Vulnerability Disclosure, Free Bug Reports & Being a Greedy Bastard


Most of my life I’ve been frustrated/intrigued that my Dad was constantly upset that he would “do the right thing” by people and in return people wouldn’t show him gratitude… up to straight up fucking him over in return. Over and over the same cycle would repeat of him doing right by someone only to have that person not reciprocate.

The above is important as it relates to the rest of the post and topic(s).

I was relaying some frustrations to a close non-infosec friend about my experience of discovering companies had made some fairly serious Internet security uh ohs… like misconfigured S3 buckets full of db backups and creds, root AWS keys checked into GitHub, or Slack tokens checked into GitHub/Pastebin that would give companies a “REALLY bad day”. These companies had been receptive to the reporting and fixed the problem but did NOT have bug bounty programs and thus did not pay a bounty for the reporting of the issue.

My friend, with some great insight and observation, suggested that I was getting frustrated and doing exactly the same thing my Dad was doing by having assumptions on how other people should behave.

So this blog post is an attempt for me to work thru some of these issues and have a discussion about the topics.

Questions I don’t necessarily have answers for:

1. Does a vulnerability I wasn’t asked to find have value?

2. If someone outside your company reports an issue and you fix it, does that issue/report now have value/deserve to be paid for (bug bounty)?

3a. If #1 or #2 is Yes, when a business doesn’t have a Bug Bounty program, are they morally/ethically/peer pressure obligated to pay something?  If they have a BB program I think most people agree yes. But what about when they don’t?

3b. Does the size of the business make a difference? If so, what level?  mom and pop maybe not, VC funded startup?  30 billion dollar Hedge Fund?

4. Is a “Thanks Bro!” enough or have we evolved as a society where basically everything deserves some sort of monetary reward? After being an observer for two BB programs… “f**k you pay me” seems to be the current attitude. If they did a public “Thanks Bro” does that make a difference/satisfy my ego?

5a. Is “making the Internet safer” enough of a reward?

5b. Does a company with an open S3 bucket make the Internet less safe? Does a company leaking client data make the Internet less safe? [I think Yes]
Does a company leaking their OWN data make the Internet less safe? [It’s good for their competitors]

If they get ransomware’d or their EC2 infra shut down/turned off/deleted codespaces style, am I somewhat (morally) responsible if I didn’t report it?

6. Does ignoring a pretty significant issue for a company make me a “bad person”?

7a. Am I a “bad person” if I want $$$ for reporting the issue?

7b. If yes, is that because I make $X and I’m being a greedy bastard? What if I made way less money?

7c. Does ignoring/not reporting an issue because I probably won’t get $$ make me a “bad person”? (Numbers 1-3 come into play here for sure.)

My last two jobs, I’ve worked for companies that had Bug Bounty programs, so my opinion on the above is DEFINITELY shaped by working for companies that get it, understand and care about their security posture, and do feel that reporting of security issues by outside researchers has monetary value. An added benefit of having a program, especially through one of the BB vendors, is that you get to NDA the researchers and you get to control disclosure.

Thoughts/comments VERY welcome on this one. Leaving comments seems out of style now but I do have open DMs on Twitter if you want to go that route. I have a few real world experiences with this where I let some companies know some pretty serious stuff (Slack token with access to corp Slack, S3 buckets with creds/db backups, and root AWS keys checked into GitHub for weeks) where it was fixed with no drama but no bounty paid.


This is a Security Bloggers Network syndicated blog post authored by CG. Read the original post at: Carnal0wnage & Attack Research Blog