No offense will be taken if this thread gets deleted. This data is now being stored in a Google spreadsheet: https://docs.google.com/spreadsheets/d/1ovzdpsEjGTplUC2kaUaMZcXRJzaM9FmnMX5NGXl0cyo/edit?usp=sharing. The purpose of this thread is to track how companies with or without bounty programs respond to bug reports, how long it takes them to respond, what type of response they give, what type of bugs they don’t want, and what areas they want focused on the most. Some programs will say they want a certain bug, but when you report it, they say they don’t want that type of bug.
What no one wants to see on this thread are vulnerabilities in sites that aren’t patched and you aren’t supposed to talk about them. This is an attempt at generalizing, and if the bounty has rules where you can’t talk about it at all, then please don’t write about it here.
[quote=“planetzuda, post:2, topic:160, full:true”]
What no one wants to see on this thread are vulnerabilities in sites that aren’t patched and you aren’t supposed to talk about them. [/quote]
Yeah, that’s basically the main rule regarding bounty programs. For now, we’re asking that people not post program/company specifics about vulnerabilities they’re working on or they’ve reported, unless otherwise cleared with the company/program you’re working with. Generally speaking, please follow any bounty program rules for those companies that you’re working with.
Nice thread to have started. I’ll share my experience with the Yandex bug bounty program.
Yandex’s bounty program is well known, and Yandex was perhaps one of the first Russian companies to start a bug bounty program.
Last year, I reported a vulnerability to Yandex, including a video screenshot. Two weeks later, they contacted me saying that they were not able to reproduce it, and asked me to test the issue against the .ru domain. When I checked that day, I found that the issue had been fixed. I contacted them, and they denied having made any changes.
Then I started searching for researchers’ opinions about the Yandex bug bounty program, and I found that a researcher named Rafay Baloch had posted a blog post about his experience with the program. Yandex’s response to a researcher named George Noseevich in that post was the same response I got.
I am not encouraging/discouraging anyone from participating in the Yandex bounty program, I am just sharing my experience with it.
Our experience with Yandex has been similar to yours. Another bug bounty that was discontinued late last year is giftcards.com. We found a bug in 2013 and they said they were going to fix it in December of 2013. The issue still hasn’t been fixed. It has a CVSS score of 7.1. They closed their bounty program in December of 2014, because they got too many bug reports. The bug we found isn’t one we write about, but report a lot. My company doesn’t write about a lot of stuff.
Template Monster apparently has their marketing team vet bug reports, or at least reply to those who reported them. They aren’t interested in bug reports, or at least not the report we sent in. Update: they said they weren’t going to fix a bug, but they did anyway…
I have a good amount of this on my blog: http://randywestergren.com/
Some pretty high profile companies have responded very well. Verizon even has a formal process now: http://www.verizon.com/info/reportsecurityissue/?c=1
@rwestergren, it’d be nice if you could put a list of how companies responded on this thread. Your site is nice, but it takes time to go through all of your findings to see which company responded well and which didn’t.
The Wall Street Journal does not want help with its security and is hard to contact.
GoDaddy responds well, that is, if you contact the security department. MailPoet, a plugin for WordPress, responds well and has an unofficial bounty: http://www.mailpoet.com/contact/. Magento responds well, that is, if you are able to explain really well what the impact of the bug is. If you just give Magento the reproduction steps they may say it isn’t a problem. You have to really explain how it is dangerous.
@planetzuda, I really don’t think an ongoing thread is a good place for this data. Maybe a spreadsheet, or something Bugcrowd could handle, i.e. experiences contacting companies, successful contact methods used, comments etc.
@rwestergren Maybe someone could create a Google Spreadsheet or something? Someone could create it, then create a new thread with the link to the doc at the top? Or something?
@SamHouston Okay, done and edited the first post. I’ll be porting everything over. https://docs.google.com/spreadsheets/d/1ovzdpsEjGTplUC2kaUaMZcXRJzaM9FmnMX5NGXl0cyo/edit?usp=sharing
My experience with Yandex is bad as well. I reported a valid vulnerability last September (2014); it is fixed now and I am still waiting for the payment, which doesn’t go through even though my bank details are correct (they don’t use PayPal).