Bug Bounty and Responsible Disclosure

By Davy Rogers

Found a bug in someone's app? Report it ethically. Run a programme? Make it easy to.

Finding a vulnerability in someone else's system puts you at a fork. Handled well, responsible disclosure protects users, builds your reputation, and sometimes pays. Handled badly, the same finding gets you banned or sued. The core idea is simple: report the bug to the people who can fix it, and give them a fair window to do so before anything goes public. This lesson covers both sides of that, because most engineers end up on both: finding bugs in others' software, and receiving reports about their own.

Choosing how to disclose

ApproachWhen it fits
PrivateThe default. Report, then wait.
CoordinatedThe vendor is slow; you set a deadline, commonly 90 days.
Full disclosureA last resort, after extended silence.
Bug bountyWhen the organisation runs a programme.

Finding who to tell

Look in the obvious places first: /.well-known/security.txt, a [email protected] address, a HackerOne or Bugcrowd page. If none exist, CERT/CC can coordinate on your behalf.

What "responsible" actually means

The ethics here are concrete, not vague. Stay on the right side of all of these:

  1. Discover within legal scope.
  2. Document with clear reproduction steps.
  3. Report through the preferred channel.
  4. Wait for acknowledgement.
  5. Don't exploit beyond what's needed to demonstrate the bug.
  6. Don't access real users' data.
  7. Don't disclose before the agreed timeline.

If you're chasing bounties

Read the scope before you touch anything. Testing outside it isn't a technicality, it can mean a ban or legal action. Rough bounty ranges, so you know what's at stake:

  • Critical: $5k to $100k or more
  • High: $1k to $15k
  • Medium: $500 to $5k
  • Low: $100 to $1k

A good report has a clear title, a one-line summary, a severity, reproduction steps, a proof-of-concept request and response, the real-world impact, and a suggested fix. The reports that get ignored share the same flaws: no reproduction steps, raw scanner output nobody verified, out-of-scope targets, excessive drama, and testing against real user data.

If you're the one receiving reports

Make it easy for a researcher to do the right thing, because the alternative is them going public or staying quiet while the bug sits open:

  1. Publish a /.well-known/security.txt.
  2. Write a disclosure policy that states the scope and offers safe harbour.
  3. Set up a secure channel to receive reports.
  4. Acknowledge within a day, triage within three.

That safe harbour clause matters more than it looks: "We will not pursue legal action against good-faith researchers" is what turns a nervous finder into a cooperative one. Respect scope when you're testing, and offer scope and safe harbour when you're the one being tested.