Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
indianmouse 3 days ago

This is exactly how bug bounty hunters are being exploited for.

Though it is on the good side about disclosure, calculate how much financial, reputation impact, negative publicity would cost the company and settle for a fair price and not a measly sum of 1k EUR.

It is a huge red flag to keep it under the radar if they think the impact is going to be high. I'm sure it is high and that's the reason they want to keep it undisclosed while they silently patch it.

One question: Was the discovery part of a bug bounty program? Or you stumbled upon it without any actual request? I'm trying to see the legal angle that might get down played there if you do not have the authorization to look at it.

Being ethical is the only advantage I see if that is the case. Else, you should negotiate and demand a fair price and go for a public disclosure which will cause more harm than good for them.

Everything has a price. Nothing in this world is free. Contact some good lawyer.

Don't ever sign an NDA without vetting it out with a good lawyer. Fine prints matter a lot.

As some of the fellow HNs mentioned, they will probably be looking at a huge impact and the reason for the NDA and a low sum as a token appreciation. They think they can buy their way being a corporate, any my advice would be to talk to some lawyers or contact a non-profit to help sort things out.

Probably you could donate a % to them if you get a good amount.

Hope you get what you deserve.

deep_thinker26 3 days ago | parent [-]

Thanks for the thoughtful reply — really appreciate it.

I actually stumbled upon the vulnerability without any prior request. They don’t have an active bug bounty program, and the Head of IT Security I’m in touch with mentioned they don’t have dedicated funds for security researchers — which is hard to believe for a company with a £200M+ market cap.

I’ll definitely dig a bit deeper into the legal side.

Based on all the suggestions here, I’m leaning toward quoting them a fair amount considering the impact. If they don’t agree, I’ll likely reject the NDA and do a public write-up after a reasonable disclosure window.

One thing I forgot to mention earlier as of today — the vulnerability is fixed (I reported it around 3 weeks ago), not sure if that changes anything leverage wise.