Bug Bounty Programs: Why it’s considered a hassle and what you can do about it

Imriah
SSD Secure Disclosure
3 min read · Sep 13, 2021

Disclosure and bug bounty programs can be a double-edged sword. They can spare you the hassle of contacting a vendor and negotiating a reward yourself, a process in which you might wait weeks just for a first response. But these programs can also turn you down completely, as they can be quite picky, leaving you to handle the entire process on your own.

As mentioned in one of our previous articles, bug bounty programs keep popping up, but the question remains: are these programs worth the hassle, and do they deliver on their promises?

Over the past two decades, bug bounty programs have become more and more prevalent in the tech community. The process of finding a vulnerability, disclosing it to the vendor, waiting for a fix, and finally publishing the vulnerability, along with a CVE, has become just another part of keeping the online ecosystem secure.

The Bug Bounty Hassle

Lately, security researchers have started raising doubts about this process. Many researchers feel that their work isn’t appreciated by vendors: they wait a long time to receive the payout they deserve, and sometimes they receive no payout at all. Vendors sometimes offer flimsy excuses to dismiss researchers and, a lot of the time, ignore them completely.

Source: https://twitter.com/RabbitPro/status/1436046768953757701

Even when a vendor does respond to your disclosure, it might still disappoint you. A vendor might ask that you not publish your findings, possibly under legal threat.

The experience isn’t always this complicated, but a vendor that keeps you hanging for a long time before telling you whether it accepts the vulnerability you submitted can still be quite frustrating. Sometimes vendors accept your submission only to cancel it at the last minute, or pay only a tiny fraction of the promised bounty.

The excuses range from “these products are no longer in use” to “this flaw is already known and will be fixed.”

Source: https://twitter.com/sickcodes/status/1435399082982326273

An Alternative Solution

These issues are pushing more and more security researchers away from vendors’ bug bounty programs and toward broker disclosure services that handle the vulnerability disclosure process for them. These brokers represent the security researcher before the vendor and ensure that the researcher receives the payout and credit they deserve, with zero hassle.

These services drive industry growth and higher payouts for unique findings, while also protecting security researchers in the process.

SSD helps researchers disclose vulnerabilities affecting major operating systems, software, and devices. SSD serves as a hub where researchers can keep track of and explore their scope of interest, submit their findings, and be rewarded as they always have been.

If you too want to avoid the hassle of bug bounty programs, get in touch, disclose your findings, and enjoy discreet, quick handling and generous rewards.

Join the conversation:

https://ssd-disclosure.com/

https://twitter.com/SecuriTeam_SSD

https://www.facebook.com/ssdsecuredisclosure
