Bug bounty program have always been a love-hate thing for enterprise. Enterprises running bug bounty programs can discover their vulnerabilities through external information security researchers and manage the vulnerability disclosure process. However, at the same time, they suffer from incomplete experience or planning when running the program, which leads to many problems.

This seesion will start from the bounty hunter's own experience until joining a company to assist in handling and running the program. I will share the experience and difficulties from both sides and also cases of conflict and cooperation.

Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised.Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened.We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. In this talk , we will also share how we making an OT adversary emulation tool according to what we summarized and MITRE ICS matrix.