Need Help – Company Shut Down Bug Bounty Program After Fixing My 10 Reported Bugs Without Reward

I reported 10 valid bugs including SQL Injection and account takeover to a company running a public bug bounty program. Initially, they acknowledged the reports and later fixed all the issues. But instead of rewarding or crediting me, they gave excuses and rejected them. Shortly after, they shut down their bug bounty program entirely.

There’s no official body to protect bug hunters in such cases.

If there is someone who can help me with this situation, please reply.

Unfortunately, this will happen. The best you can do is keep all of those cases in your portfolio to show your expertise to others and move on.

Do not get discouraged as they are the one missing out.

Keep up the great work and you will be rewarded in the future by someone else who will recognize and appreciate your hard work.

Can’t you sue them for this? They would probably settle, I imagine.

Hi @userx - just checking in. Did you find any resolution? We have resources on handling these situations at https://disclose.io/resources. Happy to connect you with community members who have navigated similar issues.

That page is not available.

Sorry about that broken link, @userx — we’ve updated our site and that page no longer exists. Here are some things that might help with your situation:

  • If the company’s bug bounty was hosted on a platform (HackerOne, Bugcrowd, etc.), you can raise a mediation request through that platform directly
  • Document everything — screenshots of the program scope, your submissions, and their acknowledgments are valuable if you ever need to escalate
  • Our docs on key objectives cover safe harbor principles that programs should follow

Unfortunately there’s no formal enforcement body for bug bounty disputes, but having a paper trail matters. Let us know if you need anything else.