Ask HN: How to respond to compensation request to reveal security vulnerability

Ask HN: How to respond to compensation request to reveal security vulnerability

2 by CSMastermind | 3 comments on Hacker News.

You're a small startup and someone claiming to be a bug bounty hunter cold reaches out to you to say they've discovered a critical security vulnerability on your website. They want to know if you have a bug bounty program and what type of reward they'll receive if they disclose it to you. Being a small startup, you don't have any formal program and cash is tight, but you want to take the report seriously if there is some critical vulnerability in your application. What's the right way to respond to this type of reach out?



Comments

Post a Comment

Popular posts from this blog

Intentional dark pattern by Coinbase or just terrible UI?

Intentional dark pattern by Coinbase or just terrible UI? 2 by jjeaff | 0 comments on Hacker News. I recently needed to check a past transfer to confirm that I was sending some crypto to the same wallet address. In the past, the last few transactions showed up on the "Pay" page. They have since renamed "Pay" to Transfers or something like that. They no longer show past transactions, so I went down a rabbit hole of searching through the app, couldn't find it, then had to google it and found a help page for Coinbase. There is a link in the article to coinbase.com/reports (I can find no way to get to it from the web app except by following the link from the help article.) Once there, you can select the date ranges you want and generate a transaction report in PDF or CSV and then you have to wait a bit while it generates the report for you to download. What kind of UI craziness is this? A user's transaction history is such a basic feature, I can't imagine c...
Read more