10 Comments

Someone submitted a bug, we fixed it, he "asked" for a reward

We don't have a bug bounty program, but we do have a form to submit bugs. Someone submitted a bug, it took me a little while to sort out what they were referring to, but basically our site could be embedded in an iframe and was open to clickjacking.

We resolved the issue, I sent a thank you email, he responded saying a "reward" would be appreciated. I have no idea how to respond. Because as a developer I agree, and would love to offer him some token of appreciation for his diligence. But we don't have a bug bounty, and we're operating at a loss, even $25 seems like a stretch, I'm struggling a bit managing finances at the moment.

Any suggestions of how to handle this or how to respond?

  1. 5

    Create a HALL OF FAME page and add him to that page.
    E.g.
    https://postimages.org/about
    https://bugbounty.paytm.com/#hof

    Also inform him that you don't have a bug bounty program but would love to add his name to the hall of fame page, and ask for his permission and a link to his Twitter/FB page.

  2. 5

    If it's a customer, chances are they will be happy with the product working now.
    Or if not, give them 1 month free.

    But guessing it's not a client, it's a white hat (hopefully) security tester.
    This type of "bug" suggests that; it's not a bug technically, it's a possible although unlikely (risk increases with your app's popularity/exposure) security weakness.
    In that case I would (and have previously) notify them that unfortunately you don't operate a bug bounty program at the moment and are unable to afford to, but you will keep their details and notify and reward them when you are able to start such a program.

    1. 2

      Agreed with @awcode, I would offer him 1 month free. If he is not your customer, you can convert him into a customer. If he is your customer, he gets to use your service for free for 1 month.

  3. 4

    You don't have any obligations, so alternatives are:

    1. Politely decline
    2. Pay a reasonable market-price bounty for a similar company size / similar bug severity
    3. Find a way to reward him and not paying money right now. You can say that you can give him a significant discount or pay $X later. As soon as your company's monthly profit would reach at least $5X.
  4. 3

    Is this person a client of yours?
    Can you offer a discount on your product?

    If you can't, then it's just a matter of explaining why you can't accept their request in a way that feels right.

    Be honest: "unfortunately we don't have a bug bounty program right now, and all revenues are headed towards developing the company. Thank you again for your help"?
    (or something well written, English is not my mother tongue, so ... Don't trust me)

  5. 2

    Just for context: that clickjacking vulnerability is a very simple HTTP header check on their part. Knowing that many companies will offer some reward if asked, beginning researchers will try to find any company that appears to have some bug reporting mechanism and scan for that one missing header.

    If someone reports XSS or SQLi (more critical security issues), you should probably reconsider an actual reward.

    But in this case, explain that you are a small company and don't have the resources for bug bounties. If you have slightly more resources, offer to send some swag (T-shirt, etc.).

    If you want to show that you have good security posture (and invite more reports that will improve your security), definitely do the hall of fame that others have suggested. Also add a responsible disclosure policy to your site. Just a heads up: more people will submit vulnerabilities, not all of them will be valid, sorting through them will take time.

    Incidentally this is why bug bounty platforms charge money to do triage for you.

    Disclaimer: I do a lot of freelance work for a bug bounty platform (zerocopter.com).
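The "one missing header" check mentioned above, as an added example that is not code from the original thread or from any commenter: it evaluates a response's headers the way a scanner would decide whether a page can be framed. The header names, sample responses and the `assess_framing` / `parse_csp` function names are all constructed for this illustration. The rules it applies are the standard ones: a `Content-Security-Policy` with `frame-ancestors` takes precedence over `X-Frame-Options` in browsers that support it, `DENY` and `SAMEORIGIN` protect the page, and the obsolete `ALLOW-FROM` form is ignored by current browsers and so counts as no protection.

```python
"""Clickjacking (framing) header check over constructed sample responses.

Added illustration, not code from the thread. Rules applied:
  * CSP frame-ancestors is authoritative when present; X-Frame-Options
    is then ignored (CSP3 says frame-ancestors obsoletes X-Frame-Options).
  * Otherwise X-Frame-Options: DENY or SAMEORIGIN protects the page.
  * X-Frame-Options: ALLOW-FROM is obsolete and ignored by current
    browsers, so it is reported as unprotected.
  * Conservative assumption: any other X-Frame-Options value (invalid
    or conflicting) is reported as unprotected.
Note that frame-ancestors cannot be set from a <meta http-equiv> tag;
it only works as a real response header, which is what is checked here.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no headers at all": {"Content-Type": "text/html"},
    "XFO deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "XFO sameorigin (lowercase)": {"x-frame-options": "sameorigin"},
    "XFO allow-from (obsolete)": {
        "X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "CSP none": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "CSP self overrides permissive XFO": {
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
        "Content-Security-Policy": "frame-ancestors 'self'"},
    "CSP wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "CSP without frame-ancestors, XFO missing": {
        "Content-Security-Policy": "default-src 'self'"},
}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def assess_framing(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        policy = parse_csp(csp)
        if "frame-ancestors" in policy:
            sources = [s.lower() for s in policy["frame-ancestors"]]
            # 'none' or an empty source list matches no ancestor at all.
            if not sources or sources == ["'none'"]:
                return True, "CSP frame-ancestors 'none': framing blocked everywhere"
            if "*" in sources:
                return False, "CSP frame-ancestors * allows framing from any origin"
            return True, "CSP frame-ancestors restricts framing to: " + " ".join(sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers"
    return False, f"unrecognised X-Frame-Options value: {xfo!r}"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Run the check over a set of named responses."""
    return {name: assess_framing(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (protected, reason) in audit(SAMPLE_RESPONSES).items():
        print(f"{'PROTECTED' if protected else 'FRAMEABLE'}  {name}: {reason}")
```

To run this against a live site rather than the constructed samples, pass the `dict` of response headers from whatever HTTP client you use (for example `response.headers` from `requests`) to `assess_framing`; the fix on the site side is to add `Content-Security-Policy: frame-ancestors 'none'` (or `'self'`) plus `X-Frame-Options: DENY` for older browsers.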

  6. 2

    Ask for house address or po box, take a carton box and pack some local sweets/snacks and send it to them 🥰
    Edit: postcard would be nice as well!

  7. 2

    if you have swag just send him one

  8. 1

    I have a security policy that says how to report vulnerabilities but nothing about a bounty. A bit after putting that on my site with other legal policies, I started getting a lot of these kinds of emails (half or more of which weren't even actual issues).

    I paid a small amount to a few that had legitimate (but small) vulnerability reports which I fixed. But then I realized I couldn't keep paying so I started simply saying that I have no bug bounty program.

    A hall of fame page is a pretty good idea too. It's at least some compensation since they already told you the issue.

  9. 1

    Once someone reported a vulnerability in my product and he said that any reward would be appreciated. I did give him 20 euros as the vulnerability was something that needed to be fixed. It looked like he was doing this for a living (choose a product, find vulnerabilities, report them), like doing bounty hunting but not necessarily for companies that have a bug/vulnerability bounty hunting program.

    I know it was not much, but I think he appreciated it nonetheless.
