by whatcouldimean 4621 days ago
Any bug bounty program suffers from tons of junk mail from people who copy-paste definitions from OWASP and misunderstand what's going on.

Bug bounty programs are as legitimate as the company wants them to be by providing the time of engineers to analyze the bugs and the funds to reward researchers. I don't think they can be bogus exactly; they are what they are.

Now, the reason they exist is because bugs have a value outside the bounty program. So you, as a researcher, either have something you can profit from (in which case the choice to report to the bounty is your personal choice and there are others should you have to reanalyze) or you have a worthless curiosity and you can't really complain that no one is giving you money.

It sounds like you spent time entering a 'marketplace' that you don't have the capability to fully participate in, if you're all hung up on Facebook turning over a reward.


You missed a key point, "responsible disclosure". Not only to the company but to the public. I care less about whatever bounty they give or do not give. They could just deny the bug, but this lingering is too much. I like Google's program, where you have to wait x number of days and then you can disclose any bug. I guess all I wish from these programs is that they fix the bugs fast, which is good for them. I did not spend time to enter anywhere. I was just curious one day and played around for an hour or two. I guess you are assuming too much about me and my capability, and you cared so much as to create an account just to reply to this post...meh :/