Dear fellow hackers,
a question came to mind which I am not sure I've read an answer to before. It's about Bug Crowd and other similar bounty websites.
If I find a vulnerability in a target which is valid and can be exploited for malicious purposes, but the bounty lists it as out of scope, do I have the right to publicly disclose it (let's say on my blog) as a 0day? What if I first report it and they mark it as "won't fix" / "out of scope" (since it truly is out of scope)? Do I then have the right to report it?
This is a question that has been asked before in the forums yet it got no replies. With the current state of things, chances are you won’t get paid or receive Kudos points and you may even lose reputation / points like the researcher above.
I will try to limit this topic to this specific situation and not broaden it with questions like "What should be in scope?" or "Should everything be in scope?".
What do you fellow researchers think about that?
P.S.: Yes, I’m asking this because it just happened to me…