Rant about how @Bugcrowd and @Hacker0x01 set up their platforms to let vendors who host private programs abuse researchers. Entirely based on a true story with @Bugcrowd in my case. This is for my #bugbounty friends out there. 1/n
Let's say you are a researcher invited to a private program. You spend 10-20 hours looking for vulnerabilities and you finally find one! You report it to the vendor and... they say it's not applicable. 2/n
You still think it's a serious vulnerability. You try to use the platform's "mediation" feature to work with the vendor. The problem? At the end of the day, the vendor has the final say on whether or not it's a vulnerability. 3/n
This means that if the vendor wanted to, they could stonewall a legitimate vulnerability in mediation and there is nothing you could do. At this point, you've wasted 20-30 hours on a single bug that isn't considered a vulnerability. 4/n
Since you're positive it's a security issue, you tell the platform you're going to publicly disclose this feature. But guess what? That's against the confidentiality agreement for the platform! 5/n
You might read this policy and see that it only covers actual vulnerabilities. You ask the platform why they are preventing you from disclosing a non-security issue and what do they do? They threaten to remove you from future invites and programs. 6/n
This was a direct quote from a senior @Bugcrowd when I mentioned if mediation with the vendor was unsuccessful, I would disclose the issue the vendor themselves claim is not a vulnerability. 7/n
Why not let the public decide if it's actually a vulnerability? Why would they prevent you from talking about features? Ah, because they're "running a business" and "the process is what it is" (direct quotes)... 🤣 8/n
If the vendor says a reported bug is not a vulnerability, why do they have any claim over maintaining confidentiality on the non-issue? It's a feature, not a bug, according to the vendor. 9/n
It's not like you could warn other researchers. You can't even talk about the existence of private programs. There is quite literally no recourse for abusive vendors, because these confidentiality agreements are designed in a way to *always favor the vendor*. 10/n
What am I going to do in my case? I'm still trying to work it out with @Bugcrowd, but if we don't come to an agreement, I will be disclosing the issues I consider vulnerabilities that the vendor has said are not a bug. 11/n
It's very likely that @Bugcrowd will punish me and intentionally reduce the number of private programs I am invited to, but I don't stand for maliciously uncooperative vendors or the platforms that support them, even with threats against one of my income sources. 12/n
I don't typically like public shaming because I believe in trying to work collaboratively to make the system better for everyone. I have tried for *years* to internally resolve these unfair confidentiality agreements, but it's mostly been just talk from the platform-side. 13/n
To be completely fair, although I used my personal experiences with @Bugcrowd as an example, this same exact issue is present on @Hacker0x01 as well. Disagree? Tell me why! I'd love to hear your personal experiences or why you think I'm wrong. 14/14