undefined | Better HN

0 pointslelag2y ago0 comments

I run a bug bounty program and I don't mind report for small issues. It's true that most report from "beg bounty" hunters are noise, but we've acted on some reports a few time. One time, in particular, a researcher broke something which alerted us to a serious issue, while not understanding themselves what they had found, we still paid a fair bounty on the finding since we would not have found the issue without the action of the researcher.

It also helps that we have very clear rules and defined scope: we've put out of scope the usual suspects and researchers rarely argue when we point out they should have read the rules better before submitting.

Regarding bounties, my yardstick rule is that if a report made us reconsider our practices and change something on our side, then it's worth a bounty, even small. If not, then no bounty far ya, simple as that.

Also, I don't remember getting a disclosure report where they would ask for money before disclosing the vulnerability, I don't think it's that common. Still, this would go straight to the spam folder.

0 comments

2 comments · 1 top-level

speleding2y ago· 1 in thread

In my experience paying out once to a bug hunter resulted in an avalanche of useless "beg hunter" reports in the following weeks. Understandably security researchers brag about their finds on their resume but that has the side effect that other guys apparently crawl those and start targeting you.

I'm not saying this is good or bad, but just a warning that you should be prepared to read a lot more reports once you start paying.

SkyPuncher2y ago

The flip side is we've had some very serious, legit security researchers test our application as a result of our reputation for paying out bounties.

j / k navigate · click thread line to collapse