Bounty Programs - a two way street - organizations and hackers must respect each other

This is my third post on the Bug Bounty phenomenon - it gets more fascinating as one digs deeper, and I am sure there will be still more to come.

Organizations rule the roost in doling out rewards in cash or kind, and by adding the names of young hackers on Walls of Fame or making Honorable Mentions. These decisions are internal and there is no recourse for the Hunter to dispute the value of the payout. 

Unfortunately this is presumptuousness on the part of the organization(s) running the bounty program. They need to realize this is not a one-way street, and they had better realize it quickly, or else they will start losing star Hunters to the alternate market.
I use the phrase "alternate market" so as not to spoil the reputation of my Hunter hacker friends, many of whom are too young to understand the strategic planning behind these programs or about exploitation. I would not like any of these friends to be associated with the dark underground markets, getting paid in virtual hot money and then trying to hide it, breaking the law.
Well, this is the scenario to consider - someone discovers a bug and classifies it as critical. It is submitted to the relevant organization - they do not understand the bug and reject it. Or, they do not accept that it is critical, classify it as low criticality, and the payout is a few peanuts.
Remember the infamous cases recently when Facebook refused to accept critical bugs twice. And then (sheepishly) they accepted the bugs when they were squashed in their face! Check this link:
FB refused to accept a bug that allows anyone to post on anyone's wall - the Hunter finally posted on Mark Zuckerberg's account to get noticed! http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/

There was another FB bug which the FB team did not understand, and they again demonstrated their pigheadedness. Check the search engines and you can find it.
The organization demonstrated its blind side - by acting in a high-handed manner - but, in the bargain, it now has a few disgruntled Hunters. The next time, this guy is not going to submit a POC for a serious issue, and the loser will be the organization! Why? Because the next time this Hunter finds a critical bug, he/she will demand the value he/she has placed on the find. If not paid that amount, he/she will go and sell it in the 'alternate market'.

That's why one has to realize it is a two-way street - the hacker is expected to do a 'Responsible Disclosure' and submit as per the terms and conditions put up by the organization, and this organization is expected to value the bug fairly and pay out asap.

The other risk is the hacker going rogue and causing havoc when ill-treated.

Drive along carefully on the two-way Bug Bounty Street - respect the hacker and his/her intelligence. Do not hide behind legal jargon and try to dupe anyone with low valuations.

Bug hunting is hard work, so make sure you reward the hunters well, or else be prepared for some unethical people crossing your perimeter.

So the next time you do not pay out an appropriate bounty, you may be doing yourself a disservice by arming underworld characters with knowledge about weaknesses that can be misused to damage your organization.
