undefined | Better HN

0 pointsAyesh2y ago0 comments

Quoted from the post:

> It was _immediately_ clear that Hammad was going to beg for a bounty, but it was a quiet Saturday night here and I thought it would be entertaining to see just how far down the rabbit hole he wanted to go. So, I responded, positively:

I suppose most of these useless bounty reports are quite easy to tell.

From the comment above:

> 20 mails each day

If you receive 20 mails a day to your security email address, then, perhaps it's time to setup a proper bug bounty program? They will weed out low impact vulnerabilities and only elevate the reports above a certain threshold. Isn't this a solved problem already?

0 comments

2 comments · 1 top-level

blincoln2y ago· 1 in thread

From what I've seen secondhand, a bug bounty programme can actually increase the overhead vs. an email address, because now someone has to log in and deal with each ticket instead of ignoring emails that don't seem interesting.

There are some significant advantages to having a bug bounty programme, but they still attract a lot of noise. I know of at least one software company that has an entire team just to triage the queue. Not fix anything, just validate whether a report ia reproducible or not and if so, route it to the responsible party.

AyeshOP2y ago

I participate in a couple programs, and when I report something, they have a team at the bug reporting service take a look first before escalating them to the actual security contact. Only issues that are in-scoope and severe enough get escalated. The company can even mark certain programs as invitee-only or for researchers above a certain threshold.

Many programs already have rules saying they will not consider DNS/header related issues.

j / k navigate · click thread line to collapse