Monday, April 17, 2023

Always check for a bounty program beforehand

from here and here

I'm not saying there's anything wrong with wanting something in return for your efforts, but be honest about your motivations and take the time to learn how the bounty process actually works. Don't assume every company hands out bug bounties, because most don't, and if the company in question has no program, it's best not to mention payment at all.

Frankly, when you approach a company with a report that sets a deadline to act and demands payment they never agreed to, quite a few are going to read it as some sort of shakedown or blackmail. One of the best indicators that a company won't react that way is that it already has a documented bug bounty program.