
Ask HN: Pricing a Bug Bounty/Security Disclosure? - thegrif
I&#x27;m hoping to harness the collective wisdom of the HN community in pricing the below find. Company is a well-established SaaS provider and assumes the security burden of safely handling large, raw data extracts from the CRM, e-commerce, marketing, and ERP systems of its customers.<p><i></i>Data At Risk<i></i><p>The  vulnerability exposed highly-sensitive data belonging to a <i>single</i> global Fortune 500 client. This included:<p>* a transaction-level feed of customer purchases
* 360-degree lifetime customer value across each line of business
* performance of marketing tactics and advertising channels used to drive purchasing habits
* fine-grained details into the performance of focused market segments.<p>The dataset spans several years. It was preprocessed to remove PII&#x2F;SPI and includes no information that could be used to tie purchase data back to an individual person.<p>The exposed information holds little to no value to the general public.<p>That said, it would be extremely valuable to related companies and the agencies working on their behalf. It is an extremely competitive industry with razor-thin margins. Even small improvements in the efficiency of customer acquisition and sales programs can move the needle.<p>Finally, an adversary can easily modify this data and the rules used during reporting - thereby skewing results and possibly resulting in large-scale misappropriation of marketing spend.<p><i></i>Control of Underlying Infrastructure<i></i><p>The vulnerability also exposed:<p>* unfettered access to scaling controls tied to the number and type of EC2 instances powering the underlying platform
* method to place and subsequently execute malicious code on said instances<p>CVSS base score is a 9.4: http:&#x2F;&#x2F;bit.ly&#x2F;328WOXl
======
TheCrott
Are they have bug bounty program? If they don't have and you are not hacking
with their permission, you are doing illegal hacking so they can take legal
actions against you, although your finding is valid.

