by leftcenterright 414 days ago
Beg bounty hunters have damaged the field so much.

But even in 2025, I have come across companies who do not at all care about rewarding good security researchers who report issues. Hell, I have even been ghosted after reporting the bug which they promptly fixed and did not even write back to say a "thank you". Has anyone else also encountered this behavior from tech companies? (not talking about a non profit, hospital or gov agency here)

5 comments

Yes.

I'm a security researcher - no quotes. I write detailed, highly technical write-ups for all of the issues I discover, including reproduction steps, root cause analysis and suggestions for fixes. I follow all responsible disclosure guidelines + any guidelines that the company or entity might have for security disclosures.

It's disheartening when you put this amount of effort into it, it gets silently patched, and you get no recognition or even a "thank you". But I don't let it bother me too much. I'm doing this research mostly for myself and because I find it interesting. The fact that I'm disclosing the issues is me being a good citizen, but I shouldn't expect a pat on the head for every issue I disclose.

Being ignored always sucks. But it's still infinitely better than doing all of the above and being threatened with a lawsuit (which has, unfortunately, happened as well).

Companies like that need to be outed so that no one will ever do any testing whatsoever for them in the future.

Hard disagree - it is far more important that they fix their shit even if they are shitheads.
Without feedback you don't know that the bug was fixed in reaction to your bug report. It might have been - but unless they explicitly invited bug reports in return for something then it's at worst bad manners not to acknowledge in that case. Debatably poor self-interest on their part as well.

As you note, the field has been damaged by bounty hunters. When the SNR drops low enough there's no point even reading the damn things and high-quality reports will be discarded along with the dross.

> Without feedback you don't know that the bug was fixed in reaction to your bug report.

In this particular case, they did say they would consider a reward for a severe bug (it was severe, DNS hijack) and then once I shared details, the next day I checked, they had fixed it and never wrote back.

Next time you find a bug there you sell it to the highest bidder. Or maybe not you, but someone will do that. It's not really a winning strategy...

I did not know bug bounty had such a bad rep. Is this for reporting bugs outside of the bug bounty platforms?

> Is this for reporting bugs outside of the bug bounty platforms?

Nah, in this case they simply had no official bug bounty program/platform.

I would guess that a big factor is mindset and tech culture across different companies or having a bad head of something who doesn't get the point of bug bounty / promoting responsible disclosure.

Yup. I reported what I considered to be a serious security flaw to a _security company's_ product. They wrote back (since I was a paying customer), telling me that it wasn't a security issue. A few weeks later they had patched the totally-not-a-problem thing.

Yeah, it's pretty common. Some years back I reported a stored XSS vulnerability in an online marketplace with hundreds of thousands of users - a proper writeup with HTTP requests, proof of concept, impact, etc. No mention of bounties/rewards or anything like that - just a vulnerability report.

I made multiple attempts to report it to their security team/mailbox over several months and never got any response or acknowledgement back from them. Then a few months later they quietly fixed the issue.

> Beg bounty hunters have damaged the field so much.

Sure, the grifters themselves are guilty too. But hear me out: maybe the corporate geniuses who decided to crowdsource security using non-contractual if-we-feel-like-it bounty payments could have contributed to the grifting culture.

> Hell, I have even been ghosted after reporting the bug which they promptly fixed and did not even write back to say a "thank you".

Just curious, why perform labor without a contract? If it’s just for personal interest, I wouldn’t even bother to report unless the company has something to offer first.