Isn’t it bad behavior when a bug is flagged “won’t fix” and then the company fixes it without a reward?
–> Yes, though sometimes it isn’t a matter of the issue being intentionally fixed later, but the developers changing something else in the application that happens to remove the issue. A regression that results in a security fix as it were. In which case it can’t hurt to send email and ask about your bug report.
Isn’t it bad behavior to remove a file after a researcher spent hours upon hours doing research, so you can save money?
–> Patching bugs before the full repro/report is complete is definitely not promoting a healthy partnership with the security researchers that submit bugs to the program. Researchers submit bugs to bounty programs as quickly as possible so they are first to report, but also because the goal is to secure customers quickly. Sometimes a researcher will have a moderate bug that they are still working on POC code to exploit at a more critical level. If they have communicated this to the customer and the customer doesn’t give them reasonable time to finish their POC, that is creating ill-will with the researcher. On the other hand… what is reasonable? Highly motivated customers want to fix bugs as quickly as possible, so asking them to leave a vulnerability un-patched for an indeterminate amount of time so the researcher can continue POC exploit development isn’t reasonable either. So I guess the answer here for both sides is to try to work together and do the right thing. And if you’re on one of Bugcrowd’s customer programs, we’ll help where we can in facilitating that communication.
Isn’t it bad behavior to flag something as invalid when it is clearly defined in-scope and can be used against your company?
–> In-scope security vulnerabilities are in scope. If the scope is not defined precisely enough, that is not the researcher’s fault; they worked in good faith. We encourage customers to reward if a valid in-scope bug is reported that results in a code change, and then, if necessary, to update their brief to more explicitly include or exclude those sorts of issues in the future.
tl;dr - YES! Neither side of the offense/defense equation is always perfectly behaved. Researchers that submit low-impact bugs/best-practice findings and then hound the customer for hall of fame credit exist, while companies that don’t treat researchers respectfully are going to have a failing program, where the best researchers refuse to work with them.
This is why my job is all about building bridges and seeking balance.