by camkego 1830 days ago
They are saying, in effect, you must sign/agree to our 81-page developer agreement to receive the reward.

Lots of bug bounties are really just hush money that you have to sign an NDA to get.

Always just publish your research. You can optionally offer it privately to the affected party in advance, but don't agree to any TOSes to do free work.

Full disclosure is responsible, too.

Yep, you should really give up significant income from companies that do responsible vulnerability disclosure in the name of a random HN commenter's values.
At no point did I say you should give up income.
"Always just publish your research."

In most bug bounty programs I've seen (including Apple's and Facebook's) payouts are contingent on not publishing the research without consent.

I assume lots of bug hunters (especially those from third world countries or those currently unemployed) depend on the bounty money to support their livelihoods.
That’s a bit like hitting the slots to support your family. Not only do you have slim chances to find anything that pays out a worthwhile sum, even if you do find such a bug they might come back with a “sorry, already reported”. If they get back to you, that is.

It’s not something to rely on at all.

This is why I think a third party bug bounty middleman service is inevitable. They will be better equipped to exact appropriate remuneration and develop relationships.

Companies should be trying really hard to avoid this happening by offering better rewards with fewer hoops to jump through.

Agree. It is a business opportunity. It will have to be a US based company as only those will have enough funding to both fight the legal fights and lobby for legal protection.

For the first few years the company will be considered a level just above common criminals. After a while, they will be considered an essential consumer protection service.

Any corporate is going to make you sign something to receive the cash. The terms would not normally be as strong as an NDA though, otherwise we wouldn't see any bounty reports.