zlacker

[parent] [thread] 7 comments
1. jamess+(OP)[view] [source] 2025-06-24 18:51:04
Their success rates on HackerOne seem widely varying.

  22/24 (Valid / Closed) for Walt Disney

  3/43 (Valid / Closed) for AT&T
replies(2): >>thauma+F >>pclmul+mi
2. thauma+F[view] [source] 2025-06-24 18:53:56
>>jamess+(OP)
> Their success rate on HackerOne seems widely varying.

Some of that is likely down to company policies; Snapchat's policy, for example, is that nothing is ever marked invalid.

replies(1): >>jamess+H1
◧◩
3. jamess+H1[view] [source] [discussion] 2025-06-24 18:57:53
>>thauma+F
Yes, I'm sure anyone with more HackerOne experience can give specifics on the companies' policies. For now, those are the most objective measures of quality we have on the reports.
replies(1): >>moyix+j4
◧◩◪
4. moyix+j4[view] [source] [discussion] 2025-06-24 19:09:24
>>jamess+H1
This is discussed in the post – many came down to individual programs' policies e.g. not accepting the vulnerability if it was in a 3rd party product they used (but still hosted by them), duplicates (another researcher reported the same vuln at the same time; not really any way to avoid this), or not accepting some classes of vuln like cache poisoning.
5. pclmul+mi[view] [source] 2025-06-24 20:27:38
>>jamess+(OP)
Walt Disney doesn't pay bug bounties. AT&T's bounties go up to $5k, which is decent but still not much. It's possible that the market for bugs is efficient.
replies(1): >>monste+cA
◧◩
6. monste+cA[view] [source] [discussion] 2025-06-24 22:36:10
>>pclmul+mi
Walt Disney's program covers substantially more surface area, there's 6? publicly traded companies listed there. In addition to covering far fewer domains & apps, AT&T's conditions and exclusions disqualify a lot more.

The market for bounties is a circus, breadcrumbs for free work from people trying to 'make it'. It can safely be analogized to the classic trope of those wanting to work in games getting paid fractional market rates for absurd amounts of QA effort. The number of CVSS vulns with a score above 8 that have floated across the front page of HN in the past year without anyone getting paid tells you that much.

replies(1): >>ackbar+II1
◧◩◪
7. ackbar+II1[view] [source] [discussion] 2025-06-25 11:43:28
>>monste+cA
> The market for bounties is a circus, breadcrumbs for free work from people trying to 'make it'. > The number of CVSS vulns with a score above 8 that have floated across the front page of HN in the past year without anyone getting paid tells you that much.

You make it sound like there's a ton of people going around who can just dig up CVSS vulns above 8 and is making me all confused. Is that really happening? I have a single bounty on H1 just to show I could do it, and that still took ages and was a shitty bug.

replies(1): >>monste+xt2
◧◩◪◨
8. monste+xt2[view] [source] [discussion] 2025-06-25 16:22:44
>>ackbar+II1
The weighted average is 7.6. Finding them doesn't necessarily take much effort if you know what to look for.
[go to top]