I use the phrase "alternate market" so as not to spoil the reputation of my Hunter hacker friends, many of whom are too young to understand the strategic planning behind these programs or the business of exploitation. I would not like any of these friends to be associated with the dark underground markets, getting paid in virtual hot money and then trying to hide it, breaking the law.

Well, this is the scenario to consider: someone discovers a bug and classifies it as critical. It is submitted to the relevant organization; they do not understand the bug and reject it. Or they do not accept that it is critical, classify it as low criticality, and the payout is a few peanuts.
Remember the infamous cases recently when Facebook refused to accept critical bugs twice, and then (sheepishly) accepted the bugs when they were squashed in their face. Check these links:

FB refused to accept a bug that allowed anyone to post on anyone's wall; the researcher finally posted on Mark Zuckerberg's account to get noticed: http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/

There was another FB bug which the FB team did not understand, and they again demonstrated their pigheadedness. Check the search engines and you can find it.

The organization demonstrated its blind side by acting in a high-handed manner, but in the bargain it now has a few disgruntled Hunters. The next time, this guy is not going to submit a POC for a serious issue, and the loser will be the organization. Why? Because the next time this Hunter finds a critical bug, he/she will demand the value he/she has placed on the find. If not paid that amount, he/she will go and sell it in the 'alternate market'.
Labels: bounty hunter code of ethics, bounty payments, bounty program, bug bounty, responsible disclosure