Before Spending your time on Responsible Disclosure Programs
I find a program having responsible disclosure policy and after selecting I spend my time and effort on searching for vulnerabilities and reported them But they aren’t even replying to my mail. Have you ever experienced such problem?
This is most useful for beginners, since most are looking for companies having responsible disclosure programs so that it’s not much hard to find a vulnerable part when comparing with a program on platforms like Hackerone, Bugcrowd, Intigriti, etc. Because you know in these platforms there are a ton of awesome hackers and the competition is comparatively high. New hackers take time to get a private invitation from there.
For those who don’t know about Responsible disclosure programs
There are many companies who also need to make a secure environment for their customers. Somehow they might not be able to invest much money into that, so they can’t afford public bug bounty platforms and so they will conduct their own responsible disclosure programs. If a company having responsible disclosure program you can find it easily by googling “company.com responsible disclosure” so you will find they some of them will pay you bounties, some give swags and some Hall Of Fames. In the page there they will show you how to report a problem and what are the rewards etc.
The difference between Public bug bounty platforms and Responsible disclosure programs is that: We are sure that we will get an update after a time and can see every updates regarding the report on the submissions page of Bug bounty Platforms, but in most case of responsible disclosure programs is that we are sending them a mail having our report and we don’t sure they will reply us ( most of them will give you responses ). That’s a problem actually. If you find a critical bug by taking much effort and after reporting no response? What ??? what can we do.
Personally I come across many site’s having responsible disclosure program are not responding to vulnerability reports. It’s demotivating for me.
So now I follow this
- Find the responsible disclosure programs
- Find too easy bugs such as missing headers, SPF etc.
- Report them
- Find another program and do the same
- If they respond to my report, I know they are good and then I invest my time on that program and try to find good bugs.
- If they aren’t responding after a while then won’t look into that program any more. Why should we invest sell our time and effort to someone who don’t care about that.
Here 99% of programs won’t accept SPF and such things, but in my case it helped me to understand responding programs and the others. We need to make sure they value us.
Better thing is to find bugs on bug bounty platforms, but for my case I thought it will be better if I practice and learn more with responsible disclosure programs and then move into those platform so that we can find good bugs.
I hope this help atleast one person. Thank you for reading this
Ping me on twitter : iam_j0ker