by thaumasiotes 24 days ago
To corroborate, working in bug bounty triage, I never saw any evidence of reluctance to pay out.† The worst company-side behavior I observed was asking researchers to "please stay away from X" in their proof-of-concepts and then making higher payouts to researchers who ignored that instruction (because, after all, the demonstrated risk was higher!).

On the other side of things, I saw one major program pay out at an inappropriately high tier, over and over again, because a long time ago the researcher had successfully argued that his garden-variety XSS exploit could be used to generate an effect that was listed at a higher payout rate, and then he made sure that whenever he found an XSS, he included a proof-of-concept generating that same effect. Other researchers reporting XSS got the listed XSS rate.

† Actually, I can think of one time. Someone achieved the holy grail and installed a webshell on a company server, which under current guidelines would have been worth more than $10k. However, they didn't uninstall the webshell. They just filed their report and left it up. This enraged the head of the program, who commented specifically that he didn't want to pay out a bounty because of it. I don't recall whether a bounty was ultimately paid or not.


ooc, would you claim it's the responsibility of the security researcher to remove the webshell, or the company's as soon as they were notified? Was it publicly discoverable and exploitable, or was there some form of protection?

I would agree it's the researcher's responsibility. It's not that the company put up a webshell for kicks. The researcher found an exploit (good), and used it to install a webshell, demonstrating the highest possible risk (fine).

Once the shell is up, anyone who finds the URL has code execution on the server, because that's what a webshell is. Using it is a different skill than installing it.

Imagine I figure out how to jackpot your bank's ATMs, and I demonstrate this by setting a public ATM into "press button to receive $20" mode, pressing the button, getting $20, and sending you a letter describing how I did that, with the $20 scrupulously enclosed. Meanwhile, the ATM remains in the state of "press button to receive $20". How happy would you be?

Was it publicly discoverable?

Technically, yes, though realistically you'd have to guess the URL. I would find it pretty funny if one attacker got access somewhere by guessing the URL of a webshell installed by a different, more self-sufficient attacker, but that's not to say it doesn't happen.

Was it publicly exploitable?

Yes; the researcher didn't set up any authentication or anything.
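The point above is that a leftover webshell is just an extra executable file sitting in the web root, reachable by anyone who knows its path. As an added example (not from this thread or any program's tooling), here is a small Python integrity check a defender could run after a report comes in: it records a manifest of the deployed tree, then flags any added or modified file with a server-side script extension. The directory layout, file names and extension list are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a typical web server would execute when requested. An unexpected
# file with one of these under the web root is the classic leftover-shell
# signature. Constructed list for this example; tune it to the real stack.
EXECUTABLE_EXTS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".cgi"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large assets do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict[str, str]:
    """Map each file's path (relative to webroot, POSIX style) to its SHA-256."""
    manifest = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(webroot).as_posix()] = sha256_of(p)
    return manifest


def diff_webroot(baseline: dict[str, str], webroot: Path) -> dict[str, list[str]]:
    """Compare the live tree against the deploy-time baseline.

    'suspicious' is the subset of added or modified files that the server
    would execute, i.e. the ones worth looking at first when a PoC shell
    may have been left behind.
    """
    current = build_manifest(webroot)
    added = [p for p in current if p not in baseline]
    modified = [p for p in current if p in baseline and current[p] != baseline[p]]
    removed = [p for p in baseline if p not in current]
    suspicious = [p for p in added + modified
                  if Path(p).suffix.lower() in EXECUTABLE_EXTS]
    return {"added": added, "modified": modified,
            "removed": removed, "suspicious": suspicious}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: deploy a clean site, record the baseline, then
    simulate a leftover PoC file plus an edited page and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "assets").mkdir()
        (root / "assets" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        baseline = build_manifest(root)

        # Simulate what the thread describes: a new executable file under a
        # guessable path (placeholder content only) and a modified page.
        (root / "assets" / "cache.php").write_text(
            "<?php /* constructed placeholder, no shell logic */ ?>\n")
        (root / "index.php").write_text(
            "<?php echo 'hello'; ?>\n// constructed edit\n")
        return diff_webroot(baseline, root)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In practice the baseline manifest is generated at deploy time from the artifact that was shipped, stored outside the web root, and the comparison is run from the incident response side rather than on the possibly compromised host itself. The "suspicious" list is a triage aid, not a verdict: a legitimate hotfix shows up there too, which is exactly why the thread's "redeploy to a clean state" step makes the question moot.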

I... just can't wrap my head around that.

Once the notification is in and the shell demonstrating it is up, it should be immediate: redeploy to a clean state, fix the hole, redeploy to a patched state.

The shell disappears on step one.

Instead some moron has the audacity to get all hurt because the broken system he is responsible for has not been patched back by the attackers?

What is this lunacy?

It's at the minimum a bit impolite to leave the system more vulnerable in between sending the report and the report being received and acted on.

It didn't become any more vulnerable.

This is security, you have to have procedures for when you get owned; the bug bounty program is orthogonal to that.

If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

> It didn't become any more vulnerable.

That depends on how secret the URL was. If you go from needing an exploit to just visiting a guessable link, that's significantly more vulnerable.

> If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

Well most people wouldn't, and for good reason.

If the URL was unpublished, isn't that the same-ish as password protected?

All about bits of entropy, i.e. difficulty of guessing.

It happened many times to me, especially on H1 but also from senior FAANG engineers on their mailing lists. If your job is to pretend all is fine it is easy to discard valid reports.