KolmogorovComp 6 hours ago
Unfortunately this isn't all black-and-white. There are some bug bounties where the company is very eager not to pay any bounty, aggressively marking vulnerabilities as out-of-scope or working-as-intended. In those cases you already lose time, but in the future you would also lose money. Unfortunately you don't know how a company will react before submitting, especially if it's a small one.
malfist 5 hours ago | parent | next
It already doesn't stand on face value. These people are spending money to open PRs via their token costs.
Kwpolska 5 hours ago | parent | prev
I think it would be fair to distinguish "reasonable report, but not actually a vulnerability" (where you get the submission fee back) and "slop" (where you don't).