Self-hosted bug bounty programs that are "scammy" or unethical

pdelteil/scammy-bbp

scammy-bbp

Bug bounty programs that are "scammy" or unethical promise rewards to researchers for identifying security flaws, but then either delay payments, don't pay at all, or misuse the disclosed vulnerabilities.

Signs of a Potentially Scammy Bug Bounty Program:

  • Unclear Terms and Conditions: Programs that don't clearly specify what vulnerabilities qualify for rewards or the amount of the reward.
  • No Transparent Payment Structure: Lack of details about payment timelines, payout methods, or cases where people report not getting paid.
  • Little to No Community Feedback: Lack of reputation or negative reviews from the infosec community.

Hits: number of reports of the program being scammy

| Program Name | Issues Reported | Platform | Source | Hits |
|---|---|---|---|---|
| Standard.com | No rewards [1] | Self hosted | Trusted hacker | 1 |
| H&M | No rewards [1] | Self hosted | Trusted hacker | 2 |
| Celonis | Ignored reports [2] | Self hosted | Trusted hacker | 1 |
| TataPlay | Automated Response, then no response | Self hosted | Trusted Hacker | 1 |
| Synack | Reward Gatekeepers [10] | Self hosted | Trusted Hacker | 1 |
| Zeiss | Ignored reports [2] | Self hosted | Trusted hacker | 1 |
| Alefed | No impact but fixed [3] | Self hosted + YesWeHack | Trusted hacker | 1 |
| Cex.io | Failed to pay [4] | Self hosted | Trusted hacker | 1 |
| Roche | Patch & Pass [5]; Duplicate Disguise [7]; Duplicate Mirage [8]; Smokescreen Smackdown [12] | Self hosted | Trusted Hacker | 2 |
| Zopa | Scope Surprise! [9] | Self hosted | Trusted hacker | 1 |
| Atos | Bounty Roulette [11] | Self hosted | Trusted hacker | 1 |
| LuminPDF | No impact but fixed [3] | Self hosted | Trusted hacker | 1 |
| ItsLearning | Fixed and Ignored Reports [2] | Self hosted | Trusted Hacker | 1 |
| Resortdata | Fixed and Ignored Reports [2] | Self hosted | Trusted Hacker | 1 |
| Scalr | No impact but fixed [3] | Self hosted | Trusted Hacker | 1 |
| Zynga | Fixed and Ignored Reports [2] | Self hosted | Trusted Hacker | 1 |
| Microsoft | Fixed and Ignored Reports [2] | Self hosted | Trusted Hacker | 2 |

Hackerone

The inputs for this section are public reports and writeups made by researchers.

| Program Name | Report | Problems | Discussion |
|---|---|---|---|
| Hackerone | 2180521 | CVSS magic | #9 |
| Zendesk | URL | Sacred Out of Scope | #10 |

Details

  • [1] No rewards: They promise rewards for reports in their program, but fail to pay them. Sometimes they just say they stopped paying rewards or they can't do it anymore.
  • [2] Ignored reports: They never replied to the researcher ("never" meaning more than 2 months and counting).
  • [3] No impact but fixed: Bug triaged as CVSS 0, no impact or similar, but fixed anyway.
  • [4] Failed to pay: Agreed to pay a bounty but never did, often ignoring follow-up emails.
  • [5] Patch & Pass: They fix reported bugs but mark them as out of scope.
  • [6] P1 or You're Out: They won't invite you to their private program unless you report a P1/High bug.
  • [7] Duplicate Disguise: They mark reports as duplicates when the bugs are very unlikely to have been reported before.
  • [8] Duplicate Mirage: They mark all (future) reports as duplicates without having the full list of domains.
  • [9] Scope Surprise!: They define what is in scope and out of scope after you send the report; they don't write it down in their program brief.
  • [10] Reward Gatekeepers: They will pay a reward only if you have an account on their site (which might be very difficult to get).
  • [11] Bounty Roulette: Not clear if they pay bounties or not.
  • [12] Smokescreen Smackdown: When a company tries to damage the reputation of a reporter.
