Presumably any reward would need to be approved by an executive other than just the IT director since clearly they have no policy in place. The IT director would not want his department's incompetence to be known higher up the board.
As an aside, the OP claims it took 12 days to resolve but it is possible they took more immediate action by disabling the mobile app's ability to do transfers until they had resolved all the issues.
It took 12 days for them to reply back saying that "They're working on a fix". The fix was not out at least until Late December/Early Jan. And they did not block fund transfers during the intermediate period either.
The post is interesting, but I do not know why people assume they would get a bounty for a security report if the company does not have responsible disclosure / bounty program.
It would be common sense to pay a bounty. Similar to the reward you should get if you find somebody's wallet. If you are known for not paying a bounty (a finder reward) some people will not tell you your security holes (will not give you back your wallet).
On the long run this will be more expensive than the bounty. But the problem might be that if the would pay a bounty, they would admit that the screwed it, what their lawyers would like to prevent.
The options aren't just returning it or stealing it, they can simply leave it where it is to avoid the hassle of having to return it. Hence why having a custom of paying a reward might be beneficial for wallet losers in general.
I'd like to feel like people would be ethically and morally motivated to make efforts to do the right thing rather than expect to be rewarded for doing the right thing. Perhaps it is how I was raised, but it seems weird to me that I would turn in a lost wallet with expectation to get something back out of it. This so-called "custom" is not my custom. It actually seems very childish, where one is still in the phase of learning the importance of taking care of their neighbor.
Sure, but if I had heard several news reports of people finding and returning wallets being falsely accused of theft and subjected to serious legal threats, at that point if I saw someone's wallet lying around, I would just ignore it and keep going.
The bug bounty isn't only about the money. It's also the company's way of advertising 'we aren't crazy assholes like those outfits you heard about on the news'.
(Yes, fixing the law would be a good idea. But in the meantime, a bug bounty is the solution.)
Hassle free return, drop it in a mailbox. Leaving it is an option, but the custom of returning things to their owner exists because one good deed begets another.
I lost my wallet once and someone turned it into a nearby business, but with all the cash taken out.
Not sure if the finder or the business took the cash but I guess they got their own reward. Not what I would do, but I'm glad they didn't take the cash and trash the wallet..
You should always give one. Claiming it's an "insult" to thank someone for going out of their way to do something they didn't have to do (v. doing nothing or throwing the wallet out) sounds like an easy excuse to be cheap.
You gave them a tech analysis that should be worth some money, for free, at the same time (hopefully) bringing to their attention how bounty programs are a helpful thing for everyone. They should be feeling very lucky about it.
However, the thing that worries me with these things is that, what if some "bad guys" already knew about this and exploiting it and now that the bank is aware and might close the hole, makes them angry and looking for retaliation?
Hopefully you are taking precautions to be anonymous, but I know that where I live if I were to pull a stunt like that I would seriously consider watching my back for a while.
He is in Sweden. So definitely safer than being in India :-) Adding to that, I don't think bad guys from the computer world would go to great lengths to harm someone from physical world.
Being in Switzerland definitely helps, but still, India being a very big country it wouldn't surprise me if they had some really-bad-guys(TM) mafias capable of hurting people in other countries.
Of course, a small thing like this wouldn't necessarily pop up in their radars but still...
I guess part of the reason I think this way is because I live in a country where this is a real threat. Where posting things that real-bad-guys(TM) don't like can literally get you tortured and killed.
Having done similar pentests on similar applications during my previous jobs, you can imagine the level of security many editors have on the pair (client app, server). And we are talking here about a banking application: banks have always been more concerned buy security than other software consumers.
I would not do it (if I were the guy), India is litigious mess and a motivated financial strongman/entity can screw you for Years without a verdict and if they allege there is a hacking attack, the Judiciary is in no position to handle that kind of sophistication and have a more or less fire first and ask questions later way of doing things.
Prediction: in the coming months we will hear about more issues of this kind. This time though it will be mafia inspired by the story, stealing money for real.
Whether or not a bug bounty programme exists at a company, if a bug this severe comes through the door, it should warrant a reward.