One benefit of Microsoft requiring them for Windows 11 support is that nearly every recent computer has a TPM, either hardware or emulated by the CPU firmware.

It guarantees that the private key can never be exfiltrated or copied. But it doesn't stop malicious software on your machine from doing bad things from your machine.

So I'm not certain how much protection it really offers on this scenario.

Linux example: https://wiki.gentoo.org/wiki/Trusted_Platform_Module/SSH

macOS example (I haven't tested personally): https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb...

How about UEFI vs arm-specific bootloaders?

I tried arm32 Linux a few years back, and the largest hindrance at the time was the device trees and non-UEFI boot process. Given up on exploring the platform further (except maybe for SBC like raspberry pi) until that situation improves.

If you were using systemd-resolved however, it retries all servers in the order they were specified, so it's important to interleave upstreams.

Using the servers in the above example, and assuming IPv4 + IPv6:

    1.1.1.1
    2001:4860:4860::8888
    9.9.9.9
    2606:4700:4700::1111
    8.8.8.8
    2620:fe::fe
    1.0.0.1
    2001:4860:4860::8844
    149.112.112.112
    2606:4700:4700::1001
    8.8.4.4
    2620:fe::9

Also note that Quad9 is default filtering on this IP while the other two or not, so you could get intermittent differences in resolution behavior. If this is a problem, don't mix filtered and unfiltered resolvers. You definitely shouldn't mix DNSSEC validatng and not DNSSEC validating resolvers if you care about that (all of the above are DNSSEC validating).

I've recently cut bounties to zero for all but the most severe issues, hoping to refocus the program on rewarding interesting findings instead of the low value reports.

So far it's done nothing to improve the situation, because nobody appears to read the rewards information before emailing. I think reading scope/rewards takes too much time per company for these low value reports.

I think that speaks volumes about how much time goes into the actual discoveries.

Open to suggestions to improve the signal to noise ratio from anyone whose made notable improvements to a bug bounty program.

An interesting tool for analyzing your personal kernel config file and pointing out areas for security improvement. It's more comprehensive than KSPP (https://kspp.github.io/) but sometimes goes a little too far, suggesting disabling kernel features you may actively use.

Definitely worth trying!

Anyone can get the performance crown by having an unlimited energy budget. Performance per watt is much more valuable in data centers (TCO) and consumer devices (battery life).

I've personally been using a NoFan CR-80EH in my workstations for over 10 years. I think it's subjectively the most beautiful heatsink I've ever seen.

You do need to plan your build to accomodate such a cooler though. - Open Air case to allow free movement of air in and out of your case - 65W TDP CPU

While a lot of people feel like 65 watt TDP is limiting, there are some impressive chips you can use under that threshold that don't feel like a compromise. Eg the Ryzen 9 7900 (not-X).

And if the rest of your office is quiet, eliminating ambient background noise is a delightful improvement.