Bug Bounty Programs
The cluster discusses bug bounty programs, including their effectiveness in encouraging responsible vulnerability disclosure, fairness of payouts, company obligations, and comparisons to alternatives like black market sales.
Sample Comments
"Offer bug bounties based on actual access" why?
That's one of the points of bug bounty programmes, isn't it?
They should be giving bug bounties instead!
What if I introduce security bugs only to be paid a bounty on them later?
There's already an implicit bug bounty. Whoever found this bug got a bounty of millions. Much better than the pittance that tech companies pay.
The bug bounty won't cause others to report bugs if they pay in secret.
Why would companies pay a bug bounty and then expect nothing in return?
NEO awards large amounts for bug bounties; I find it hard to believe you would go to the trouble of finding bugs without claiming any reward?
“Thanks for your report, we’ve updated the settings. We don’t have an official bounty program but we do sometimes offer them if the issue is severe enough. On this occasion it is not.” And that seems to work fine. For ones a little more involved we’ve paid out $50 a few times, which they seem happy with and we’re generally OK to pay. This seems like an extremely reasonable approach.
You're not entitled to a bounty just because you found a bug. Some companies offer these bounties and it's good that they do, but that doesn't mean every company is obliged to offer them, or that a company that offers bounties for some bugs is obliged to offer them for all bugs.