5/16/2022, 11:46:29 AM
Where I work, we run a bug bounty. We've done this for a number of years, and it has yielded great results: bugs that could potentially affect user data are quickly and quietly dealt with at our own pace, and we retain control over the narrative (as opposed to having them disclosed publicly and dealing with the fallout).
By far, however, the most annoying part of running the bug bounty program is the wannabe security researchers.
You know the kind:
It gets worse. Occasionally, when you reject an invalid report outright, they have the gall to ask you for money anyway:
Thank you for your response. I hope this type of hard effort deserves something. Best regards.
Thank you for your response. But you can give me $5, this is my PayPal email
But sir, bug is working, so you can give me a small appreciation sir
I've even had reporters reply back to a confirmed bug (with limited security implications), and ask for more money. In what kind of world is that acceptable?!
One time, I had a report come in for a vulnerability that had been discovered by someone else. This reporter had read the write-up, and proceeded to go around and try to shake down companies for money, even though he didn't do any of the actual research. What really gets my goat is that almost all of these reports aren't even from the original discoverers. It's like a whole cottage industry sprang up just to go around and extract as much money as possible from businesses for leaving a "Powered By" header on their servers.
I make the rules of my bug bounty easily accessible and simple to follow. There is a specific testing endpoint to report bugs against, and I can even make exceptions if you read none of the other rules except that main one.
None of it makes a lick of difference.
I don't want to be overly punitive, in case I disincentivise the reporting of a legitimate security concern, but boy, does this get tiring.
The really confusing part is that in some cases, these "security researchers" think they are doing serious work. They get offended if their report is rejected, and play up the severity of any potential implications.
In the end I think I will have to be exceedingly strict—a single warning followed by a ban.
Just for fun, I took a look at our reports since January 2022 and manually collated the resolutions. Out of 43 reports:
P.S. Honestly, this has been the only annoyance with running my own bounty. Is it worth saving upwards of $10,000 USD/annum compared to going with a "Bug Bounty as a Service"? Good god, yes.