by debacle
4200 days ago
A startup I worked for encountered this "unsolicited penetration testing." If you offer them a reward or recognition, you are going to see many more vulnerabilities being reported to you. You are going to start seeing port scans on your machines and all sorts of scraping looking for vulnerabilities. Some security vigilante is going to take down your service in the middle of the day with an overly aggressive script. The best course of action is to fix the vulnerabilities, thank them for their contribution (in that order), and say nothing more. You don't have the time to manage a bug bounty program right now, and by giving them recognition or reward you are in effect starting an ad hoc bug bounty program.
This is an unnecessary distraction though at this point in time :)