Top 5 Red Flags of Bug Bounty Program
The best bug bounty hunters are not only hard-working people, but they also exhibit immense dedication, persistence, and patience. More importantly, they possess the critical skill of selecting the right program. Time is a hunter’s most valuable asset, and it shouldn’t be wasted on undeserving programs.
Recognizing the variety of targets, assessing different platforms, and selecting the appropriate program based on your abilities and interests can make a significant difference in bug hunting success. In this article, we’ll explore the Top 5 Red Flags what some Bug Bounty Programs have, which you should pay extra attention on.
🚩#1: VDP or Low Payouts
Vulnerability Disclosure Programs or low bounty programs are a good thing to test your automation on, practice and develop your hacking skills. Since there should be less competition and fewer bugs found by other hunters, you could consider it as a playground before you go on more serious targets. If you consider on doing bug bounty full time, you don’t want to put a lot of effort here. Just spend a couple of days, practicing the new things that you have to learned or if you can test a new tool, but nothing more than that!
The time is your most valuable asset, and top tier hunters do not waste it much on VDPs or low payout programs. You should focus your most time and energy on quality programs that respect researchers. For example, there are some huge corporations with multiple billions of revenue a year which have VDP instead of BBP. Why should they care much about security if they are not even considering 0.001% of their revenue for their company security? Maybe it’s a controversial opinion, but they are damaging their own reputation by not acknowledging security research.
Let’s be honest, most of us are here for bounties and improving security of the internet is just an end result of it but not a true purpose why are we here.
🚩#2: Low Average Payout
In my opinion, this says a lot about on how generous they are towards researchers. Even though, bounty payments are declared pretty high, you won’t know program owner’s attitude towards payout until you submit your first bug. Keep in mind that some programs use this as their marketing gimmick to attract a crowd. In reality, there are some cases when P1 and P2 bugs are marked as P3, and P3 and P4 will be deescalated as well to informational which are not paid at all! So it does not mean that if you find a Critical bug, you should expect to get 5k or any other high payout for it.
If the program is pretty old and their average payout is the same as the lowest bounty, it should instantly ring a bell! On the other hand, it could also be an indication that they haven’t got a serious bug for a while, but still you should keep those program statistics in mind before you start engaging with their targets.
🚩#3: Lengthy Response/Triage Times
Some might say that patience is a virtue, but in the world of Bug Bounties this is just partly true. Lingering too long for responses can undercut your productivity. While some elite hunters advocate for a set and forget approach, there are situations that might disrupt your workflow. Let’s delve into a few:
Scenario #1: After testing a product, submitting the finding, you will get the response after one month. By then, you might have moved on from that specific task and forgotten some key details. If your proof of concept involves a complicated setup, revisiting it after a significant time gap can be tiresome.
Scenario #2: Say you discover a vulnerability in a paid product. The validation process stretches over two months. By the time they confirm the issue, you might have to repurchase the product or service to verify the fix, incurring additional costs.
Scenario #3: You uncover a critical bug and, anticipating a substantial reward, you’re overcome with “Bug Fever”. However, a month later, the team responds, informing you that your discovery is a duplicate.
🚩#4: Lack of Transparency
Security researchers and dedicated program team members must operate with trust and transparency. Regrettably, there have been increasing concerns regarding the lack of transparency from some bug bounty triage teams. Let’s take a look into some cases where triage teams are abusing their power:
Case #1: The team members avoid explaining on how rewards are distributed. For instance, two researchers might report similar vulnerabilities but receive vastly different bounties without a clear rationale. Such discrepancies can hint at favoritism or a lack of clear evaluation criteria.
Case #2: The marking as duplicate can be misused without extra explanation. Some triage teams might prematurely mark submissions as duplicates to avoid paying bounties. In some cases, the team may not provide any screenshots or reasoning behind such decisions, leaving researchers feeling unfairly dismissed.
Case #3: As mentioned before, the triage team may deliberately minimize the seriousness of a reported vulnerability to decrease the reward. In cases like this, the program owners could avoid explaining the hunter their threat model, on why they have made this decision.
🚩#5: Too Many Things are Out of Scope
Organizations have unique threat modeling and want to focus on specific areas, but excessively narrowing the scope can be overwhelming. There are a couple of things you should pay special attention when reading an Out-of-Scope area:
- To Many Vulnerability Types. If the program only expects the certain types of vulnerabilities, this might raise some concern to you as a researcher. For instance, if you are good at finding XSS, CSRF and other client-side issues, there are some programs what only expect server-side issues. When much is out of scope, researchers might feel their skills and time are undervalued, leading to decreased participation. It’s better to find six $500 medium XSS bugs sometimes, than one $5000 critical RCE.
- Ruling out 0-day vulnerabilities. These types of vulnerabilities are among the most critical threats. The companies should value the time and effort made by the researchers dedicated to find those problems. It will usually greatly impact the customers and the business, so in this case the researcher should be acknowledged properly, even though there is no solution to the issue yet! If a company’s policy mentions that they won’t reward for CVEs known for 45 days, it’s a good indication to reconsider participating in that program!
The key takeaways
- Top bug bounty hunters carefully choose programs that respect their skills and efforts.
- VDPs can be seen as playgrounds for learning, but not for long term bug hunting.
- A low average payout can signal a program’s attitude towards fair compensation.
- Extended wait times for responses can negatively affect a researcher’s workflow.
- Trust and transparency between researchers and programs are crucial.
- Overly restrictive scopes should discourage participation.
Subscribe to my page to not miss any upcoming stories. I am active on Twitter, check out some content I post there daily! If you are interested in video content, check my YouTube. Also, if you want to reach me personally, you can visit my Discord server. Cheers!
References
- William Wallace tweet: https://twitter.com/phyr3wall/status/1604561643249504256
- Nathaniel tweet: https://twitter.com/nnwakelam/status/1398148107553050625
- Ben Sadeghipour tweet: https://twitter.com/NahamSec/status/1703802642504577357/
Bug bounty memes tweet: https://twitter.com/bugbounty_memes/status/1703866760133320739 - XSS Out of Scope meme: https://in.pinterest.com/pin/471892867210056229/
