


Question

After finding a vulnerability in a program, one can submit it to a bounty program, such as ZDI. According to ZDI's website, they will examine the vulnerability and possibly offer a bounty. If the researcher does not accept the offer, they promise not to use the vulnerability information. However, I guess some people might not completely trust the bounty program and would like to provide limited information in their submission.

My question is, what is the general practice for providing information to, or negotiating with, a bounty program? I am thinking about providing the software version, the OS version, a general description of the vulnerability and some proof, such as the information at the time of the crash and the analysis results from tools like !exploitable Crash Analyzer. However, although a bounty program such as ZDI encourages the researcher to submit a PoC, the PoC will basically disclose the vulnerability entirely. Thus, the PoC will not be included, at least in the initial submission.

Please provide your answers and comments regarding this issue. Thank you!

Explanation / Answer

Generally with bounty programs, the more information you can provide, the more likely they are to pay out the bounty. Unfortunately, the quality of many of the exploits submitted can be very low; for instance, I know of a bounty program for a website that frequently receives warnings that JavaScript was viewable in the user's web browser.

So, the best advice, assuming you have no reason to keep the vulnerability secret, is to submit the PoC and as much information as possible to maximize the possibility of a payout.
