Questions tagged [bug-bounty]

Related to design, workings and operation of bug bounty programs. DO NOT use for questions about specific vulnerabilities, attack methods or anything unrelated to the mechanics of vulnerability reward programs.

A bug bounty program (BBP) or vulnerability reward program (VRP) is an offer made by a company to reward individuals for reporting vulnerabilities in their websites or software products.

56 questions
8
votes
1 answer

Bug bounties - Should I report 0days in third-party components?

Assuming that: Vulnerabilities in third party components are not explicitly excluded in the scope of the program. The issue is reproducible in the specific target. Should I report the issue to the third party developer only, or to the program too?…
Not Now
5
votes
2 answers

What does Zerodium do with their bought exploits and bugs?

I came across the cybersecurity company Zerodium. They offer bigger bounties than most of the companies calling for bug hunters: Because of the bigger bug bounties, bug hunters sell their found exploits/bugs to Zerodium rather than to the company…
Nightscape
2
votes
1 answer

What to do if bug bounty program is unresponsive?

Over a year ago, I reported a few security vulnerabilities to one of the top bug bounty programs on HackerOne. All of them were quickly triaged as critical, but no progress was made towards their resolution. I have repeatedly pinged them…
user252156
0
votes
1 answer

Facebook rejects a valid DoS'able vulnerability in WhatsApp - what should I do?

I found a vulnerability in WhatsApp which allows the attacker to temporarily lock you out of your account (which results among other things in a loss of productivity e.g. stemming from a loss of the chat history). I've reported it via Facebook's bug…
Artem S. Tashkinov
0
votes
0 answers

Bug bounties - Reported a bug to a company, nothing has been done

I discovered a bug in an order page of a big American company in April 2017. I reported the bug to said company and they haven't done a thing; I email them from time to time, but the bug is still there and they haven't done anything related to…
R. Jay