Comment by socketcluster
6 days ago
I found a vulnerability recently in a major online platform through HackerOne which could allow an attacker to cheaply DoS the service. I wrote up a detailed report (by hand) showing exactly how to reproduce and even explained exactly how a specially crafted request to a critical service took 10 seconds to get a response (just with a very simple, easy to reproduce example)... I then explained exactly how this vector could be scaled up to a DDoS...
They acknowledged it as a legitimate issue and marked my issue as 'useful info' but refused to pay me anything; they said that they would only pay if I physically demonstrated that it leads to a disruption of service; basically baiting me into doing something illegal! It was obvious from my description that this attack could easily be scaled up. I wasn't prepared to literally bring down the service to make my point. They didn't even offer the lowest tier of $200.
So bad. AI slop code is taking over the industry, vulnerabilities are popping up all over the place, so much so that companies are refusing to pay out bounties to humans. It's like neglect is being rewarded and diligence is being punished.
Then you read about how small the bug bounties are, even for established security researchers. It doesn't seem like a great industry. HackerOne seems like a honeypot to waste hackers' time. They reward a tiny number of hackers with big payouts to create PR to waste as many hackers' time as possible. Probably setting them up and collecting dirt on them behind the scenes. That's what it feels like at least.
This is sort of my issue with bug bounty programs: it can easily start to feel like extortion when a 'good samaritan' demands money. But they promised it to you by having a bug bounty program, then denied it. You feel rightfully cheated when the bug is legitimate, and doubly so when they acknowledge it. But demanding the money feels weird as well.
I try to go into these things with zero expectations. Having a mediating party involved from the start is a bit like OP immediately CC'ing the CERT: extra legal steps in the disclosure process. Mediating parties are usually a pain to work with, and if it's deemed "out of scope" then they typically refuse to even notify the vulnerable party (or acknowledge to you that it hasn't been disclosed). I don't want a pay day, I just want them to fix their damn bug, but there's no way to report it besides through this middle person. Literally every time I've had to use a reporting procedure (like HackerOne), it has resulted in tone-deaf responses from the company or complete gatekeeping. All of those bugs exist to this day. Every time I can email a human directly, it gets fixed, and on some occasions they send a thank-you like some swag and chocolates, a t-shirt, something.
Based on what I hear in the community, my HackerOne experiences have been outliers, but it might still be more effective (if you're not looking to collect bounty money) to talk to organizations directly where possible and avoid the ones that use HackerOne or another mediation party.