Somehow I didn’t see the Soatok vs. Bugcrowd story (https://twitter.com/SoatokDhole/status/1536765180645974016) when it happened. Frankly, it doesn’t surprise me in the least. Bug bounty platforms currently have two goals:
1. Reduce the effort for vendors
2. Reduce PR damage from disclosures
Keeping the vendor’s customers secure is not on the list.
The first one means that vulnerability reports usually aren’t handled by developers but rather by staff of the bug bounty platform who have no deeper knowledge of the product. Hence they must rely on researchers to prove the impact exactly, ideally via a proof of concept.
This is great for the company: they have to “waste” less developer time on handling security reports. Instead, this approach shifts the burden onto security researchers. But hey, they are being paid for it, right?
The customers are the ones losing out, of course. Bug bounty platforms disincentivize reporting issues which might be considered minor. They also disincentivize reporting out-of-the-box issues. So bug bounty reports will concentrate on obvious targets. https://palant.info/2017/10/04/observations-on-managed-bug-bounty-programs/
And of course bug bounty platforms will retaliate against “unauthorized” disclosure. Their customer is the vendor after all, and they hired them to avoid bad PR. The vendor doesn’t like being called out if they dismiss a valid vulnerability or take years to fix.
For reference: these are largely the reasons why I stopped using bug bounty platforms years ago. I do security research with the goal of making users more secure. For that I need to evaluate the entire attack surface, and disclosure deadlines aren’t optional either.