Bug bounty research: hot or not - 13 Jul 2016

Here are some things I've recently been considering, mainly as a bug bounty researcher of 3-4 years. I have also seen the other side: how bugs are handled and triaged by the companies receiving them. I also want to share my own opinions on what I consider good or bad for the bug bounty community. My assumption is that everyone wants the bug bounty model to continue growing as an industry. It would also be cool for bug bounties to change opinions and make responsible disclosure and rewards the bog standard for all internet-connected systems and software. We are far from that yet.

Background information: Some older, well-known security folks in the community started complaining about a new Fiat Chrysler bug bounty having a top reward of $1500, and a few news articles then did the same, poking fun at this program for having low rewards and even going as far as saying things like "pay peanuts, get monkeys". Pretty cruel. A lot of us who actually make a living from bug bounties see things a bit differently.

Many of these old pros don't actively take part in bounty programs and are complaining about the reward prices because they're nowhere near a level that is interesting to them; they obviously value their time at much higher rates, as they have experience in the regular security industry. NEWSFLASH: Most companies can't afford to have experts in the security world test and fuzz their applications full time, nor are there probably enough experts to actually cover all code in the regular old industry. Why the hell would we expect that from bug bounties when they are so early into their growth? Rewards are increasing over time as all the low-hanging fruit and low-risk issues are being resolved. Bug bounties are not a magic solution that cures all security issues; it's a process.

The amount paid for a reward is entirely up to the company and is generally in line with its budget and how the company reckons it will handle the influx of submissions and issues. It's basically the simple budgeting that any company does before it tries something new. For these old hands to demand better REWARDS based on exploit market rates is a bit naive in my opinion and doesn't demonstrate understanding of how bug bounty programs are actually handled and implemented within companies. There is room for this to change and improve over time.

If a company says they will pay X amount for X type of issue, they are letting you know as a researcher that they will reward you X amount for the amount of work required to find that issue. It's not like old times: bug bounties are a new model that companies are deciding to try, one that is more focused on results. You of course should always be grateful for your reward, but no more so than you should be grateful for any payment you receive for doing work. Bug bounty participants I know generally choose to focus on the programs they can see themselves earning or benefiting from, using the responsible disclosure policies as a means of deciding where to spend their time. If you don't think the rewards suit your own expectations, you choose another program and focus on that; it's quite simple. I know plenty of researchers who would be willing to search for $1500 bugs, because they add up when you find a lot of them.

Hot: Pick your own target bug bounty program based on a combination of advertised rewards, scope and feedback from the community.
Not: Pick your target bug bounty based on how high the company is ranked on a Fortune 500 list, expect high rewards, and publicly slate the company if they don't meet your own standards or expectations. Also, complaining when a company you are already doing research for in your own time doesn't pay for it.

Hot: Submit your reports with clear reproduction steps and help or explanations, especially if requested by the team handling the issue.
Not: Submit your reports with the bare minimum of information, assuming the engineers are going to re-find the issue, then ask for updates on a regular basis (hourly, daily or weekly) until you get a response that essentially says "the issue is being handled but is less of a priority than other issues".

Hot: Patiently waiting for the issue to be resolved and getting rewarded what was set out by the program's disclosure policy.
Not: Ranting about the company publicly until they are forced or rushed to push through your issue, or doing the same when you don't get a reward as high as some completely unrelated company's bounty program.

Hot: Public disclosure is, and always has been, the fastest way to get issues patched. You won't get a reward for it, as you broke the responsible disclosure policy, but severe issues do mostly get patched quicker this way. Sometimes.
Not: Testing a company site you were not given permission to test without first agreeing to the disclosure policy. Public disclosure is generally not OK when the target is not a product you were sold or can use for free. Blackmail is a criminal offense.

Hot: Highlighting the shortcomings of a company's responsible disclosure policy and helping the company to develop and improve it, or simply raising concerns with a program when they do not stick to their own policy. Let the bounty community know when a public program is being blatantly false, while still exercising fairness on behalf of the company and giving them the benefit of the doubt.
Not: Highlighting the shortcomings of a bug bounty program publicly before you have taken part in it, or before you have given the company time to answer your queries.

Hot: Openly sharing your best reports where possible, and advising the program to highlight expected rewards for particular types of issues. This helps other researchers to see what they can expect from a program and how each individual bounty program generally operates.
Not: Whining or complaining publicly about a company without publicly sharing any of the actual details of the report or vulnerability.

Hot: Honesty, respect and patience. Always.
Not: Being a little millennial bollocks who feels entitled to everything and expects the world to bend to your comfort and benefit.

I feel that sometimes the worst things about infosec can shine through in the bug bounty community. We often have older, skilled and talented top security folk, whom most young students or researchers like myself look up to and respect, being very critical of this fairly new territory. This can negatively affect the behaviour of young participants, or dissuade people from taking part before they know how bounties work. I can definitely see the benefit of bug bounties. They are a great additional measure for fire-fighting security issues that any company can take; they are as good, if not better and cheaper, than penetration testing or security scanners in very different ways, and they are a good additional measure alongside those. Companies should look at how it could work for them with guidance from the platforms, or instead cautiously wander into the area on their own.

These are all my own opinions and not fully thought through; I wrote this in about half an hour, so expect me to be naive in areas. I partially make a living from bug bounties, so it's completely understandable why I want them to succeed. There is a fragility to how bug bounties are perceived in the business world that we as a community must work towards overcoming. This way, more organisations may decide to take part. They do work, and they are going to work if we all try to make them work. All it requires is for us not to be a bunch of hacker assholes who no company wants to deal with.