Public Bug Bounty Rules of Engagement
I share my experience and lessons learned from operating a public bug bounty.
I share my experience and lessons learned from operating a public bug bounty.
Nearly a year ago, I wrote about an emerging trend I observed with some of the bounty researchers I was interacting with. This screed can be considered an extension of that article. There an emerging trend I’m noticing - I’ve been receiving more messages like the following: Hey , I found Security Vulnerability in your web application ,which can damage site as well as users too.For security purpose can we report vulnerability here,then will i get bounty bounty reward in PayPal or Bitcoin for Security bug ?...
I’m managing a bug bounty program that has shown tremendous benefit so far. Several findings have been extremely clever, and I’ve been fortunate enough to have good interactions with the vulnerability researchers. However, I’ve also had a few unsatisfactory interactions with researchers. This post is directed at Bug Bounty researchers that do not have much experience in corporate environments. I think a list of do’s and don’ts is appropriate for this breakdown....