Ask HN: Security Vulnerability Rewards
Hi,
You are working on a product and the product is still in the beta stage, and someone out of the blue sends an email to you that your site has these security vulnerabilities(valid ones) and asks for rewards in return.
Has anyone faced this kind of situations? We are willing to give him the reward, but being in beta stage, we are still not sure as to what and how much we should reward him.
5 comments
[ 2.7 ms ] story [ 19.6 ms ] threadIf you offer them a reward or recognition, you are going to see many more vulnerabilities being reported to you. You are going to start seeing port scans on your machines and all sort of scraping looking for vulnerabilities. Some security vigilante is going to take down your service in the middle of the day with an overly aggressive script.
The best course of action is to fix the vulnerabilities, thank them for their contribution (in that order), and say nothing more. You don't have the time to manage a bug bounty program right now, and by giving them recognition or reward you are in effect starting an ad hoc bug bounty program.
This is an unnecessary distraction though at this point of time :)
If someone finds a vulnerability accidentally (I've done this before), they won't ask for a reward if they are professional and the company has no bug bounty. It's reasonable to tell a company out of respect - it's unreasonable to ask for payment, that implies almost a ransom and will encourage more of it.
There is a problem with bug bounties these days in that they attract a lot of people desperate to get into the InfoSec industry who don't necessarily know what they're doing and have no professionalism (see @CluelessSec for example.) Don't encourage it by giving a reward.
Cold calling (or emailing) companies to solicit penetration testing is okay, casing the company for vulnerabilities and asking for payment is not. I do suggest you find someone to do a solid penetration test of your company however just out of principle.
Thanks a lot for the answer.
Also, what debacle said.