
Bug Bounty, two years in - amitku
https://blog.twitter.com/2016/bug-bounty-2-years-in
======
paulpauper
my experience with bug bounties

Me: here is a bug

Them: it's a feature, not a bug [fixes feature]

~~~
busterarm
Or in my case recently with trying to get HubSpot to support PRURLs:

Me: Here is a bug. Your implementation does X when the specification says that
it should do Y. Here is the RFC and the relevant sections explaining how it
should work [link].

Them: This isn't a bug. Reference to some other popular piece of unrelated
software that also has a faulty URL implementation. Half-assed apology for
creating an un-resolvable problem for you while implying that you're an idiot
at the same time.

Side-note: Please, everyone stop writing your javascript URL validation with
checks for "http(s)"
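
The failure mode above, as an added example that is not from the thread and not HubSpot's code: the naive "starts with http(s)" check beside a validator that resolves the reference against the page's base URL (the WHATWG URL parser used by browsers and Node) and only then inspects the scheme, so a protocol-relative URL such as `//cdn.example.com/app.js` is accepted and resolved correctly. The base URL, host allowlist and sample inputs are constructed for the example.

```javascript
// Added example: URL validation that handles protocol-relative URLs (PRURLs).
// Not code from the thread or from any product mentioned in it.

// The pattern the comment complains about: a string check for "http(s)".
// It rejects every protocol-relative URL ("//host/path") and every
// path-relative one ("/path"), although both are valid URL references.
function naiveIsValidUrl(input) {
  return /^https?:\/\//i.test(input);
}

// Assumed base URL of the page doing the validation (example value).
const DOCUMENT_BASE = "https://app.example.com/dashboard/";

// Resolve the input against the base first, then check the scheme of the
// *resolved* URL. "//cdn.example.com/app.js" inherits the base's scheme
// (https here); "/static/app.js" inherits scheme and host. Anything that
// resolves to a non-http(s) scheme (javascript:, data:, ...) is rejected.
// Returns a URL object, or null if the input is unparseable or not http(s).
function resolveHttpUrl(input, base = DOCUMENT_BASE) {
  let url;
  try {
    url = new URL(input, base);
  } catch (e) {
    return null; // not a URL reference at all
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null;
  }
  return url;
}

// A PRURL can point anywhere, so a caller that cares about the destination
// should check the resolved hostname, not the raw string.
function isAllowedHost(input, allowedHosts, base = DOCUMENT_BASE) {
  const url = resolveHttpUrl(input, base);
  return url !== null && allowedHosts.includes(url.hostname);
}

// Constructed sample inputs.
const SAMPLES = [
  "https://cdn.example.com/app.js", // both accept
  "//cdn.example.com/app.js",       // PRURL: naive check wrongly rejects
  "/static/app.js",                 // path-relative: naive check wrongly rejects
  "javascript:alert(1)",            // both reject
  "//evil.example.net/x.js",        // PRURL off-site: valid URL, wrong host
];

const ALLOWED = ["app.example.com", "cdn.example.com"];

for (const s of SAMPLES) {
  const r = resolveHttpUrl(s);
  console.log(
    s.padEnd(32),
    "naive:", naiveIsValidUrl(s),
    "resolved:", r ? r.href : null,
    "allowedHost:", isAllowedHost(s, ALLOWED)
  );
}
```

The point of splitting resolution from the host check is that "is this a well-formed http(s) URL" and "does it go where I allow" are different questions; the prefix regex answers neither, and fails the first one for every protocol-relative input.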

~~~
cmdrfred
I never knew about PRURLs. I will do as you suggest.

------
danjc
So they've paid out $300k in two years? That sounds appallingly low and surely
unappealing for anyone bug hunting professionally.

~~~
JoachimSchipper
Bug bounties are basically not designed to lure in security experts who live
in a first-world country and who already have established a reputation.

~~~
paxcoder
It's crowdsourcing, and for-profit crowdsourcing is pretty much exploitative
by definition.

