HACKER Q&A
📣 jcuenod

Responsible Disclosure Without Compensation


I recently discovered a security vulnerability on a SaaS that my university uses. They do not have a bug bounty program (I asked) and, reasonably enough, they want me to responsibly disclose it.

I am not going to do anything malicious with the vulnerability and I will responsibly disclose it. However, I am in a humanities PhD with very low earning potential after I graduate and, right now, I have no real income as a student (apart from minimum wage on campus employment).

Is it just me or is it unreasonable for a SaaS to expect responsible disclosure without compensating me?


  👤 ganoushoreilly Accepted Answer ✓
It's not unreasonable as there was no contract or established program. You did the work without any defined outcome guaranteed.

I would take this disclosure (depending on what it is and how it impacts) and use it to market yourself and further your industry credibility.

If it's a big impact I think some sort of bounty is great, but you can use it as a pivot point to encourage them to build a program.


👤 CaptainJustin
From their perspective it might feel a bit like a hostage situation: "I found a way into your house. How much are you going to pay me to tell you how?"

From your perspective I would imagine that exploring the vulnerability, packaging and capturing the steps-to-reproduce are all work. Work should be paid for.

In summary, I don't think they can make demands of your time and effort by requiring you to package and share. But don't let it sound like you have anything they have a right to, or that you're holding anything hostage.


👤 stevenalowe
Offer a write-up/video (concrete deliverable) for a fixed price to compensate you for your time and expertise, with a money-back guarantee if it can't be replicated, and sign an NDA agreeing not to disclose to anyone else for several years. Ask for the $ you want and accept anything reasonable. Sign an NDA first to establish trust; make it clear you have no ill intentions.
Offer a write up/video (concrete deliverable) for a fixed price to compensate you for your time and expertise with a money back guarantee if it can’t be replicated and sign an NDA to not disclose to anyone else for several years. Ask for the $ you want and accept anything reasonable. Sign an NDA first to establish trust - make it clear you have no ill intentions