Resilient Cyber

S2E22: HackerOne - Bug Bounty, Vulnerability Disclosure and Ethics



Nikki: I've spent a number of years studying vulnerability chaining and using low and medium vulnerabilities in combination to create very critical attacks. Do you see this as a common method for attacks in the wild?

Chris: We're continuing to see the growth of bug bounty programs, such as HackerOne. How do you think these programs contrast (or complement) companies' internal pen test/red teams for example?

Nikki: Vulnerability management is an incredibly complex topic for a lot of organizations. Do you think bug bounty programs and Vulnerability Disclosure Programs (VDP) are helping to mature those programs?

Chris: How do companies have a level of assurance that the hackers will conduct the activities ethically? 

Nikki: I think there's still sometimes a disconnect between what hackers and pentesters know about vulnerabilities and the actual attack paths, and the remediation teams that are working to prevent these types of attacks. Do you think there's a need to educate more Blue teamers on specific types of attacks and how they are conducted?

Chris: On the flip side, for hackers interested in bug bounty, how can they best go about getting started?

Nikki: We're starting to see more development teams taking responsibility for security — we frequently hear the term "shifting left." Is that a trend you are observing as well?

Chris: Thoughts on Log4Shell?


Resilient Cyber by Chris Hughes
