Bug bounty.. or was it beg bounty / 2022-12-22

In August 2022 I received a report of a cross-site scripting vulnerability in The Virtual Bookcase and the reporter of the vulnerability never replied after I told him there was no financial reward for reporting bugs.

In November the bug report became public at openbugbounty: "virtualbookcase.com Cross Site Scripting Vulnerability Report ID: OBB-2858037 - Open Bug Bounty", so this confirms my theory of what the vulnerability was. I have fixed it, but this isn't visible at openbugbounty.

In this case the vulnerability wasn't severe and with the little amount of information I had from the report plus the access logs I was able to fix it. But in other cases the vulnerability may be more complex and the site owner who deals with a report like this can't just analyze the log files to get an idea of where the vulnerability might be.

I don't think the world becomes a safer place if information about vulnerabilities is only available if you pay for it.

The 'About the Project' page of the Open Bug Bounty project seems to promote an actual 'bounty':
A website owner can express a gratitude to a researcher for reporting vulnerability in a way s/he considers the most appropriate and proportional to the researcher's efforts and help.

As a matter of example, Google pays from $7,500 to $100 per XSS vulnerability submitted by security researchers. But Google is Google, you may adjust your remuneration range to any amounts comfortable for you.
At the same time, demanding a bounty before disclosing the bug is not OK on this platform. From the same 'About' page:
We always encourage the researchers to be respectful, responsive and polite, to provide website owners with all reasonable help and assistance.

If a researcher violates the enacted standards of ethics and good faith including but not limited to:
  • demanding remuneration to delete a submission
  • demanding remuneration to disclose vulnerability details
such submissions will be immediately deleted from our platform.
I hope the next vulnerability disclosure causes less irritation.


Reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.