I've finally decided that I'm now only going to do disclosures via bug bounties. It's not a decision I have taken lightly, but one I've ultimately settled on, and unfortunately the reasons I've ended up in this position are not good news.
So I initially planned on trying to be the nice guy and to avoid any financial gain from my disclosures. I wanted to help make the online community a safer place, and to help companies in any way I could to resolve any security issues I stumbled upon. Instead I've been met with what can only be termed frustration and disappointment.
Over the course of the past year I've found around 5 issues (some still to be disclosed, others which I have not disclosed at all other than to the vendor). Anyone hazard a guess how many thank-yous I've received as a result? ZERO! Worse yet, I received no feedback as to whether the issue was resolved or not (it was either not resolved or silently resolved). And many of these have been with large organizations.
Move to Bug Bounties
In the past I blogged about how companies should do their fair share when it comes to responsible disclosure. At the time I hoped that things would improve, but unfortunately that has not been the case. In fact there have been several cases where researchers who have tried to do the right thing have either had the police called on them, or had a lawsuit filed against them. Now I'm sure that there are companies out there who would welcome these responsible security disclosures, but I've yet to come across any. Most frustrating of all, I'm doing all of this in my own time, with my own resources, at my own expense.
So given the past experiences and incidents of researchers being hounded, I've decided to instead use a platform which would at least protect me legally, as well as gain some financial reward for the time and effort I spend on finding the issue, investigating it, reporting it and finally helping resolve it.
I would have really loved to continue to do this off my own back, entirely voluntarily; however, it simply was not working out. The good news is that I have other things planned where I'm hoping to give back to the community entirely voluntarily.