No More Free-ish Bugs

there's a fresh conversation happening at the moment about this. This is an area where the distinction between a bug bounty program (cash or cash equivalent proactively offered to the public) and a vulnerability disclosure program (which can optionally offer a thank-you listing, swag, or some other non-financial gesture of thanks, but doesn't commit to this in advance) used to be very clear, but is now quite ambiguous.

Linked post: "So I'm the guy who sent the t-shirt out as a thank you." By Ramses Martinez, Director, Yahoo Paranoids: "So, I am the guy who started sending t-shirts as a thanks to people when they sent us a potential vulnerability issue. What an interesting 36 hours it has been :) Here's the story. When I first took over the team that works with the security commun…"

this is a combination of term confusion (which started around here: https://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you... cc: @shin_ken1) and a sudden influx of participants whose expectations aren't being set correctly.

offering Red Bull as a gimmick or optional gesture of thanks in the context of a vdp is appreciated, because participation in a vdp is completely voluntary and any "thanks" is a bonus

vs

substituting Red Bull for cash as an incentive and calling it a bug bounty program is not, because participation in a bbp is in exchange for an expected reward, and that reward is expected to be cash.