
How we run our bug bounty program - leifdreizler
https://segment.com/blog/bug-bounty-at-segment/
======
chabad360
_"All of our most critical submissions have come from researchers that were
originally rewarded for a well-written duplicate."_

I think that's a key line that should have been added to the top tips.

~~~
leifdreizler
Thanks for reading my blog. I tried to keep the "top tips" short and thought
this was partially captured via

- Pay for anything that brings value
- Pay extra for well-written reports, even if they’re dupes

with the hopes that if someone saw this and wanted to read more they'd skim
through the blog :)

~~~
TheCrott
I have a question about your bug bounty program. What's the best way to reach you?

~~~
leifdreizler
@leifdreizler on Twitter! LinkedIn is also fine but I don't check it as
regularly.

------
devmunchies
Not a Segment-specific question, but if I discover a bug while working on a
task for my employer, will that bounty be discounted off the bill or will it
go to me directly? What's typical?

~~~
tptacek
It's best practice to get permission from your employer to submit bugs you
discover on their time to bounty services, and then for you to collect the
entire bounty. It's common for people just to quietly submit bounties; I
wouldn't, but then I work in a field where it's a big deal to disclose on-the-
job findings. You might not.

