise tools with big backers like Microsoft and Oracle; we never made more than a few small inroads anyway. The use of these tools is arguably a good thing overall for software security. Unfortunately, the problem cannot be sidestepped so easily, and I’m afraid this is where things look very bleak. The biggest new trend is in enforcement of these tools through Vendor Due Diligence.

You may not be familiar with Vendor Due Diligence if you aren’t in a manager role. The basic idea is your customer will send you a long list of technical questions about your product which you must fill out to their satisfaction before they buy your product or service. In the B2B space where I work these lists are nothing new, but have been getting longer and longer over the last 10 years, now often numbering in the hundreds of questions.

Most recently I’ve seen more and more invasive questions being asked, some even going into how teams are organized, but important to this article is that across the board they now all ask about vulnerability scanning and now often request specific outputs for well-known vulnerability scanning tools. The implication being that if you’re not scanning with these tools they won’t buy your software, and the list of supported languages is small.

Any experienced technology manager sees the natural tradeoff here. When it comes down to making money versus using cool tech, cool tech will lose every time. You’re just burning money if you’re building cool things with cool tech if you know no one will buy it.

So What Now?

Potentially we will see a resurgence of “compile-to” functional programming with mainstream language targets to sidestep the issue. I suppose though that the extra build complexity and problems debugging will prevent this from ever being mainstream, not to mention that the vulnerability tools look for specific patterns and likely won’t behave well on generated code.

There is some hope in the form of projects like SonarQube, which lets users come together and build custom plugins. Will functional programming communities come together to build and maintain such boring tech? I somewhat doubt it. This kind of work is not what most programmers would choose to do in their off time. Similarly, vulnerability detection is unlikely to be a good target to be advanced a little at a time with academic papers. It would take true functional programming fanatics to build companies or tools dedicated to the cause. If you are interested in helping out, pay attention to the OWASP Top 10, as this list drives focus for many infosec teams.

Where does this leave us? If our communities do nothing, then smaller B2B software operations focused on mom-and-pop shops, or consumer-focused web applications, likely won’t see any impact unless static analysis makes it into data protection law. Beyond those use cases, FP will be relegated to tiny boxes on the back end where vulnerabilities are much less of a concern and the mathematical skills of functional programmers can bring extreme amounts of value.

I know there are many deeper facets I didn’t cover here, if you want to continue the discussion join the thread on twitter.

Millions of Users Love Zoom: Here’s Why That’s Bad News


Social distancing has pulled in thousands of new users, but security flaws have been a real issue.


With work-from-home and social distancing policies increasing reliance on video conferencing applications, Zoom Video Communications (NASDAQ:ZM) has posted record-breaking growth. Investors swooped in and pushed the company’s share price 40% higher in a single day of trading, although the entire market did pull back substantially shortly after. But somehow, somewhere, didn’t everyone forget the hacking scandals from earlier this year?


User count jumps sky-high

At face value, Zoom posts drool-worthy numbers. The company reported in August 2020 that total revenue had grown 355% year over year to $664 million in the second quarter. These results exceeded the guidance of $495 million to $500 million, as demand remained at heightened levels and more free users were converted to paying customers. Most impressively, current customers with more than 10 employees increased by 105,000 to approximately 370,000. So Zoom is clearly growing at an eye-popping rate.

The company claims to have more than 300 million daily active participants, although total unique user counts have not been disclosed to date. Zoom’s popularity may stem from its extremely user-friendly features — simultaneous screen sharing, group messaging, mobile collaboration, mobile app screen sharing, and the ability to host multiple users in a video call. So people are flocking to it in droves. But therein lies the problem. 

Hacking and stolen data

Zoom’s wild popularity led to very inventive hacking, which splashed across the news earlier this year. Interruptions were varied, ranging from “zoombombing,” in which a user or hacker broadcasts inappropriate video across a Zoom call room, to dangerous thefts of private data from user devices.

Large companies and organizations went so far as to ban Zoom from use, turning to competing applications like Microsoft Teams and Google Meet. Google banned company employees from using Zoom on employee laptops, while SpaceX and even NASA prohibited use, all citing security concerns.

The actions made sense at the time, since Zoom actually had such weak security measures back in March and April that they were essentially nonexistent. Of course, after the negative backlash, the company quickly acquired security company Keybase and worked to deploy encryption measures that could better protect its growing user base. 

Better but still not perfect

The problem with Zoom’s security measures lay in the ease with which hackers were able to enter a user’s device. Nowadays, stolen digital data is a huge issue. Our lives are literally there for the plucking. And with millions of people vulnerable through Zoom, that could create a major headache.


Zoom now offers AES 256-bit GCM transport encryption to all users, which means that the connection between the Zoom app and Zoom’s server is encrypted the same way the connection between your web browser and, say, this article is encrypted. In other words, when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it will not stay private from the company.

The company stated that it is working toward an end-to-end encryption add-on feature, but for a Zoom meeting to be end-to-end encrypted, the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the ability to decrypt it. That is, Zoom itself would not have the technical ability to listen in on Zoom meetings — which is very important, if the users happen to be large organizations exchanging sensitive information.
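To make the difference between the two designs concrete, here is an added example (not code from the article, and not Zoom’s implementation) written in Go against the standard library’s AES-256-GCM. It models a relay server forwarding one frame from Alice to Bob. With transport encryption only, each client shares a session key with the server, so the server has to decrypt the frame to re-encrypt it for the other side and necessarily sees the content. With a meeting key that only the participants hold, the server can still strip and re-apply its transport layer but gets an authentication failure on the inner frame. The names, keys and message text are constructed for illustration, and the meeting key is simply assumed to have been agreed between Alice and Bob outside the server’s view; that key agreement is the hard part of a real end-to-end design and is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// newKey returns a fresh random 256-bit AES key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) []byte {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal. Under any key other than the one used by seal, the GCM
// tag check fails and open returns an error rather than garbage plaintext.
func open(key, sealed []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed message too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// RelayResult records what the relay server could read while forwarding one
// frame from Alice to Bob, and what Bob ended up with.
type RelayResult struct {
	ServerSaw   string // plaintext if the server could decrypt it, "" otherwise
	BobReceived string
}

// transportOnly models transport encryption: each client shares a session key
// with the server only, so the server must decrypt Alice's frame to re-encrypt
// it for Bob. The plaintext is therefore visible to the server by construction.
func transportOnly(msg string) RelayResult {
	aliceServer, bobServer := newKey(), newKey()
	fromAlice := seal(aliceServer, []byte(msg))

	// Server: decrypt, then re-encrypt under Bob's session key.
	pt, err := open(aliceServer, fromAlice)
	if err != nil {
		panic(err)
	}
	toBob := seal(bobServer, pt)

	got, err := open(bobServer, toBob)
	if err != nil {
		panic(err)
	}
	return RelayResult{ServerSaw: string(pt), BobReceived: string(got)}
}

// endToEnd adds a meeting key the server never holds (assumed here to be agreed
// between Alice and Bob out of the server's view). The server still strips and
// re-applies the transport layer, but the inner frame stays opaque to it.
func endToEnd(msg string) RelayResult {
	meetingKey := newKey()
	aliceServer, bobServer := newKey(), newKey()
	fromAlice := seal(aliceServer, seal(meetingKey, []byte(msg)))

	// Server: the transport layer comes off, leaving only the inner ciphertext.
	relayed, err := open(aliceServer, fromAlice)
	if err != nil {
		panic(err)
	}
	serverSaw := ""
	for _, k := range [][]byte{aliceServer, bobServer} { // every key the server has
		if pt, err := open(k, relayed); err == nil {
			serverSaw = string(pt)
		}
	}
	toBob := seal(bobServer, relayed)

	// Bob: peel the transport layer, then the meeting layer.
	outer, err := open(bobServer, toBob)
	if err != nil {
		panic(err)
	}
	got, err := open(meetingKey, outer)
	if err != nil {
		panic(err)
	}
	return RelayResult{ServerSaw: serverSaw, BobReceived: string(got)}
}

func main() {
	msg := "quarterly numbers attached" // constructed sample meeting content
	fmt.Printf("transport-only: %+v\n", transportOnly(msg))
	fmt.Printf("end-to-end:     %+v\n", endToEnd(msg))
}
```

The point to take from the second function is that the server is not prevented from decrypting by policy but by arithmetic: every key it holds fails the GCM tag check on the inner frame. That is what "Zoom itself would not have the technical ability to listen in" has to mean in practice, and it also shows why the open question for any end-to-end product is how the meeting key reaches the participants without passing through the operator in the clear.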

Fortunately, Zoom has finally realized the importance of protecting user data. This growing tech stock has access to millions of people, and that number will continue climbing as Zoom’s paying customer base rapidly expands. Imagine, millions of potential hacking targets.

However, Zoom has adroitly turned its hacking scandals into a source of future business inspiration, opening up a world of new clients if it does eventually offer true end-to-end encryption. And with this improved approach to security, Zoom may eventually shine as a new leader in the video conferencing industry.



Give your business the attention it deserves with this marketing training


If you want to successfully grow your brand or business online, you need to have a thorough understanding of the tools and platforms that are used by true digital marketing pros, and the Complete Digital Marketing Growth Hacking Certification Bundle will get you up to speed for just $34.99 when you sign up today.

This 9-course bundle comes packed with over 400 lessons that walk you through how to promote virtually anything on Facebook, Google, YouTube, and much more.

You’ll learn how to create engaging content, how to attract new users to your pages using organic marketing techniques, how to analyze data in order to make better business decisions, how to use keywords in order to climb to the top of search rankings, and more—all through lessons that are easy to follow regardless of your experience level.

Take your brand or business to the next level with the Complete Digital Marketing Growth Hacking Certification Bundle for just $34.99—over 95% off its usual price for a limited time.

Prices are subject to change.

The Case For “Bio Hacking” Your Way To A More Meaningful And Enjoyable Life

Earlier this summer, I had the opportunity to attend 40 Years of Zen in Seattle, Washington. The five-day Master Program is designed to bring participants the benefits of forty years of advanced Zen meditation to raise intellectual and emotional intelligence, and creativity, increase productivity and decision making, and obtain clarity of mind. The end goal is to experience more happiness, better relationships and an upgraded life. In short, it teaches you how to hack your brain to maximize the impact you can have on all areas of your own life.

While hacking your brain may sound a little wacky at first, the five-day program of neuro and biofeedback is really about improving blood flow to the brain, which is a great defense against dementia and Alzheimer’s, and a number of other ailments. It also contributes significantly to creativity, which influences problem solving and many other skills we use in our daily lives.

While the brain is a “globular organ,” rather than a muscle, you still need to exercise it to keep it healthy and functioning. Otherwise, similar to our muscles, it will atrophy and diminish over time. The opposite is also true. When exercised, the brain can be strengthened, and the mind expanded. And for both our brains and our muscles, improved blood flow is key to how well they function.

How do you hack your brain?

Good question. Hacking the brain requires achieving a certain state called alpha, and sometimes gamma. To get there, you have to deal with real life issues and personal challenges, which actually turns out to be a bonus. Not only are you facilitating personal growth, but you’re dealing with a lot of baggage you’ve been carrying around at the same time.

For example, one of my favorite exercises focused on “good versus bad.” The challenge here was to look at some of the toughest things that have happened in our lives and examine “what was the gift?” What did we learn about ourselves or others from that experience? This exercise teaches us that even our worst experiences provide gifts.

What’s the worst that can happen?

A similar exercise examined “worst case” scenarios. That involved meditating and evaluating a particular problem or issue—something you’re afraid of—and determining what’s the absolute worst thing that can happen? I was a little skeptical about this one because the worst case rarely ever happens. However, the challenge, again, was to determine “what’s the gift?” It turns out that this is a really powerful exercise in freeing yourself to live a life without fear—one that is limitless, where you can do anything you set your mind to achieve.

I encourage you to take some time in the days ahead and write down several things that happened to you that you initially perceived as being bad and find the gift in them. You may surprise yourself.

The CEO of you

Another favorite exercise was examining the many ways we show up in life. Did you ever stop to realize that you’re the CEO of you? What I mean by this is that each of us is responsible for managing the myriad of different dynamics and personalities that exist within each of us—all of the different manifestations of our “selves.” For example, when I listed mine, I had 12 dimensions of “Ron.” These ranged from the no-filter Ron, to the wilderness Ron, philanthropist Ron, and sometimes the workaholic Ron, to name a few.

I also added something that wasn’t actually part of the exercise. I went through and listed the “Rons” that I wanted to be in order of priority, from 1 to 12. Initially, I wanted to focus on the top three Rons on my list, but when I looked at it, I expanded it to the top five. So I decided my top three would be my primary focus and the next two would be my secondary focus. However, I also wanted to focus on the dimension at the very bottom of my list—the Ron I least wanted to be. I thought it was just as important to understand how I improve on that version of Ron. For those of you who know me, you won’t be surprised to learn that the “no filter Ron” secured the number 12 slot. (My facilitator was much kinder, referring to this Ron as a “raw truth giver.”)

The goal here was to focus on the things that are really important to you, the things at the top of your list, to make them stronger. But you also don’t want to ignore your weaknesses—the things you like least about the way you show up. You want to improve those as well.

Don’t forget to “Bio Hack” into your finances

After going through these exercises, I realized that there’s good and bad in almost everything that occurs in our lives, and it’s up to us—and our attitudes—whether we pull the good or the bad from each experience. It’s not like one person is blessed with lots of “good” and another simply encounters lots of “bad” in life. Our attitudes are often what determines good from bad in the first place. The same can be said about our finances. Most of us are going to go through rough patches. As we weather the current storm (the economy during a pandemic), we have to remember to hack our brains a bit. This can mean evaluating our finances on a more regular basis, creating or building on an emergency fund, or meeting for the first time with a financial advisor.

Spending time finding Zen may expand the way you think about your personal investments. If you have challenges, I encourage you to dive in and understand why. If it’s hard to get started, check out these 12 tips.  

The six or eight inches between our ears is what really matters and drives everything we are and can be in life. I urge you to avail yourself of the latest technologies, keep your mindset and finances in check and become aware of the knowledge that’s available to all of us, like hiring an advisor, to “bio hack” ourselves to have more meaningful, fruitful and enjoyable lives. You’ll be glad you did!

Grow your audience by mastering the many facets of digital marketing

This massive bundle of lessons will teach you how to connect your brand or products with the widest possible audience.

Marketing moved online long ago, and every week that goes by, it becomes more fundamental to the ways we buy and sell. Facebook, YouTube, Google and Amazon have become the core of our modern economy. So if you’ve got a product, brand or anything else you want to connect with customers or audiences, you’ve got to learn the ins and outs of digital marketing.

The Complete Digital Marketing Growth Hacking Certification Bundle is a massive resource of information and insight into online marketing. With nine courses comprising more than 400 lessons, it’s got something for even the most online-savvy people to learn.

Get the scoop on how to  effectively use Facebook to establish your presence so people can connect with what you’re offering. Master Google Tag Manager so you can manage multiple analytics and marketing tags from a single dashboard. Get a deep understanding of growth techniques to boost your conversion rate. Learn the strategies for increasing fans, engagement, and reach on YouTube.

With these lessons, you’ll dial in your SEO, master Amazon FBA and get acquainted with plenty of other abbreviations that you might not recognize now, but you’ll be deeply familiar by the end of these courses.

Buy now: Get the Complete Digital Marketing Growth Hacking Certification Bundle for $34.99. That’s a massive 97% off the usual price.

Builders who will thrive in the new world


As the global pandemic leaves us frozen in place, it’s impossible to imagine a future that resembles the past. There will be no return to normalcy. Instead, we’ll need to create a new reality that’s resilient, anti-fragile and grounded in flexible, empathetic values as we re-enter the physical world with a new perspective. 

COVID-19 has underscored the importance of individual contribution — to flatten the curve, to navigate the new normal and to build the future. The need to build infrastructure, institutions, products, processes and ultimately new possibilities for both work and life.

Who are the creators, founders, and forgers who will build the new world?


With the proliferation of open-source, no-code/creators tools and new professional networks, the builders who will thrive in the new world will not only ‘think different’, but look and build different.

The seven types of builders who will thrive in the new world: 

  • The Designers who Code

  • The Career Jumpers 

  • The Ambitious Advisors 

  • The Creative Hackers 

  • The Industry Academics

  • The Community Builders

  • The Couples who join forces

When we combine technical excellence with opinionated design, we arrive at the designers who can code. Shipping an MVP and iterating based on user feedback is the default for startups; committing to a creative vision and marrying art with technical acumen and user-informed, but not dictated, features has created multiple $2B+ category leading companies: Figma, Notion to name a few. 


In circumventing the debate of whether design-led companies can achieve both creative and technical excellence or whether designers should code , we can observe the transformative tools that are built when they can code. 

A design-led founder to the core, Ivan Zhao is building Notion for a “post-file, post-MS Office world”. They’ve adopted a design process that’s quick and iterative by hiring designers who can code: “All designers at Notion can [code]…we love solving problems holistically.” In building tools for thought, Notion is helping people craft conceptual frameworks for life and work, solve harder problems collaboratively, and hack on ideas without writing code. 


Informal polling suggests that the majority of designers push or write code at least sometimes. We’ll increasingly see technical designers found companies that bring design thinking to new products; Rahul Vohra’s experience as a game designer informed the game-like experience of Superhuman.

Technical designers bring aesthetics to computing and create products that draw people in and keep them engaged in a thoughtful and inherently more intuitive way.  

The best builders rarely stay in their lane. Instead, they find new opportunities to cross-pollinate their learning across different problems, roles, and industries. I call this triple threat mentality, it’s balancing multiple careers or creative projects that reflect multi-dimensional skills, interests and values.

The career jumpers collect and synthesize the expertise and skills they’ve gained across sectors into new insights, moving from law to biometrics or publishing to technology. Or Tech Twitter’s favorite: tech journalism to venture capital. 

This week, Josh Constine announced he will be leaving TechCrunch to join SignalFire as Principal and Head of Content. He’ll be in good company, as fellow journalists turned venture capitalists include Kim-Mai Cutler, Alexia Bonatsos and Katherine Boyle.

For readers outside of the Silicon Valley tech bubble, Peloton’s Robin Arzon, a head instructor who brings unapologetic swagger to her guided rides, continues to be my go-to example for the determined career jumper. She’s Peloton’s VP of Fitness Programming, an Adidas brand ambassador, and the author of Shut Up and Run.


She began her career as a lawyer and spent seven years as a corporate litigator. She opted out of the partner track at her law firm and went all-in on a career in fitness. Her contributions to the Peloton brand are invaluable; the company’s S-1 filing reveals how crucial instructors have been in building Peloton into a fitness juggernaut with over 1.4 million members: 

If we are unable to attract and retain high-quality fitness instructors, we may not be able to generate interesting and attractive content for our classes.

On a platform where riders get attached to their favorite instructors, Arzon’s unlikely career jump from law to fitness and her six year tenure at Peloton has no doubt had an impact on the company’s $8.1 Billion valuation.

Likewise, after finishing her Law and Business degree, Margaret Zhang saw opportunity beyond a traditional path. She dove deep into digital media in 2009 when she started her blog, now with over a million followers. Since then, she’s worked in the fashion industry as a multi-hyphenate: filmmaker, photographer, consultant, and writer.


She co-founded BACKGROUND, a global consultancy with a focus on connecting Western and Chinese for luxury and lifestyle brands. She’s worked with companies like Chanel, Gucci, and Louis Vuitton. Cultural builders like Zhang –– crafting content, capturing snapshots, filming stories –– have the world’s ear and frequently use their platforms to creatively bring attention to issues like sustainability and environmentalism.

Another class of career jumpers includes the hourly hustlers: often gig workers who channel their tenacity and grit into quickly earning lucrative skills online and finding new ways to make money. For instance, this includes Uber drivers turned no-code website developers. These experience meaningful upward mobility that comes from being entirely self-taught. 


The career jumpers are skilled in the art of the pivot and make strong founders because they’re flexible and adapt quickly to new challenges. It’s easy to confuse their next move with starting from scratch. In reality, they’re simply plotting a continuation, treating their careers as a jungle gym rather than a ladder. They blend together the expertise and skills they garner along the way to craft innovative products and businesses.

Advisors, agencies and freelance executives have a unique upper-hand: access. 

In creating a personal service offering and working across a number of companies, they have a front-row seat to the problems faced inside companies and an iterative playbook for ways to solve them. What distinguishes the ambitious advisors from career consultants at major firms is their operating experience inside tech companies and their ability to transition smoothly from a full-time role plus advising on evenings and weekends, to full-time advising, and in some cases to building a venture-scale software company, using services to bootstrap their way to product-market fit. 

Before founding the Internet Archive and Alexa, Brewster Kahle worked at Thinking Machines which built and sold software. However, the company also provided consulting services that allowed them to work with publishing giants, like the Wall Street Journal and Encyclopedia Britannica. Kahle shared his experience in Founders at Work:

We started what I think became the first web studio, or web services business. We worked with big players, whether they were newspapers or magazines, that wanted to publish on the Net. This allowed us to work with big boys very early on.

We continue to see ambitious people in tech consulting and advising companies. Prior to co-founding Oxide Computer Company, Jess Frazelle consulted on technical specialties like containers and Linux architecture. A sought after designer, Pablo Stanley, has a full time role as a Design Lead at InVision, uses Superpeer to make extra money by offering 1:1 advice calls for a flat fee for his followers and designer friends, and recently started Blush to bring illustrations to everyone. 


In the case of emerging tech sectors like JamStack, we see a large percentage of founders come from an agency background where building web projects for clients leads to a unique insight on ways to improve the software development process for others. Stackbit and TakeShape are two recent venture-backed examples.  

The creative hackers win friends, influence people, and break the internet. They find ways to bring products and experiences to life without writing code. Instead, they dream up big projects and forge partnerships to bring them to fruition or build with flexible no-code tools. 

In the midst of the current pandemic, creative hackers are finding ways to end social isolation and bring people together online. 

Marco Marandiz, the co-founder and Head of Marketing at Elliot, launched Virtual Mall, a collaborative spreadsheet for people to interact with their favorite brands. 


Ani Acopian, Suzy Shinn, and @Scott Buscemi teamed up with an unlikely partner to create scrubhub.tv, a parody hand washing video site, to raise money for non-profit organizations helping people affected by COVID-19. Those showing resilience and creativity in tough times are the makers we’ll continue to see break new ground.


I recently took a shot at creative hacking by building Stay at Home Valley in Figma, an interactive space where anyone can build, celebrate good news and make new friends.


In less than 12 hours: 

  • 200 startup offices and points of interest: Dropbox, Instagram, Webflow, Salesforce Tower

  • The community “re-opened” their favorite local businesses: Boba Guys re-opened across the city, local climbing gyms and favorite trendy date spots 

  • Notion announced $50M round at $2B valuation from Index Ventures’ Sarah Cannon seen leaving the office, Cristina Cordova joined from Stripe as Head of Platform & Partnership. You’ll find shoes outside the office, a nod to Notion’s no shoes allowed culture. 

In the case of Stay at Home Valley, we didn’t quite break the Internet although we saw Dreamforce-level traffic for two straight weeks in a single Figma file.


Academia is losing its luster as a career track. Tenure is increasingly difficult to obtain, particularly for women who opt for marriage and kids. Subject matter experts passionate about their expertise are corralled into administrative duties that distract from making breakthroughs in their field. Those who stay often cite the same challenges: meagre pay, time consuming grant applications, and institutional politics.

Academics are finding new homes. Companies like DeepMind and OpenAI recruit research scientists with PhDs to solve complex challenges in artificial intelligence. We also see academics infiltrating marketing and growth teams at companies like Airbnb and Slack as data scientists or venture capital firms as research fellows or scientists-in-residence. Academics are in a unique position to merge their deep expertise with industry experience to become innovative founders. 

Others in higher learning are taking their teaching experience and leveraging it into ideas for startups. Melanie Perkins, the founder and CEO of Canva, created the design platform after combining the lessons from two phases in her career: teaching students how to use Adobe design tools and starting Fusion Books, a company that published yearbooks online. 


Teaching design at The University of Western Australia helped her realize that photoshop was arduous to learn and prohibitively expensive, while starting her company was an education in the power of low-code tools and how to run a business. Perkins’ following act, Canva, was most recently valued at $3.2 Billion and allows millions of people to design simply and inexpensively.

We need innovative products and services to shift the world towards progress. We also need movements. The Community Builders build platforms that help other companies start their own businesses.  

Tobias Lütke has built Shopify into a business that supports over 1 Million online storefronts. They’ve experienced rapid growth by empowering small and large business owners; Lütke revealed in 2019 that Shopify passed the $1 Billion dollar revenue mark with the highest growth rate of any SaaS company ever. Shopify isn’t only a platform for sellers, it’s also a platform for tech builders. Gorgias, a help desk for e-commerce stores, is the first customer service app built for Shopify and a venture-backed startup. 


The community builders frequently angel invest in the next generation of companies in their category and bring a high level of transparency to educate founders and support individual creators. 

Ankur Nagpal, the Founder and CEO of Teachable, is an active angel investor who shares metrics, open-sources investor updates and continues to mentor Teachable employees even after they’ve moved onto their next thing. 


Teachable’s entrepreneurial culture has already led to Sid Yadav and Andrew Guttormsen creating Circle, a community platform for creators. 

Matt Biilmann, the co-founder and CEO of Netlify, is another example of an active community builder who has invested in a number of developer tools, including the social network for software engineers Dev.to, CodeSandbox and the headless CMS TakeShape.

Community builders are natural company builders. They value thoughtful curation and quality; they eschew the attitude of growth at all costs. As founders, they’re natural evangelists who invest in user education and steadily increase revenue.

A less obvious benefit of the new era of flexible, work-from-wherever culture is the fact that couples are spending a lot more time together.

With no commute and fewer after work obligations, couples are working collaboratively from home and finding new hobbies and ways to team up professionally.

Couples joining forces is not entirely new: Schmidt’s Naturals founder Jaime Schmidt built a nine-figure business with her husband Chris Cantino from their kitchen in Portland and exited to Unilever in 2017.

Today, the couple invests in startups through their founder-friendly firm Color Capital while building their next act Supermaker, a modern media company to help anyone start their own business from home.


I recently joined James Beshara’s Below the Line podcast to discuss the limitations of pattern matching, a simple approach used by VCs, who see hundreds of companies a year and naturally evaluate startups and entrepreneurs based on what has worked before.

As an early investor in Haus, I’ve seen first hand what happens when a multi-generational wine maker and notable creative director (who happen to be married) team up.


A preview of what’s to come

I started a modern VC fund to reimagine work alongside thoughtful founders building new opportunities for creators, designers, developers, and individuals who use technology to launch a new business or be better at work.


The vision for WLV was developed alongside my early angel investments in Webflow, Dev.to, LunchClub, Girlboss and others. I’ve learned from community builders and invested in them from the very beginning.

What I love most about WLV is our community of designers, developers and amazing authentic creators like serial creative founder Sophia Amoruso, Instagram poet Rupi Kaur, streetwear founder Bobby Hundreds, law student turned influencer and creative director Margaret Zhang, and my investors who have built the world’s greatest platforms that started as entertainment and creative outlets and scaled into platforms for new classes of work like Spotify, Twitch, Zoom.

We ‘think different’ and ‘look different’ by design.

Last week, we released our new brand and we’ll continue to share fund updates on Twitter, interview creators on Instagram and as always, I’d love to hear your thoughts and comments on this post. Say 👋 on Twitter


The best Dutch growth hacking examples

These Dutch companies have achieved exponential growth by applying one or more of the seven pillars of growth hacking. In this article we for example discuss examples like Booking.com, BALR. and Charlie Temple. Are you interested to learn how these companies achieved their growth? Then there’s no doubt you should check out our article!


3 Growth Hacking Examples You Can Leverage In Your Business

Let’s dive deeper and look at real businesses that have used growth hacking and launched themselves into massively successful companies. Along with these business examples, we’ll look at key strategies to help you come up with your own growth strategy.

Growth hacking is a term that’s often associated with young startups that grow explosively. It’s starkly opposite to the traditional modes through which businesses grow, taking things step by step, and minimizing risk.

Today, growth hacking or growth marketing holds a positive and meaningful connotation for digital marketers. Although the term ‘hacking’ hints at ‘grey’ marketing methods, there’s reliable data and an ethical approach behind it. Done correctly, growth hacking will help you grow your business fast and with long-term positive outcomes.

Here’s what growth hacking involves:

  • Experimentation: A growth hacker or marketer approaches marketing strategies with an experimental mindset, ready to try new and untested techniques
  • Testing: While experimenting, you make sure to test your marketing strategies on different audiences. A/B split testing and other testing methods form important aspects of your marketing
  • Analytics matter: You’re looking for data, generating reports, and identifying patterns or techniques that work
  • Leveraging what works: Once you see something that gives you good results, you immediately start scaling it up to a larger audience. It’s vital to continue using your analytics to keep track of your marketing and to fine-tune your strategies wherever necessary


Growth hacking in action

Here are some growth hacking strategies together with examples of brands that experienced explosive growth using them. Use them as ideas for your own marketing efforts.

Invite-based marketing strategies

The mobile brand OnePlus is a well-known example of growth hacking. With a limited marketing budget, it had to use outrageous and interesting marketing techniques to get attention.

One of its best (and simultaneously disliked) strategies was to sell the product through an invite-only method. At one point, a person would be able to buy the phone only when an invite trickled down to them.

This created a feeling of exclusivity and gave users the feeling that they had a certain status by being in the ‘in’ group.

Another method that OnePlus used was to create a buzz on social media with a ‘Smash the Past’ campaign. People who took videos of themselves smashing their old phones stood a chance to buy the new OnePlus mobile for $1.

These methods were unusual but they certainly caught the world’s attention which led to them becoming a major brand.

Gamifying customer referrals

Gamification is applying gaming mechanisms to marketing activities. Every time your audience or lead hits a goal that you set, it creates positive feedback which makes them want to do more with your brand.

Dropbox used this technique to get users to refer it to their peers. It gamified its onboarding process by giving users free storage for doing certain things:

  • Linking their Dropbox account to Facebook and Twitter
  • Sharing Dropbox-related statuses to social media
  • Following Dropbox on Twitter
  • Referring the platform to other users

Soon enough, Dropbox grew at a rapid pace and today, it has over 14.3 million paid users and more than 500 million users overall.

Dropbox grew rapidly by gamifying various tasks.

Exclusive membership sites

Membership sites offer gated content exclusively to users who have signed up with the site. Building a membership site allows you to nurture and grow an invested community that cares about what you have to offer.

There’s a brilliant example in the work of financial advisor Tiffany Aliche with her brand ‘The Budgetnista’. According to this entrepreneur, there are a few key ways to grow your business fast. Let’s look at the examples of her own work to see how a membership site can be leveraged to boost engagement and conversions on your own site.

  • Create a rallying point: Tiffany Aliche started the Live Richer Challenge to help 10,000 women take control of their finances. In five weeks, her community paid off $400,00 in debt and collectively saved $3.5 million
  • Give away content for free: Tiffany says that she gave away at least half of her advice and content for free to grow her audience. This helps you build trust and a relationship and then your audience is more willing to buy from you
  • Engage with your audience: A huge part of The Budgetnista’s success comes from listening to the audience. Tiffany frequently holds webinars and other activities to engage with people, give advice, and listen

She also encourages businesses to build email lists to connect with people over time. You’ll remind your audience that you can help them. And of course, you need to provide valuable and helpful content that’s authentic.

Over to you

Growth hacking is another approach to marketing that helps you find ways to grow your business faster. To use this approach, you need to have an experimental mindset and the willingness to try something new.

We’ve covered three helpful strategies and examples of businesses that used them. You can also leverage FOMO (the fear of missing out) and social media to meet your goals fast. The main idea is to keep trying and testing marketing strategies. Look at what works and then apply it on a larger scale. With this mindset, you’ll leverage analytics tools and find unique ways to grow your business fast.


These Online Classes Help You Master Essential Digital Marketing Skills

Partner content by StackCommerce

According to HubSpot, digital marketing encompasses all marketing efforts that use an electronic device or the internet. In other words, it’s how companies use digital channels, such as search engines, social media, email, and websites, to connect with their current and future customers.

Most businesses today use some digital marketing to get the word out about the product or service they offer customers, which has created a high demand for digital marketers. So, if you’re looking to land a new job soon or simply want to enhance the work you already do, now’s a great time to learn the ins and outs of digital marketing.

The Complete Digital Marketing Growth Hacking Certification Bundle teaches you how to create, promote, and convert with 40+ hours of instructional marketing content on Facebook, YouTube, Google, Amazon, and more. Pick up the bundle on sale today for $34.99, which is more than 90% off its regular price tag.

Certified Facebook Marketing 2020 (Complete Masterclass)

Facebook marketing isn’t easy. That’s why this course gives you straightforward step-by-step strategies for successfully marketing any company on Facebook, the social media platform with over 2.6 billion monthly active users. This course starts with the very basics of creating professional Facebook profiles and then progresses to proven tips and tricks for Facebook marketing. Meaning, you’ll learn how to reach your target customers through Facebook, use paid ads effectively, create a massive community around your brand’s story, and so much more.

Google Tag Manager: Crash Course

Google Tag Manager is a free tool that allows you to manage all your website tags without editing code. Throughout this course, you’ll learn more about Google Tag Manager and how to use its features, from a novice level to that of an expert. Even better, you’ll have the opportunity to test your newfound knowledge and skills by completing a set of included challenges.

The 2020 Complete Growth Hacking & Conversion Course

One area of digital marketing that is all the rage these days is growth hacking. This course teaches you plenty of different growth hacking strategies that are proven to work, from writing compelling copy that grabs users’ attention to how to create high-converting landing pages with irresistible CTA buttons. By the time you finish this course, you’ll know how to increase the conversion rate of your online presence by up to five times.

Go Viral on YouTube

YouTube is the second most popular social media platform behind Facebook, with over 1.9 billion monthly active users. So, it’s safe to say that if you go viral on YouTube, you’ll attract plenty of customers to a business. Throughout this course, you’ll learn over 100 unique methods for increasing fan engagement, brand awareness, and profits on YouTube. Meaning, you’ll learn how to improve your SEO and search results ranking on the platform, discover how to turn YouTube videos into profitable leads, and optimize your posts for maximum engagement.

30 Actionable Branding Strategies That Will Triple Your Profit

Knowing how to brand correctly and effectively is a must for any business. As such, you’ll learn 30 unique tactics on advertising, promotions, building credibility with your target audience, and more as part of your branding training. This course even lands you access to an exclusive interview with billionaire Lynda Resnick, founder of POM and Fiji Water, who provides you with marketing insights from decades of business experience.

The 2020 SEO Link Building Course

Search Engine Optimization (SEO) is the process by which companies and individuals optimize their websites so that search engines like Google will rank them higher in searches conducted by customers online. Unlike paid advertisements, SEO offers companies a free outlet for getting their information in front of the right people at the right time. As such, it’s become an increasingly important component of any company’s digital marketing efforts. This course teaches you everything you need to know about SEO and is updated regularly, which means you’ll always have the latest information about SEO best practices.

Complete Guide to YouTube Channel & YouTube Masterclass 2020

This course expands upon what you learn in the other YouTube course included in this bundle. It focuses on helping you build a YouTube channel with time-tested strategies that will make it easier to get more subscribers and scale your channel. On top of all that, it has incredible user reviews: a 4.8/5 star rating from 48,243 students enrolled in the course speaks to the quality of the instruction contained within it.

Complete Guide to Pinterest & Pinterest Growth 2020

Pinterest is another popular social media platform, and this course guides you from creating an account to growing your profile views with four hours of instructional content. Throughout this course, you’ll learn how to drive more traffic to your Pinterest account and drastically increase your Pinterest monthly views with a weekly routine that’s proven to help individuals and companies achieve incredible growth.

Amazon FBA Course 2020

Last but not least, this bundle guides you through how to work with Fulfillment by Amazon (FBA). Amazon FBA is a service provided by Amazon that provides storage, packaging, and shipping assistance to sellers around the world. In other words, if you or the company you work for sells a physical product online, Amazon FBA may enter the picture. This course covers both marketing and promoting with Amazon FBA, as well as other essential Amazon FBA skills, including how best to list products online to get them to sell in the first place.

Overall, The Complete Digital Marketing Growth Hacking Certification Bundle teaches you essential digital marketing and growth hacking skills for leading tech and business platforms. Grab the bundle on sale today for only $34.99.

Develop in-demand digital marketing skills with the help of these training classes


It’s tempting for many young professionals to assume that because they’ve spent most of their lives posting links to Facebook or pushing selfies to Instagram that they have the skills needed to be a digital marketer.

Creating compelling content is certainly important, but if you’re not up to speed on search engine optimization (SEO), how to understand YouTube metrics, or the importance of on-point tagging, you’re a long way from ready to assemble your own digital plan.

But with the training in The Complete Digital Marketing Growth Hacking Certification Bundle, you’ll get a full overview of what it really takes to succeed across the web from social postings to paid ads to basic sales tactics that can make all the difference in how your product plays online.

The nine-course collection with more than 40 hours of marketing dos and don’ts can start getting you conversant in all the varied platforms available across the web for driving sales, what the impact of each means, and how to determine what’s working and what isn’t in your online efforts.

It all starts with The 2020 Complete Growth Hacking and Conversion Course, a 130-lecture collection that offers the inside tricks of the trade for successfully building your brand. The training includes ways to charge your growth and conversion rates up to 5 times higher, cultivate subscribers, generate solid business leads, and craft winning copy to perfectly execute your product message.

Speaking of your product message, the 30 Actionable Branding Strategies That Will Triple Your Profit are just the well-defined, easy-to-follow steps you can use today to help carve out a smart and successful identity for your brand.

Since most business is generated straight from Google searches, the tandem of The 2020 SEO Link Building Course and the Google Tag Manager Crash Course present insights into how to rank at the top of those all-important searches. Students learn how to optimize every post or page of a site for Google algorithms and how Google Tag Manager can present data-driven facts you can use to make smarter business decisions.

Four more courses delve into best practices for reaching specific audiences across different social media platforms, from the basics of creating professional Facebook profiles (Certified Facebook Marketing 2020) to beginner to advanced tips for video growth on YouTube (Complete Guide to YouTube Channel and YouTube Masterclass 2020 and Go Viral on YouTube) to impact a stealthy beachhead on Pinterest can have on your digital plans (Complete Guide to Pinterest & Pinterest Growth 2020).

There’s even an Amazon FBA Course 2020 with everything you need to know to set up an Amazon FBA storefront, why 99 percent of Amazon businesses fail, and what you can do to be among the surviving 1 percent.

A nearly $1,700 package of training, this deep dive into all things digital marketing is on sale now for only $34.99.

Prices are subject to change.


Teardown: Orthofix SpinalStim


If you’ve ever had a particularly nasty fracture, your doctor may have prescribed the use of an electronic bone growth stimulator. These wearable devices produce a pulsed electromagnetic field around the bone, which has been shown to speed up the natural healing process in a statistically significant number of patients. That’s not to say there isn’t a debate about how effective they actually are, but studies haven’t shown any downsides to the therapy, so it’s worth trying at least.

Image from SpinalStim manual.

When you receive one of these devices, it will be programmed to only operate for a certain amount of time or number of sessions. Once you’ve “used up” the bone stimulator, it’s functionally worthless. As you might imagine, there’s no technical reason this has to be the case. The cynic would say the only reason these devices have an expiration date on them is because the manufacturer wants to keep them from hitting the second hand market, but such a debate is perhaps outside the scope of these pages.

The Orthofix SpinalStim you’re seeing here was given to me by a friend after their doctor said the therapy could be cut short. This provided a somewhat rare opportunity to observe the device before it deactivated itself, which I’d hoped would let me take a closer look at how it actually operated.

As you’ll soon see, things unfortunately didn’t work out that way. But that doesn’t mean the effort was fruitless, and there may yet be hope for hacking these devices should anyone feel like taking up the challenge.

Keeping it Simple

Since the SpinalStim is designed to produce an electromagnetic field around the spine, it’s not hard to guess that the foam-covered “back brace” contains some kind of coil. But being a high-tech medical device, you might imagine there’s some exotic materials or techniques involved. As it turns out, there isn’t.


Cutting the foam lining away from the brace in an operation not entirely unlike gutting a fish, we can see there’s nothing very special going on here. It’s just a dozen or so loops of two conductor insulated wire that’s held together with, as far as I can tell, painter’s masking tape.

It’s not even like they made a neat coil; pulling the rest of the foam off, there are areas where the wires overlap a bit. I would have thought they’d use some kind of flexible loom to hold the wires in place, but apparently the foam of the brace itself was considered enough to keep the wires flat.

Taking a close look at the four pin connector that goes into the back of the control unit, we can see that the wires have actually been twisted together and crimped to both conductors in the yellow cable. The loop itself is connected to another identical arrangement located on the other side of the brace by a wire hidden in one of the straps that holds them together.

Taking Control

With construction techniques not far removed from a grade school science project, I’ll admit the coils were something of a letdown. But luckily the Control Unit is a bit more interesting. As the SpinalStim has no patient-accessible settings, this device is simplistic in the extreme: just a single button to turn it on and off and a USB-B port for charging. It does however have a rather nice LCD display that indicates the battery level and how much treatment time is left. The screen is even backlit, which seems somewhat unnecessary, but is perhaps beneficial for elderly users who might have trouble seeing the display otherwise.

Both inside and out, the Control Unit is much closer to what I was expecting from a medical device. It’s got considerable heft thanks to the internal battery pack, and the thick enclosure with o-ring seals is really quite impressive. Between all the wire you can pull from the coils and this beefy electronics enclosure, there’s a surprising amount of salvage value in this device already.


On the reverse side of the PCB, we can see a few interesting details. Chief among them are the dedicated programming headers for the device’s STM32 microcontroller and nRF Bluetooth Low Energy chipset. We usually have to hunt around for useful debug or programming interfaces, so to see them not only labelled but actually populated with pins is really a treat. We can also see the backup battery used to keep the device’s internal timer ticking even if the primary battery dies, and a bank of capacitors that are likely used to build up a charge to fire through the coil.

Peeling the firmware release sticker off of the microcontroller reveals it to be the very common STM32F103, and removing the board’s RF shield uncovers another chip Hackaday readers will likely be familiar with, the nRF51822. The presence of these well documented chips certainly bodes well for any potential reverse engineering or repurposing of the device, with one caveat: whether the existing firmware can actually be dumped over those headers depends on whether flash readout protection was enabled on the STM32 and the nRF51, which this teardown did not check. Even when it is, readout protection on these parts only blocks reading the original code; the debug interface still lets you erase the chip and load your own.

An Investigation Cut Short

At this point, I was hoping to get the Orthofix SpinalStim hooked up to the oscilloscope and take a look at what kind of signal it was passing through the coil, but it was not to be. After putting the Control Unit back together, I’m now immediately greeted with an angry beep and an error message.

Error screen: Unblock me you coward.

Just like the VeriFone MX 925CTLS payment terminal we looked at last year, it would seem the SpinalStim is designed to “self-destruct” once it’s been opened. I didn’t notice any obvious triggers like we saw in the VeriFone, but I’m assuming when I disconnected the battery it was enough for the device to realize something was amiss. This is probably designed to prevent users from trying to reset the device’s internal counter, which seems to have been a problem on older bone stimulators.
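To make the suspected mechanism concrete, here is an added illustrative model of a tamper latch built on a battery-backed register block. It is not the SpinalStim firmware, whose actual logic is unknown; the register layout, the magic marker value and the 270-session budget are assumptions for the example. The idea is that a provisioning marker and the last-seen RTC value live in the backup domain, so cutting both batteries wipes the marker and the next boot latches a sticky tamper flag, which is consistent with the behaviour seen after reassembly.

```c
/* Added illustrative model of a power-loss tamper latch, the mechanism the
 * teardown suspects tripped when the battery was disconnected. Host-side C;
 * it is NOT the SpinalStim firmware, and the register layout, magic value and
 * session budget are assumptions for the example. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define BKP_MAGIC 0x5A17C0DEu   /* arbitrary provisioning marker (assumed) */

/* Battery-backed register block. On an STM32F1 this would live in the BKP_DRx
 * registers, which keep their contents only while VBAT is supplied. */
typedef struct {
    uint32_t magic;          /* BKP_MAGIC once provisioned, 0 after power loss */
    uint32_t sessions_left;  /* treatment sessions remaining */
    uint32_t last_seen_s;    /* RTC seconds recorded at the previous boot */
    uint32_t tamper;         /* sticky flag, never cleared in the field */
} backup_regs_t;

typedef enum { DEV_OK, DEV_EXPIRED, DEV_TAMPERED } dev_state_t;

/* Factory provisioning: write the marker and the session budget. */
void bkp_provision(backup_regs_t *b, uint32_t sessions, uint32_t now_s) {
    b->magic = BKP_MAGIC;
    b->sessions_left = sessions;
    b->last_seen_s = now_s;
    b->tamper = 0;
}

/* Model both batteries being removed: the backup domain is wiped and the RTC
 * restarts from zero. */
void bkp_power_loss(backup_regs_t *b) {
    memset(b, 0, sizeof *b);
}

/* Boot-time check. Any evidence that the backup domain or the clock was
 * disturbed latches the tamper flag. The latch lives in the same domain, so
 * cutting power again only re-triggers the missing-marker check. */
dev_state_t boot_check(backup_regs_t *b, uint32_t rtc_now_s) {
    if (b->tamper)
        return DEV_TAMPERED;
    if (b->magic != BKP_MAGIC) {          /* domain was reset: power was cut */
        b->tamper = 1;
        return DEV_TAMPERED;
    }
    if (rtc_now_s < b->last_seen_s) {     /* clock went backwards: RTC reset */
        b->tamper = 1;
        return DEV_TAMPERED;
    }
    b->last_seen_s = rtc_now_s;
    return b->sessions_left == 0 ? DEV_EXPIRED : DEV_OK;
}

/* Consume one session; refuses once tampered or exhausted. */
bool session_complete(backup_regs_t *b) {
    if (b->tamper || b->sessions_left == 0)
        return false;
    b->sessions_left--;
    return true;
}

/* Scenario 1: normal use, `used` sessions, then a reboot a day later. */
dev_state_t scenario_normal_use(uint32_t budget, uint32_t used) {
    backup_regs_t bkp;
    bkp_provision(&bkp, budget, 1000);
    boot_check(&bkp, 1000);
    for (uint32_t i = 0; i < used; i++)
        session_complete(&bkp);
    return boot_check(&bkp, 1000 + 86400);
}

/* Scenario 2: the teardown. Battery pulled during disassembly, then the
 * reassembled unit boots with a freshly restarted RTC. */
dev_state_t scenario_disassembly(void) {
    backup_regs_t bkp;
    bkp_provision(&bkp, 270, 1000);
    boot_check(&bkp, 1000);
    session_complete(&bkp);
    bkp_power_loss(&bkp);
    return boot_check(&bkp, 5);
}

/* Scenario 3: the RTC alone is wound back without clearing the domain. */
dev_state_t scenario_clock_rollback(void) {
    backup_regs_t bkp;
    bkp_provision(&bkp, 270, 1000);
    boot_check(&bkp, 1000);
    return boot_check(&bkp, 500);
}

int main(void) {
    static const char *names[] = { "OK", "EXPIRED", "TAMPERED" };
    printf("normal use (3/270):  %s\n", names[scenario_normal_use(270, 3)]);
    printf("budget used (270):   %s\n", names[scenario_normal_use(270, 270)]);
    printf("battery disconnect:  %s\n", names[scenario_disassembly()]);
    printf("clock rollback:      %s\n", names[scenario_clock_rollback()]);
    return 0;
}
```

The latch is only as strong as the backup domain’s isolation from whoever is holding the board. With the SWD header populated and no readout or write protection, those same registers can be rewritten from a debugger, and the counter reset this kind of design is meant to prevent becomes trivial. That is why the exposed programming headers matter at least as much as the tamper logic itself.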

While I’m disappointed the SpinalStim swallowed its cyanide pill rather than submit to further interrogation, the hardware uncovered in the Control Unit certainly looks ripe for further hacking. We’ve seen medical devices reverse engineered to unlock new capabilities in the past, and while there might not be a huge demand for a FOSS bone growth stimulator firmware, it seems the possibility is there for anyone who wants to free these devices from their arbitrary limitations.

Learn how to succeed in digital marketing with these online classes

Products featured here are selected by our partners at StackCommerce. If you buy something through links on our site, Mashable may earn an affiliate commission.

This marketing course bundle will teach you how to increase everything from your business revenue to your follower count. (Image: Pexels)

By StackCommerce, Mashable Shopping

TL;DR: Learn to build your online presence with the Complete Digital Marketing Growth Hacking Certification bundle for $34.99, a 97% savings as of Aug. 7.
Contrary to what it seems, digital marketing goes way beyond posting on Facebook and getting listed in Google. If you’re going to succeed as a marketer in 2020, knowledge of search engine optimization (SEO), paid ads, and even SMS alerts should be on your résumé. These tools and techniques all help accomplish one common goal: being able to increase sales for your brand. If you’re committed to being at the top of your career game, the Complete Digital Marketing Growth Hacking Certification Bundle can get you up to speed and it will only cost you $34.99. 

This nine-part course is taught by some of the best in the business. Entrepreneur and marketing innovator Benjamin Wilson will kick things off, and later, marketing creative Matt Jensen is set to take charge along with a number of other top-rated instructors.

In total, the bundle features 41 hours of marketing lessons on Facebook, YouTube, Google, Amazon, and more. First up, you’ll begin with the Certified Facebook Marketing 2020 lesson, which offers a step-by-step guide to simple strategies for gaining targeted followers that will eventually lead to sales. Next, you’ll move onto a crash course on Google Tag Manager that covers its importance and exactly how to use it. 

Perhaps the most essential course is the Complete Growth Hacking and Conversion Course, which covers everything from optimizing CTAs to retargeting interested shoppers. If you’re serious about truly growing your online presence, you’ll need to take note of these strategies.

If you already know what strategies and platforms you want to target first, you may choose to skip around and tackle the Go Viral on YouTube hour-long lecture or the SEO link building course. There is even a full course on Pinterest marketing.

Finally, the Amazon FBA course closes out the package by outlining how you can start a business utilizing Amazon’s tools and make it successful, which many sellers fail to do.

With nine courses in total, it’s no surprise that this bundle is worth over a grand in value. But you can go after your marketing dreams and snag access for just $34.99.


Trump’s own intelligence officials contradict his repeated claims of mail-in voting fraud

Washington (CNN)US intelligence officials on Friday discounted the possibility of foreign countries mass producing fake ballots to interfere in the November elections, contradicting President Donald …


US neobank Dave was hit with a data breach earlier this week

This story was delivered to Insider Intelligence Banking Briefing subscribers earlier this morning.

US-based neobank Dave was hit with a security breach earlier this week, ZDNet reports. According to the neobank, the breach originated on the network of Waydev, an analytics platform it formerly partnered with, through which a malicious party reportedly gained unauthorized access to certain user data — including names, phone numbers, emails, birth dates, and home addresses — and is selling it on a hacking forum.

Neobank Dave needs to continue differentiating itself from competitors. (Chart: Business Insider Intelligence)


Breached data also includes users’ Social Security numbers and passwords, which the neobank says were encrypted. The report does not say whether the encryption keys were held separately from the exfiltrated data, which is what determines how much protection that encryption actually affords; passwords in particular are normally stored as salted hashes rather than reversible ciphertext. Dave said that there’s currently no evidence that suggests hackers used the data to gain access to user accounts and execute any unauthorized actions. The neobank notified customers of the incident and is carrying out an ongoing investigation.

A data breach could be particularly damaging to the neobank as it’s early on in its growth. Dave started as a personal finance management (PFM) platform — which counts 7 million users — and since expanded with the launch of Dave Banking, which it started rolling out to its 2 million-person waitlist in May.

The account offers $100 in overdraft coverage, with no interest rates regardless of credit score. It also boasts an account opening time of 2 minutes, and is intended to help younger consumers — its target audience — build credit by instantly reporting recurring payments like utilities and rent to major credit bureaus. But the neobank might need to continue differentiating: Chime, the largest US neobank, recently launched a Credit Builder Card to help users build a credit history.

Dave’s focus on customer needs could give it a niche in the neobank market — but a breach could lead customers to opt for a more established competitor. Data breaches can be extremely detrimental to customer trust — especially for neobanks, given their entirely digital structures.

Considering that Dave Banking is in its infancy compared with other US neobanks like Chime or Varo (Dave Banking presently counts 100,000 users and the neobank anticipates reaching 1 million by the end of the year, compared with Chime’s 8 million), transparency regarding cybersecurity with customers and those on its waitlist will be integral to ongoing retention and acquisition.
