Is the bug hunter platform corrupt?

No bounty, no security

Cyber security is part of a company, just like developing new systems.
More and more companies realize that cyber security is important, especially since the EU GDPR was published and some cases were fined with huge tickets.

So companies start bug bounty programs (building their own platform or joining a bug hunter platform).
Their digital assets are huge; most of the Fortune 500 can't even make a list of all the assets they own (this is my guess, with no data to support it). The weird thing is: some security researchers submit vulnerability reports to them for free. How to make use of that? Start a VDP program: no money, just acknowledgement.

Yes, the VDP program is the bridge between the company and security researchers; the company opens a path to accept vulnerability reports. But this is just a transitional way.

No doubt, if you are new to bug hunting, you can start with VDP programs, because it's easier to find flaws there. I'm not suggesting you keep submitting vulnerability reports for free; this will poison the bug hunter environment.

No money, no security. A vulnerability report also needs something to prove its value.

Reality

I saw some security researchers submit vulnerability reports to a bug bounty program (BBP), but the program refused to pay them. Some common reasons are below:

  1. we already know it internally
  2. no attack scenario
  3. out of policy

If you have trouble with the bug bounty program, the platform's mediation doesn't help; the best way is to make the report public.

Then you leave the program, write a post calling them out, and stay away from the BBP that makes you feel sick, since it will only harm your feelings.

Suggestion

assets in scope or not

When you dig into a BBP, you'd better check the program policy: which assets are in scope and which assets are out of scope.
Not all companies pay for all of their assets; you must know that.

prove it, not exploit it

Some actions are also out of scope. For example, if you find an RCE, uploading a webshell is not a good action. You just need to prove it, not exploit the system.

be patient

When you submit a report and it is triaged, it's unnecessary to keep asking when the bounty will be paid; some programs pay slowly. What you can do is keep submitting the next report.

be a gentleman

When you come across this situation (they don't want to pay the bounty, or pay less bounty than you expect), it's unnecessary to fuck them up or keep squabbling with them; don't waste your time on that. You just need to request mediation. If in the end this doesn't help, you can leave the program or turn to another program.

END

I hope these suggestions can help you earn more $$$$ on your bug bounty journey. Bug bounty is just a quite small part of enterprise cyber security construction. If you really want to push yourself into cyber security, keep learning!