No More Free-ish Bugs

There's a fresh conversation happening about the distinction between bug bounty programs and vulnerability disclosure programs.

This is an area where the distinction between a bug bounty program (cash or cash equivalent proactively offered to the public) and a vulnerability disclosure program (which can optionally offer a thank-you listing, swag, or some other non-financial gesture of thanks, but doesn't commit to this in advance) used to be very clear, but is now quite ambiguous.

So I'm the guy who sent the t-shirt out as a thank you.
By Ramses Martinez, Director, Yahoo Paranoids
So, I am the guy who started sending t-shirts as a thanks to people when they sent us a potential vulnerability issue. What an interesting 36 hours it has been :) Here's the story. When I first took over the team that works with the security commun…

This is a combination of term confusion, which started around that Yahoo post, and a sudden influx of participants who aren't having their expectations set correctly.

  • Offering Red Bull as a gimmick or optional gesture of thanks in the context of a VDP is appreciated, because participation in a VDP is completely voluntary, and any "thanks" is a bonus.
  • Substituting Red Bull for cash as an incentive and calling it a bug bounty program is not, because participation in a BBP is in exchange for the expectation of a reward, and a cash reward is expected.