News

Bug bounty programs don’t always pay up: researchers

Bug bounty platforms have filled a genuine need by connecting security researchers and pen-testers with products vendors in a manner that promotes security awareness, collaboration, and provides monetary incentives for vulnerability reporters.

But they are not without their issues. 

This week I reported on BleepingComputer how a bug bounty reporter had plagiarised an exploit originally posted by researcher Guido Vranken, and walked away with a cash award via Monero’s HackerOne bug bounty program.

It wasn’t until later that the original reporter had noticed the incident, which is when Monero confirmed that the bug report had indeed been stolen.

But, even in clear cut cases where plagiarism isn’t an issue, bug bounty platforms have recently earned a reputation for not always paying up even when legitimate security vulnerabilities are reported by the researchers.

Actually, it is rather the product vendors running these bounty programs on platforms that bear the responsibility of paying bounty awards.

But, because the entire reporting workflow and communications are handled via platforms like HackerOne and Bugcrowd, it is not hard to see why many researchers may place blame where it may not belong.

Guido Vranken, whose exploit had been stolen mentioned to me in passing:

“HackerOne (or rather its programs) have gotten a reputation for not paying out rewards (for valid submissions), which is a distinct issue [than plagiarism] but it might interest you to research and report on that.”

We don’t pay for this, but we’ll fix this

Complaints from multiple security researchers finding that bug bounty programs often fall short of their promises when it comes to paying out bounties have surfaced in recent times.

A security researcher from a Fortune 500 company who prefers to remain anonymous told Security Report News:

“I did come across some other researchers posts claiming the same issue where their older report was ignored and thereafter exact same issue(s) were accepted months/years later when reported by others.”

“Another thing I have noticed is that HackerOne staff and vendor representatives try to downplay valid reports and fix the vulnerabilities silently but deny bounties. This has happened to me a few times and I am pretty sure it has happened to others as well,” they continued.

“Only when disclosure is requested, do they accept the report or issue a rightful-bounty. It’s a sad but true reality,” concluded the researcher.

Stories of other researchers that share this frustration of bug bounty programs applying their policies inconsistently have also been posted on Twitter in the past:

Researcher claims their vulnerability report was triaged but later closed as “N/A”
Source: Twitter

Another researcher who goes by the name Yumi had posted in 2018, how their previously filed HackerOne report was dismissed as “informative.”

Shortly, however, the company had silently patched the reported vulnerability.

Another researcher states their previously dismissed vulnerability report was silently worked on
Source: Twitter

Cases of companies trying to downplay the severity of reported vulnerabilities, or negotiating down the reward payouts are hardly surprising.

A recent example is, Slack paying a nominal $1,750 reward to a researcher who had spent significant effort on reporting a vulnerability. 

When asked about the inconsistent payment scenarios with regards to bounties, a HackerOne spokesperson provided Security Report News with some insights:

“While I can’t speak to these vulnerabilities specifically, there are many reasons a report would be closed as informative or not applicable. At its core, ‘informative’ means a report contains useful information but doesn’t warrant an immediate action or a fix.”

“A program can consider providing an alternative risk assessment or other mitigating factors, and public disclosure is available with mutual agreement.”

“‘Not applicable’ means the report doesn’t contain a valid issue and/or has no security implications. The customer has the final say on each vulnerability, but we advise customers to follow an industry-standard CVSS rating and create explicit direction for hackers on their program page to reflect their focus.”

“You can read more about [what the] report states here. If there is ever a disagreement both hackers and customers can request mediation from HackerOne,” the spokesperson told Security Report News.

The detail shared by HackerOne is helpful indeed in clarifying what constitutes terms like Informative and Not Applicable in this context.

However, unless policies on validating the authenticity of vulnerability reports and on bug bounty payouts are reviewed and made more consistent, researchers are likely to explore other avenues for making their discoveries public, if not ignore responsible disclosure guidelines altogether.

It is worth noting that critical exploits could sell on the darknet for far worth more than what a nominal bounty payout may entail. Earlier this year, a Zoom zero-day exploit was being sold for $500,000.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

12 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

12 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

12 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

12 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.