How do you handle bug bounty requests?
Yvik Ye
9 replies
Recently, we've received several emails from individuals claiming to have found vulnerabilities on our website and requesting a reward, typically in the form of a cash bounty. Some of these vulnerabilities are ones we were already aware of, while others are new to us.
Have you encountered similar situations?
Here are a few questions we're grappling with:
1. What is a reasonable reward for such findings? We're curious about the range of bounties others are offering. How do you determine the amount?
2. How do you manage communication with these individuals? What's the best way to handle their requests professionally and maintain a positive relationship?
Any advice, best practices, or insights would be greatly appreciated!
Replies
Zoya Shah@zoya_shah1
Handling bug bounty requests involves a structured process: acknowledge the report promptly, validate the issue, prioritize based on severity, and communicate transparently with the reporter. Offer rewards as per your program's guidelines and ensure timely fixes. Promote your brand with tote bags, ideal for giveaways and events. These eco-friendly bags provide great utility while keeping your brand visible. Choose tote bags for an impactful, sustainable marketing solution.
Share
When I get bug bounty requests, I assess the impact of the vulnerability to decide on the reward. I’ve found that offering a range based on the issue's severity works best.
Rewards can be all over the place, but here are some things to think about: How bad is the bug? Serious issues (like ones that let someone take over your system) should get a bigger reward than minor ones (like info leaks). Also it depends on the impact on your business. Lastly it will vary depending on where you are located. Bounties can vary a lot depending on where you are based.
Here are some ballpark figures:
Low severity: $50 - $200
Medium severity: $200 - $1,000
High severity: $1,000 - $10,000
Critical severity: $10,000+
Comms-wise I think its the standard be polite but firm. I think it doesn't hurt to be friendly but also say no if the price is too high. always useful to build a contact for assistance in the longer term if you find someone you can trust.
Reward should reflect the bug’s potential damage. Regular updates and respectful responses are crucial.
Offer varying rewards based on bug complexity. Keep communication clear and professional, appreciating their findings.