Yvik Ye

How do you handle bug bounty requests?

Recently, we've received several emails from individuals claiming to have found vulnerabilities on our website and requesting a reward, typically in the form of a cash bounty. Some of these vulnerabilities are ones we were already aware of, while others are new to us. Have you encountered similar situations? Here are a few questions we're grappling with:

1. What is a reasonable reward for such findings? We're curious about the range of bounties others are offering. How do you determine the amount?
2. How do you manage communication with these individuals? What's the best way to handle their requests professionally and maintain a positive relationship?

Any advice, best practices, or insights would be greatly appreciated!


Replies

Marc Chia
Rewards can be all over the place, but here are some things to think about: How bad is the bug? Serious issues (like ones that let someone take over your system) should get a bigger reward than minor ones (like info leaks). Also, it depends on the impact on your business. Lastly, it will vary depending on where you are located. Bounties can vary a lot depending on where you are based.

Here are some ballpark figures:

- Low severity: $50 - $200
- Medium severity: $200 - $1,000
- High severity: $1,000 - $10,000
- Critical severity: $10,000+

Comms-wise, I think it's the standard: be polite but firm. I think it doesn't hurt to be friendly but also say no if the price is too high. Always useful to build a contact for assistance in the longer term if you find someone you can trust.
Yvik Ye
@marc_spectre Hi Marc, thanks for your insights, it's really helpful. Will take it as a reference. 😁
Vaibhav
@marc_spectre This is a good breakdown. +1 for this!
Sukumar
Got a bug report? We’ll investigate and sort it out, keeping you informed.
Samantha Den
Reward should reflect the bug’s potential damage. Regular updates and respectful responses are crucial.