Are you submitting bugs for free when others are being paid? Welcome to BugBounties!

Hi there!

I’ve been doing bugbounties since 2015 and whilst it started off fun, it’s really taking it’s toll on me and I have to say: i’m fed up. And i’m not the only one.

All we want to do is work with companies to help them secure their assets and for it to be a fair & fun environment for both parties. Platforms are ruining this and destroying their researchers. We are meant to trust Platforms, but everyday that trust with researchers is getting thinner & thinner when they allow companies to effectively scam researchers out of our time in the hopes of getting paid.

Seriously though, have you ever submitted to a VDP? Chances are that company has a secret program which pays. Most people new to bugbounties are told, “Go and work on the public programs to build your rep and then you’ll get private invites!”. You are literally busting your ass off for free when the “oldschoolers” are all in the same program w/ same scope, but getting paid! When I first started I did not have to prove myself by submitting bugs for free. This is not a fair system and I hate that I am apart of it. I hate seeing people submitting bugs for free when i’m in the private program and I sit there like… “Wow, this isn’t fair!”. But little ole me can’t do anything because everytime I speak up I just get silenced from platforms/programs. So because i’m outing sh!tty behaviour, I get punished. What a world we live in!

What’s stopping me from looking at disclosed bugs on the VDP, trying to break the patch and then submitting it to the paying program? I’d get paid from someone elses research. I actually saw someone report a cool bug to a VDP last month and messaged a few of my friends. The researcher could have got paid up to $20,000 but they had no idea. Instead they received some rep. I bet they’re thrilled. They were hacking to get rep to earn money (because remember, this is the motto of platforms: More bugs, more rep, more priv paying invites!), yet the opportunity was right there. They just didn’t know.

I confirm with one researcher, same scope, one pays, the other doesn’t.

I reached out to one platform to ask them why they were allowing a certain company to run a VDP and a private program. This was the response:

Wait, what? So this platform is allowing this company to use a VDP to “recruit” hackers into their private paying super duper top secret VIP pros only program. Isn’t that why platforms stats exist? To prove our “worthyness”? You’re telling me my impact and severity means NOTHING? Can we re-think this one? Create a CTF or something. Stop taking bugs for free to “maybe” recruit people into your paying program. Chances are after you’ve ran a VDP for 6months you’ll start paying publicly anyway. Yeah, companies do that.

Interested by that reply and wondering what the wording would be like in the policy for ‘recruiting’ hackers and thinking what others would think, I went to check the policy in detail. It says NOTHING in the VDP program policy that if you do “well” you will be invited to their private program. Surprise surprise.

This means you may submit bugs for free for 3months and STILL not get an invite.. bye bye 3months of work. I get it, “i don’t care about getting paid, I just do it for fun in spare time”. Sure.. but yet JoeBloggs over there is tweeting how he’s earnt $10k. (Let’s not forget platforms ENCOURAGE you to tweet about how much you’ve earnt! And let’s face it, bugbounties has become a cashgrab because people are seeing huge numbers for what sometimes look like simple to find bugs). Bet your happy for this researcher, but you may of submitted a bug for free to the very same program which was eligible for a nice payout too. That’s a nice 2 week holiday for something you do in your “spare time”. Who wouldn’t want that? But mainly, why did one researcher deserve it and another didn’t?

Want another example? Researcher 8ayac submitted a few High bugs to GitLab and received absolutely nothing, yet in the hacktivity I could see people getting paid. How is this fair? Just because someone is new to bugbounties/hackerone, they are to be punished and hack for free? Can you see where this “elite crowd” is coming from? THE SAME PEOPLE ARE IN THE VIP PROGRAMS!

I reached out to the researcher to see if he knew.

That last part is one reason why I am writing this post. To stick up for others and to become a voice & expose the shitty behaviour ongoing with some companies & platforms.

The current model for bugbounties seems to be the longer you’ve been doing them, and the more people you know, the better you do. Nothing to do with your hacking skills at all. Seriously. Some familiar names on that list huh?

8ayac would of received around $17,000 in total had he of been in the VIP program. What qualified to get into this program? certainly not impressing them with good reports it seems. And would 8ayac ever of known if not for the good will of researchers talking? But what did he get instead? Nothing. All because he is new and doesn’t have much rep. Guess rep = hacking skills. (/sarcasm).

He even asked them about payments. You’d of thought GitLab could see he is reporting some really cool bugs with impact and would want to work with him more more closely and encourage him to look further (their policy even says GitLab is committed to working with security experts across the globe to stay up to date with the latest security techniques ). But nope because he isn’t apart of the VIP group and is seen as a newbie, companies are okay for him to use his time for free. Free pentest, why not?! Whats the researcher going to do? Cry on Twitter? The company is in full control & doesn’t care. Any problems and the company will have you silenced, like I have been in the past. Companies > researchers.

But hang on here.. WE’RE the product and you want to rely on US looking at your stuff continuously. This is totally taking advantage of the good will of some people.

How can I advise people new to bugbounties where to start if i’m literally sending them to waste their time when others are being paid. Time is the currency of life and lost time can’t be replaced.

So what can be done? I’m afraid I don’t know. But I know that bugbounties are overhyped and not sustainable. And if you are new, good LUCK! Seriously. This place is super crowded. I don’t recommend anyone does this full time and bugbounties should only be treated as a side hobby in my opinion.

I personally hope to get out of doing bugbounties full time by the end of this year. Where to? Who knows. But one things for sure: us researchers need to look after each other because simply put, no-one else is, we’re on our own out here! ❤

  • zseano

UPDATE FROM GITLAB

GitLab commented the following:

“As an update: The hacker reported some valid vulnerabilities during a time where GitLab was only running a private bug bounty program with limited scope and not offering monetary rewards for the public vulnerability disclosure program, with a much broader scope. By hacking on the HackerOne platform and submitting valid vulnerabilities, hackers earn reputation points, which can earn them invites to private programs. The hacker at the time didn’t meet the reputation requirements for an invite to the private bug bounty program.

We were and are so grateful for all the hackers that participated in our public vulnerability disclosure program and actively encourage them to participate in GitLab’s public bug bounty program that launched in mid December 2018, which offers monetary rewards for all valid submissions.”