undefined | Better HN

0 pointstptacek9y ago0 comments

"Offer bug bounties based on actual access" why?

0 comments

3 comments · 1 top-level

3pt141599y ago· 2 in thread

Maybe misworded, but actual access is a clear line on the spectrum that starts at reporting a potential DDOS attack on an endpoint to dumping all your users credit cards and passwords. Access to a server isn't necessarily access to a DB, but it's usually serious enough to warrant cash, no matter who you are.

tptacekOP9y ago

I'm asking: why would you make a bounty conditional on "access" at all? What's the win? A bug is a bug. If it has the potential for access, it's worth the bounty. All a demonstrated access requirement does is encourage strangers to violate the privacy of your customers. It seems like an incredibly reckless idea.

3pt141599y ago

Bad actors are already trying to get that data, no?

1 more reply

j / k navigate · click thread line to collapse