Comments on Skeleton Scribe: Reviewing bug bounties - a hacker's perspective
Blog author: James Kettle (http://www.blogger.com/profile/03270155456684307605)
Comments feed last updated 2024-01-16.

Anonymous, 2018-03-03:

Just saying thanks wouldn't be enough for the fantastic fluency in your writing.

fREW (https://www.blogger.com/profile/13153816435895384947), 2016-08-14:

I work at ZipRecruiter and we use HackerOne. As one of the people who receives vulnerability reports, I can say that maybe the reason HackerOne companies are sometimes black holes is that everything is done by email, and EVERY EVENT (comment, change in status, new report, etc.) creates a new email, which ends up meaning they get filtered or ignored. Just my experience.

Morty (https://twitter.com/morty_albanna), 2016-08-12:

Hi, great follow-up. In my opinion, if a company managed the program itself, it would then have some overhead to manage the program, maintain contact with the community for reporting and payouts, and provide the platform to do that, and hence it might spend more than the 20% charged by the platform. Each company has a budget when launching bug bounties, so what they award to the security researchers plus running costs is considered.

Indeed, there might be some cases where companies are excellent at managing the bug bounty program and save money which would go into the hands of the security researchers, but I think the most likely scenario is that they will hire in-house staff and invest in infrastructure, which is more costly.

So, in conclusion, until we get to the point where there is enough maturity in this field, the current approach is the most plausible approach to maintain engagement for security researchers, platforms, and vendors.

Morty

yaworsk (https://twitter.com/yaworsk), 2016-08-11:

Hey James,

Just wanted to reiterate my thanks for the article; really appreciate the insights! I reached out on Twitter about your thoughts on Cobalt.io taking a percentage from the bounty hunter, which sparked a mini conversation between you, myself, Jobert Abma and Mongo.

My original question was how you feel about Cobalt taking a percentage of bounties paid from a researcher. I agree with your response that taking a percentage is fine as long as the platforms provide value and there is enough left over for the hackers. You also flagged that HackerOne collects 20% of the bounty paid, which Jobert clarified is on top of the bounty paid to the hacker (i.e., a $500 bounty paid to a hacker is taken home by that hacker; HackerOne then charges the program $100, or 20%).

To that end, either way, bug bounty platforms are collecting money from the programs / sites who are inviting hackers (i.e., Uber, Dropbox, Codepen, etc.), which arguably would go into the hands of hackers if they didn't. The difference between the approaches is where that money comes from (i.e., the bounty paid or an additional charge to the program) and how that is perceived. Now, that said, without the platforms, it's likely there would not be as many bounty programs for people to work on. This isn't meant to imply platforms are hurting hackers. I think they are a fundamental piece of the broader bug bounty ecosystem.

Additionally, Mongo did suggest the possibility of alternatives to a percentage charged. To that, Jobert made a great point that that process incentivizes HackerOne to support and encourage the hacking community. However, in my opinion, that might be a bit of a slippery slope as, if it were a flat fee and hackers took home more, that additional money earned would also incentivize hackers to improve/learn/etc.

In contrast, I think the argument for maintaining a percentage earned by HackerOne is the value added to the community. Lowering the 20% or competing on fees may encourage a race to the bottom among platforms, which I think would have more severe, negative impacts on the bounty ecosystem than hackers sharing some of the revenue.

Anyways, hope others find this convo as interesting as I did. Additional thanks to Mongo / Jobert for a thought-provoking convo. If I got any of it wrong, I would be open to corrections :)

pete