undefined | Better HN

0 pointsbugbountyhunter8y ago0 comments

> there are any number of legit bug bounty programs

The thing about bug bounty programs are that they are not a negotiation. They decide how much your information is worth--take it or leave it.

If you thought this bug was worth $25,000 and you feared that Apple might offer a $100 discount coupon plus a lovely "I Love My Mac" coffee mug, is there any way to start a negotiation without being accused of extortion (if you imply that you might disclose it publicly)?

This is a serious question: Is there any way to negotiate for security bugs, before or after disclosing all the details, without running a legal risk?

0 comments

azernik8y ago

Not really; the issue is that you don't have a way to disclose how much the bug is worth without giving away the bug itself. You can kind of ask how much an exploit that gets a local user root access is worth, but that can give away enough to let them focus their own search.

In general, you have to rely on this being a repeated game - you and the pentester community at large submit lots of bugs to this company, and you rely on them to make it worth your time and talent. If they don't, you go test someone else's software. Reputation is everything.

j / k navigate · click thread line to collapse

0 comments

azernik8y ago

j / k navigate · click thread line to collapse