Questions tagged [bug-bounty]

Related to design, workings and operation of bug bounty programs. DO NOT use for questions about specific vulnerabilities, attack methods or anything unrelated to the mechanics of vulnerability reward programs.

A bug bounty program (BBP) or vulnerability reward program (VRP) is an offer made by a company to reward individuals for reporting vulnerabilities in their websites or software products.

48 questions
83 votes, 5 answers

How to proceed with a white-hat hacker claiming a vulnerability?

I am a security member of a small company which recently got contacted by someone claiming to be a Hackenproof member. They were reporting on our website being indexed by googlebot (metadata, thin page content, anchor text issues) and an XSS…
Vcode
52 votes, 3 answers

Could bug bounty hunting accidentally cause real damage?

If an application's code contains even minor and subtle inaccuracies, it can open up the entire database to SQL injection. In this example (see section 'Delete All Method'), the entire Users table gets deleted with a trivial SQL injection ("1) OR…
stevec
37 votes, 4 answers

Why is social engineering often excluded from bug bounties?

I noticed a lot of companies do not have social engineering as in-scope of bug bounties/responsible disclosure guidelines, even though it is often used in real-world attacks. I understand that for popular bug bounty programs the amount of social…
Z3r0byte
17 votes, 3 answers

Which companies facilitate payment in return for vulnerability disclosure?

If requesting payment from an affected party directly for the disclosure of vulnerabilities is considered extortion, how can independent security researchers earn a living or side income from researching security vulnerabilities?
Nick
13 votes, 2 answers

How to deal with responsible disclosure "catch and kill"

My coworkers and I discovered a significant security issue in a popular cybersecurity tool, which shall go unnamed here for reasons that will become obvious. We reported the issue to the tool's vendor through their bug bounty program on bugcrowd.…
Jonathan Kamens
9 votes, 3 answers

How to work effectively to win bug-bounties?

I really want to prove myself (to my parents) by winning a proper bug bounty. How should I best prepare for this and go about actually finding bugs? Edit: So can anyone give some web sites which I could read that would help me understand better how…
emberfang
8 votes, 1 answer

Bug bounties - Should I report 0days in third-party components?

Assuming that: Vulnerabilities in third party components are not explicitly excluded in the scope of the program. The issue is reproducible in the specific target. Should I report the issue to the third party developer only, or to the program too?…
Not Now
6 votes, 1 answer

What are some options for a small company on a budget to maintain a bug bounty program?

I work for a B2B SaaS startup that doesn't have a lot of money (we're 6 people, 2 developers, have about 6 months of runway, and $25K monthly revenue, < 50 customers). Common advice that I've seen for small companies/startups is to "do enough" for…
6 votes, 2 answers

Why do several bug bounties ignore user enumeration?

While viewing bug bounties, I noticed that most of the bug bounties list user enumeration in the exclusion list. For instance, brute forcing user accounts and forgot-password forms would generally fall into this category. This got me thinking about…
5 votes, 1 answer

Is it bad practice to remove a resolved report from Open Bug Bounty archive?

An XSS vulnerability report was made via Open Bug Bounty, which was fixed, confirmed and a reward was made. The reporter has marked the issue as resolved. They have further offered to remove the vulnerability from the Open Bug Bounty archive. Being…
Joe
5 votes, 2 answers

What does Zerodium do with their bought exploits and bugs?

I came across the cybersecurity company Zerodium. They offer bigger bounties than most of the companies calling for bug hunters: Because of the bigger bug bounties, bug hunters sell their found exploits/bugs to Zerodium rather than to the company…
Nightscape
5 votes, 1 answer

What is this user trying to do?

I work with a company that creates marketing software; we recently created a forum so we could talk with users who need support. I'm the main admin on this forum and a user, let's call them person1, has been trying to run PHP code in the comments. I…
4 votes, 1 answer

Function of %5c.. in a path traversal

I've recently come across this blog post of a bug bounty hunter. Apparently, a path traversal vulnerability was discovered, which looked like this: …
3 votes, 1 answer

How to fairly pay out bug bounties without going over budget?

I work for a small company and for our webapp, we want to offer bug bounties for vulnerabilities reported, with monetary rewards based on criticality. Problem is we only have a limited overall budget and don't want to promise anything we cannot pay.…
Chimarr
3 votes, 0 answers

Bug in pay by phone screen accepts credit card information

I recently noticed some strange behavior in a pay-as-you-go mobile hotspot service when I was adding money to my account via phone. I forgot my PIN so I guessed. I was wrong. I guessed again, and it let me through and accepted my payment…