Hacker News

duozerk, today at 5:10 PM (4 replies)

> That's pretty bad! I wonder what kind of bounty went to the researcher.

I'd be surprised if it's above $20K.

Bug bounty rewards are usually criminally low; doubly so when you consider the effort usually involved in not only finding serious vulns, but demonstrating a reliable way to exploit them.


Replies

clucas, today at 9:55 PM

Here is a comment that really helped me understand bug bounty payouts: https://news.ycombinator.com/item?id=43025038

naeioi, today at 5:32 PM

The bounty could be very high. Last year one bug’s reporter was rewarded $250k. https://news.ycombinator.com/item?id=44861106

salviati, today at 5:22 PM

I think a big part of "criminally low" is that you'll make much more money selling it on the black market than getting the bounty.

wepple, today at 6:10 PM

> but demonstrating a reliable way to exploit them

Is this a requirement for most bug bounty programs? Particularly the “reliable” bit?