How do you handle bug bounty requests?

Yvik Ye
8 replies
Recently, we've received several emails from individuals claiming to have found vulnerabilities on our website and requesting a reward, typically in the form of a cash bounty. Some of these vulnerabilities are ones we were already aware of, while others are new to us. Have you encountered similar situations? Here are a few questions we're grappling with:

1. What is a reasonable reward for such findings? We're curious about the range of bounties others are offering. How do you determine the amount?

2. How do you manage communication with these individuals? What's the best way to handle their requests professionally and maintain a positive relationship?

Any advice, best practices, or insights would be greatly appreciated!

Replies

Zoya Shah
Handling bug bounty requests involves a structured process: acknowledge the report promptly, validate the issue, prioritize based on severity, and communicate transparently with the reporter. Offer rewards as per your program's guidelines and ensure timely fixes. Promote your brand with tote bags, ideal for giveaways and events. These eco-friendly bags provide great utility while keeping your brand visible. Choose tote bags for an impactful, sustainable marketing solution.
Sukumar
Got a bug report? We’ll investigate and sort it out, keeping you informed.
Annie Engelhardth
When I get bug bounty requests, I assess the impact of the vulnerability to decide on the reward. I’ve found that offering a range based on the issue's severity works best.
Marc Chia
Rewards can be all over the place, but here are some things to think about: How bad is the bug? Serious issues (like ones that let someone take over your system) should get a bigger reward than minor ones (like info leaks). Also, it depends on the impact on your business. Lastly, it will vary depending on where you are located. Bounties can vary a lot depending on where you are based. Here are some ballpark figures:

Low severity: $50 - $200
Medium severity: $200 - $1,000
High severity: $1,000 - $10,000
Critical severity: $10,000+

Comms-wise, I think it's the standard: be polite but firm. I think it doesn't hurt to be friendly but also say no if the price is too high. Always useful to build a contact for assistance in the longer term if you find someone you can trust.
Samantha Den
Reward should reflect the bug’s potential damage. Regular updates and respectful responses are crucial.
Steve Troy
Offer varying rewards based on bug complexity. Keep communication clear and professional, appreciating their findings.