Hacker News

KolmogorovComp, today at 2:43 PM (2 replies)

Unfortunately this isn't all black-and-white. There are some bug bounties where the company is very eager not to pay any bounty, aggressively marking vulnerabilities as out-of-scope or working-as-intended.

In those cases you already lose time, but in the future you would also lose money.

Unfortunately you don't know how a company will react before submitting, especially if it's a small one.


Replies

malfist, today at 3:00 PM

It already doesn't stand on face value. These people are spending money to open PRs via their token costs.

Kwpolska, today at 3:42 PM

I think it would be fair to distinguish "reasonable report, but not actually a vulnerability" (where you get the submission fee back) and "slop" (where you don’t).