hakluke / bug-bounty-standards

A list of edge cases that occur in bug bounty programs, and conversations on how they should be handled. The goal is to standardise the way that specific situations are handled in bug bounties.

Variant of ID 8: Acquisition #2

Closed jhaddix closed 10 months ago

jhaddix commented 2 years ago

Hacker submits a bug to a program that has an open scope brief. The bug is on an acquisition. The program owner does not control the IT infrastructure or staff of the acquisition.

Resolution: The program owner should make a good faith effort, verified by the platform, to inform the acquisition. Should the acquisition benefit from the submission, the program owner should pay the bounty. The brief should be updated to reflect if acquisition(s) are in scope.

hakluke commented 2 years ago

Totally agree! I think maybe a good action item for platforms would be to have a visible binary switch on programs. Are acquisitions in scope Y/N. Do you think that would solve it?

hakluke commented 2 years ago

Added