Skip to content

Latest commit

 

History

History
56 lines (45 loc) · 5.2 KB

README.md

File metadata and controls

56 lines (45 loc) · 5.2 KB

scammy-bbp

Bug bounty programs that are "scammy" or unethical can sometimes involve promising rewards to researchers for identifying security flaws, but either delay payments, don't pay at all, or misuse the disclosed vulnerabilities.

Signs of a Potentially Scammy Bug Bounty Program:

  • Unclear Terms and Conditions: Programs that don't clearly specify what vulnerabilities qualify for rewards or the amount of the reward.
  • No Transparent Payment Structure: Lack of details about payment timelines, payout methods, or cases where people report not getting paid.
  • Little to No Community Feedback: Lack of reputation or negative reviews from the infosec community.

Hits: # of reports of being scammy

Program Name Issues Reported Platform Source Hits
Standard.com No rewards1 Self hosted Trusted hacker 1
H&M No rewards1 Self hosted Trusted hacker 2
Celonis Ignored reports2 Self hosted Trusted hacker 1
TataPlay Automated Response, then no response Self hosted Trusted Hacker 1
Synack Reward Gatekeepers10 Self hosted Trusted Hacker 1
Zeiss Ignored reports2 Self hosted Trusted hacker 1
Alefed No impact but fixed3 Self hosted+YesWeHack Trusted hacker 1
Cex.io Failed to pay4 Self hosted Trusted hacker 1
Roche Patch & Pass5
Duplicate Disguise7
Duplicate Mirage8
Smokescreen Smackdown12
Self hosted Trusted Hacker 2
Zopa Scope Surprise!9 Self hosted Trusted hacker 1
Atos Bounty Roulette11 Self hosted Trusted hacker 1
LuminPDF No impact but fixed3 Self hosted Trusted hacker 1
ItsLearning Fixed and Ignored Reports2 Self hosted Trusted Hacker 1
Resortdata Fixed and Ignored Reports2 Self hosted Trusted Hacker 1
Scalr No impact but fixed3 Self hosted Trusted Hacker 1
Zynga Fixed and Ignored Reports2 Self hosted Trusted Hacker 1
Microsoft Fixed and Ignored Reports2
Self hosted Trusted Hacker 2

Hackerone

The input for this section are public reports and writeups made by researchers.

Program Name Report Problems Discussion
Hackerone 2180521 CVSS magic #9
Zendesk URL Sacred Out of Scope #10

Details

  • 1No rewards: They promise rewards for reports in their program, but fail to pay them. Sometimes they just say they stopped paying rewards or they can't do it anymore.
  • 2Ignored reports: They never replied back to researcher. Never > 2 months and counting.
  • 3No impact but fixed: Bug triaged as CVSS 0, no impact or similar but fixed anyways.
  • 4Failed to pay: Agreed to pay a bounty but never accomplished it. Often ignoring follow-up emails.
  • 5Patch & Pass: They fix reported bugs but mark them as Out of scope.
  • 6P1 or You're Out: They won't invite you to their private program unless you report a P1/High bug.
  • 7Duplicate Disguise: They mark reports as duplicated when they are very unlikely to be reported before.
  • 8Duplicate Mirage: They mark all (future) reports as dups without having the full list of domains.
  • 9Scope Surprise!: They define their Inscope and Outscope after you send the report, they dont write down in their program brief.
  • 10Reward Gatekeepers: They will pay a reward only if you have an account in their site (which might very difficult to get).
  • 11Bounty Roulette: Not clear if they pay bounties or not
  • 12Smokescreen Smackdown: When a company tries to damage the reputation of a reporter.