Hacker News new | ask | show | jobs
by sneak 1830 days ago
Lots of bug bounties are really just hush money, that you have to sign an NDA to get.

Always just publish your research. You can optionally offer it privately to the affected party in advance, but don't agree to any TOSes to do free work.

Full disclosure is responsible, too.
3 comments
underdeserver 1829 days ago
Yep, you should really give up significant income from companies that do responsible vulnerability disclosure in the name of a random HN's commenter's values.
link
sneak 1829 days ago
At no point did I say you should give up income.
link
underdeserver 1829 days ago
"Always just publish your research."

In most bug bounty programs I've seen (including Apple's and Facebook's) payouts are contingent on not publishing the research without consent.

link
Leparamour 1830 days ago
I assume lots of bug hunters (especially those from third world countries or those currently unemployed) depend on the bounty money to support their livelihoods.
link
sombremesa 1829 days ago
That’s a bit like hitting the slots to support your family. Not only do you have slim chances to find anything that pays out a worthwhile sum, even if you do find such a bug they might come back with a “sorry, already reported”. If they get back to you, that is.

It’s not something to rely on at all.

link
rapind 1829 days ago
This is why I think a third party bug bounty middleman service is inevitable. They will be better equipped to exact appropriate remuneration and develop relationships.

Companies should be trying really hard to avoid this happening by offering better rewards with less hoops to jump through.

link
belter 1829 days ago
Agree. It is a business opportunity. It will have to be a US based company as only those will have enough funding to both fight the legal fights and lobby for legal protection.

For the first few years the company will be considered a level just above common criminals. After a few while, they will be considered an essential consumer protection service.

link
throwaway4400 1829 days ago
Any corporate is going to make you sign something to receive the cash. The terms would not normally be as strong as an NDA though, otherwise we wouldn't see any bounty reports.
link