I.T. Security and Linux Administration

Apr 30 2014   8:47PM GMT

Bug Bounty Program Critique

Eric Hansen

Bug bounty programs have really become a popular tourist attraction for IT security pros. The premise is that a company will pay $x for finding an exploit, based on various criteria like severity, impact, etc…

However, it seems more often than not, people are reporting exploits that should be paid for, and getting refused for whatever reason the bounty head wants to claim. It feels more like hiring a pen-tester to test the network, getting a report and never paying them for the services.

I’m not saying to pay for every XSS exploit found (these days XSS doesn’t even seem to be a threat), but how is this not worthy of at least something?
