Much of the existing application security & secure development curriculum show security issues in a vacuum, or in the simplest example setting. On the other hand, public bug bounty reports inherently show bugs in real world context. Sometimes that context is unbelievably trivial, other times it is intricate and pointedly specific to the vulnerable site. Both of these extremes provide important nuances that help developers and testers understand how to identify and remediate security issues. This walking tour of common vulnerabilities, as well as more pragmatic “dirty” hacks, bridges the theory/practice divide with illustrative examples drawn from real-world bug bounty programs to help you see your code as attackers do. Finally, you’ll see some examples of how others remediate (often badly) when faced with serious, public facing vulnerabilities and get a better appreciation for how defense-in-depth buys you time to do things right.