Ask HN: How to price a responsibly-disclosed bug bounty?

4 points by seancoleman 5 years ago | 1 comment

I'm consulting with a small, bootstrapped company, and a security researcher responsibly disclosed an extremely serious issue that leaked root database credentials. Based on the vulnerability, I doubt this researcher spent a ton of time discovering the exploit, but the value to the company is (obviously) tremendous.

I want to formally recommend a reward amount, but I know the company doesn't have much free cash. There is no bug bounty program in place. How do you go about thinking through pricing, especially for a non-BigCo? Thanks!

mtmail 5 years ago |

https://docs.hackerone.com/programs/bounty-tables.html

The large amounts you read about by big companies can hardly be matched my small companies. And rarely reflects the damage it could cause. Our maximum amount is US$1000 currently. We (https://opencagedata.com/security-bounty) get regular reports where high or critical severity is claimed but maybe that's only to get our attention. No report so far justified the full amount. We learned what is much appreciated is fast payout.

In https://blog.assetnote.io/2020/09/15/hacking-on-bug-bounties... you see 'full account takeover' listed as US$300 and 'Critical issues on [redacted] (database credentials, entire application source code leaked and SQLi)' at US$800.