
Ask HN: Security Vulnerability Rewards - shivang
Hi,

You are working on a product and the product is still in the beta stage, and someone out of the blue sends an email to you that your site has these security vulnerabilities (valid ones) and asks for rewards in return.

Has anyone faced this kind of situation? We are willing to give him the reward, but being in beta stage, we are still not sure as to what and how much we should reward him.
======
dsacco
Speaking as a security consultant - don't give a reward. What they did is
technically illegal and not in the spirit of security testing.

If someone finds a vulnerability accidentally (I've done this before), they
won't ask for a reward if they are professional and the company has no bug
bounty. It's reasonable to tell a company out of respect - it's unreasonable
to ask for payment, that implies almost a ransom and will encourage more of
it.

There is a problem with bug bounties these days in that they attract a lot of
people desperate to get into the InfoSec industry who don't necessarily know
what they're doing and have no professionalism (see @CluelessSec for example.)
Don't encourage it by giving a reward.

Cold calling (or emailing) companies to solicit penetration testing is okay,
casing the company for vulnerabilities and asking for payment is not. I do
suggest you find someone to do a solid penetration test of your company
however just out of principle.

~~~
shivang
@dsacco, thanks for a very clear direction where I should go. Did the same
thing, fixed the problems and thanked the guy :)

Thanks a lot for the answer.

------
debacle
A startup I worked for encountered this "unsolicited penetration testing."

If you offer them a reward or recognition, you are going to see many more
vulnerabilities being reported to you. You are going to start seeing port
scans on your machines and all sorts of scraping looking for vulnerabilities.
Some security vigilante is going to take down your service in the middle of
the day with an overly aggressive script.

The best course of action is to fix the vulnerabilities, thank them for their
contribution (in that order), and say nothing more. You don't have the time to
manage a bug bounty program right now, and by giving them recognition or
reward you are in effect starting an ad hoc bug bounty program.

~~~
shivang
Thanks a lot for the answer. We are doing the same thing as you have
mentioned.

This is an unnecessary distraction though at this point of time :)

------
sarciszewski
You should probably take the time to think about how you're writing your
software soon, and maybe consider the possibility of hiring a consultant to
audit your code before you ship.

Also, what debacle said.

