by columbo 4577 days ago
I can see why they would want to set up rules instead of allowing anything to happen.

For example, if I was to set up a bounty I really wouldn't want people at random contacting current or former clients trying to phish for passwords; I completely understand this is a threat, but I would want to personally manage something like that.

With that said, if something like this was found I'd pay the person. There's a point where you just recognize "Oh shit, that's a big hole, pay the man."

2 comments

Your point is good. I'd solve the problem like this: Instead of whitelisting certain kinds of attacks and parts of the company for bounty eligibility, I'd create a very limited blacklist. This blacklist would consist of actions which, despite being good-faith security research, would cause unacceptable damage to the company. For example, blacklisted actions might include:

- Deleting the company's data.

- Stealing from customers.

- DDoSing the site.

If you find a bug by taking any of the blacklisted actions, you get no bounty.

This approach protects the company without unduly limiting the thoroughness of the review.

Well, this social engineering is what got Kevin Mitnick in jail.