Skip to main content

BUG HUNT

I have recently organized a bug hunt in my company.
The point was to motivate testers for testing outside of the scope of their work.
Here are the general settings:
________________________________________________________________________________

TERMINOLOGY

Territory – application, system
Prey – bug, issue, problem, meaningful change request
Hunt – the event in which is are the bugs searched and reported in the particular application in a given time

ROLES

Old hunter
  • He is the most experienced Hunter in the particular territory
  • Tester who has not currently the role of the Hunter
  • He informs other Hunters about the application
  • He evaluates reports
Gatherer
  • He gathers the reports from Hunters
  • He anonymizes the reports and forwards them to the Old Hunter for evaluation
  • He will maybe provide reward for the Lead Hunter
Hunter
  • His role is to catch the prey
Lead Hunter
  • He will be known at the end of the hunt
  • He is the best among hunters, the chosen one
  • He will receive a big chunk of meat or something

RULES

  • You will be given access to the territory (application, system) by the Old Hunter
  • He will provide information about
    • Basic application logic, functionality, purpose
    • What not to look for
    • What to look for
    • Who to address bug reports
    • Known prey (bugs, issues)
  • You can always ask the Old Hunter about the territory, when you are not sure
  • Your goal is to find the prey (bugs, issues, defects, problems etc.)
  • You can also suggest meaningful changes
  • When to hunt? Whenever you want. You can spend the whole week looking for a prey, or you can avoid hunting and eat grassJ
  • You will report everything to a gatherer, who will sent it anonymously to the Old Hunter for evaluation
Every prey is evaluated and given a value (0-5 meat points) by the Old hunter
  • Prey is evaluated firstly according to its size (significance, severity, priority)
  • More points are given to the Hunter who catches the prey as first
  • Points will devaluate if many Hunters catch this particular prey
  • Points are given also according to the quality of hunt report – simplicity, accuracy, clear, reproducible
  • Hunters should not share information about the prey – but this is only an recommendation
  • Duration of the hunt is restricted to a week, till enough prey is caught, or till one Lead Hunter (most points) is clear

LET THE HUNT BEGIN


________________________________________________________________________________

Comments

Popular posts from this blog

Testing impact on security

... or the impact when testing is lacking?

Security breaches, hacks, exploits, major ransomware attacks - their frequency
seem to increase recently. These can result in financial, credibility and data
loss, and increasingly the endangerment of human lives.

I don't want to propose that testing will always prevent these situations.
There were probably testers present (and I'm sure often also security testers) when
such systems were created. I think that there was simply a general lack of
risk-awareness on these projects.

There are many tools and techniques from  a pure technical point of view to harden the software in security context. Some of them have automated scans which crawl through your website and might discover the low hanging fruits of security weaknesses (ZAP, Burpsuite...), without much technical knowledge from the person operating it. The more important aspect is however the mindset with which you approach the product. The tester is often the first person to discov…

Cynefin beginnings

Cynefin was on my radar ever since I joined The House. It seemed an interesting idea worthy of further pursuit, therefore I decided to visit a training on this topic in London this April.



My first thought was  "What I'm doing here?!" - the other attendees were a mix of scrum masters, project managers and similar sort, which was actually to be expected. Cynefin is a decision-making framework which seems to be applicable mainly in management, but my firm belief is that testing can benefit from it equally.
My goal was, however, to find out more about Cynefin and how to apply it to my work as a software tester. I expect it will take some time to my thoughts on this fully settle and I get the whole picture from this training. My colleagues got already some very good insights from cynefin, my goal is to follow this path. The purpose of this blog is to summarize my thoughts on this so I can revisit later in my life and maybe see how much my understanding changed.

Finding out in…

Kali Linux 101

Linux was always a bit too 'geeky' thing for me. My recent time on bench provided me however with time and motivation to go into this "terra incognita".
The intention was originally to learn some foundations of security testing. After a while I discovered that Kali Linux could provide also benefits for the everyday testing routine. Following is a simple set of tools that will support and enhance your testing.
whatweb Whatweb is a web scanner which provides information about the technologies used on the website, mail addresses found and many more
Example (type into terminal in Kali Linux): whatweb 0-v https://www.houseoftest.rocks/


whois  Provides domain and legal information about the target website (where is it registered, owner, address, etc.)
Example: whois houseoftest.rocks



cewl Outputs all the words contained in the target website. You never know when such feature comes handy. You can output also into a file of course. Example: cewl https://www.houseoftest.ro…