
If the hacker regularly does black hat stuff (and perhaps used black hat methods to obtain this access), they risk criminal prosecution by going through the official channel.

Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.

I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.



> Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out.

When they pay out. Some will even fix the bug, and just tell you "thanks, but it wasn't a security bug."


Happened to me in a minor way with ASCII chat characters running down the search engine results page into other results.

I reported that you could use this to basically block out the SERP and they said it wasn't a bug, then fixed it. I was hoping for a t-shirt at least.

Now I wish I would've abused it and blogged about it for the resume.


I found a bug (not a security bug) in an apparel company's website allowing unlimited reuse of their £10 vouchers. I reported it and got a free t-shirt :)


If you can exploit it to make economic damage, would that count as a security bug?


Taken to logical extreme, that would make any black PR or reputational attack a security vulnerability.

Infosec is certainly a hefty part of business continuity, but business continuity itself is a much wider topic.


I'd say it's a bug, but not a security bug.

Someone bragging about finding Zalgo in a SERP would not impress me when reading resumes.


You can still blog about it.


I agree with their assessment. No sensitive data's confidentiality or integrity was impacted, and no availability impact to users.


Their number one source of revenue (search engine results page) could be defaced.


Exactly, it's easier to sell your bug to 'mafia boy 2020' for crypto meme tokens on some shady fraudster network than it is to fit inside the scope of the bounty offer. "This exploit is out of bounds, you receive nothing, thanks for your time."


Or "This exploit is a duplicate report that we've known about for two years and still haven't gotten around to fixing."


Not to mention in this case you're likely giving up disclosure for under $10k before taxes.


Or just tell you "what bug? lol that never happened..."


Great way to alienate the hacking community. That would work only a small number of times before word spread not to bother even trying that company's disclosure program.


That's how we got here. This is the word.


But is it a fact, or just rumor?


It is fairly well known that certain large companies are really stingy.

I'm not into this, but I once discovered a kind of security-related bug (it could reveal details about the composition of a password typed into a new Windows 8 password field; admittedly low value, as you had to have the user type in the password and leave) and later found a more interesting issue in the way an official PowerShell module works with Azure Information Security that makes it possible to sneak a file through unencrypted.

On the first I got a nice thank you mail and on the last I struggled so hard to report it that I gave up.


Well, the question was why someone wouldn't use the company's disclosure program, so that's the point.


Have you ever tried to participate in a bug bounty program? I've tried a couple and the experience has been consistently disappointing, but maybe there are some better ones.


There is actually a post on Twitter from a bounty hunter who got awarded $7000 dollars or so from Twitter for ATO, and he puts that in relation now to what the adversaries are getting by exploiting things.

The point is that the bounty value of critical ATO-type vulnerabilities tends to be okay-ish, but relatively low compared to what black hats could get.

Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.


> a national intelligence organization could have caused orders of magnitude more havoc with this sort of access

It doesn't need much fantasy to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than i.e. crashing $TSLA or declaring a war.


Exactly, this was the bug bounty.
