
Ask HN: Are bug bounties leading to bad outcomes? - eterm
More frequently I see bug bounty programs which list whole swathes of issues as "out of scope", even including things such as CSRF (not just *logout* CSRF (which is mostly harmless) but *all* CSRF).

Also, you see issues which are marked "duplicate" where the original was from months prior. This suggests that reports, even when accepted, are left unfixed.

Meanwhile a budget for bug bounties will I suspect reduce the budget for other methods such as traditional penetration testing which could lead to a cheapening effect on that sector too.

Are bug bounties leading to a false sense of security as participation widens, or do you consider them still a massive improvement over what came before?
======
Eridrus
They're just a tool. You can use them wisely or you can use them poorly. They
can be an incredibly useful additional set of eyes if you've already done the
basics, or you could get flooded with piles of issues that anyone could have
found.

I used to work in sec consulting a decade ago and it was a shitshow: clients
wouldn't have credentials ready when you were meant to start testing (but
they'd still get billed); we were told to scope pentests to IPs with no
listening services; management would downgrade risks because we couldn't
identify a new high risk issue since we'd already tested the same application
last year and the previous consultants hadn't found the problem; we'd get
asked to review 10m LoC applications in 5 days based on just the source code;
clients would ignore our recommendations and try to convince us that their
dumb ideas were secure because they were easier to implement, despite being
completely broken; I once had to listen to a client tell me that email didn't
use TCP but rather it "just sent it"; etc.

Our CEO once gave a presentation to the entire company where he said that the
reason our clients liked us wasn't that we were good, which he said was
entirely irrelevant, but that we didn't call them on their bullshit.

Not to say that _every_ engagement was a waste of everyone's time and money,
but you can mismanage a pentest just as easily as you mismanage a bug bounty.

------
twunde
Bug bounties are fine, but the problem is that I think a lot of companies are
unprepared for the amount of time and resources that they require. I think
that it's more cost-effective to do pentesting at first

