Bug bounty programs that are "scammy" or unethical can sometimes involve promising rewards to researchers for identifying security flaws, but either delay payments, don't pay at all, or misuse the disclosed vulnerabilities.
Signs of a Potentially Scammy Bug Bounty Program:
- Unclear Terms and Conditions: Programs that don't clearly specify what vulnerabilities qualify for rewards or the amount of the reward.
- No Transparent Payment Structure: Lack of details about payment timelines, payout methods, or cases where people report not getting paid.
- Little to No Community Feedback: Lack of reputation or negative reviews from the infosec community.
Hits: # of reports of being scammy
| Program Name | Issues Reported | Platform | Source | Hits |
|---|---|---|---|---|
| Standard.com | No rewards1 | Self hosted | Trusted hacker | 1 |
| H&M | No rewards1 | Self hosted | Trusted hacker | 2 |
| Celonis | Ignored reports2 | Self hosted | Trusted hacker | 1 |
| TataPlay | Automated Response, then no response | Self hosted | Trusted Hacker | 1 |
| Synack | Reward Gatekeepers10 | Self hosted | Trusted Hacker | 1 |
| Zeiss | Ignored reports2 | Self hosted | Trusted hacker | 1 |
| Alefed | No impact but fixed3 | Self hosted+YesWeHack | Trusted hacker | 1 |
| Cex.io | Failed to pay4 | Self hosted | Trusted hacker | 1 |
| Roche | Patch & Pass5 Duplicate Disguise7 Duplicate Mirage8 Smokescreen Smackdown12 |
Self hosted | Trusted Hacker | 2 |
| Zopa | Scope Surprise!9 | Self hosted | Trusted hacker | 1 |
| Atos | Bounty Roulette11 | Self hosted | Trusted hacker | 1 |
| LuminPDF | No impact but fixed3 | Self hosted | Trusted hacker | 1 |
| ItsLearning | Fixed and Ignored Reports2 | Self hosted | Trusted Hacker | 1 |
| Resortdata | Fixed and Ignored Reports2 | Self hosted | Trusted Hacker | 1 |
| Scalr | No impact but fixed3 | Self hosted | Trusted Hacker | 1 |
| Zynga | Fixed and Ignored Reports2 | Self hosted | Trusted Hacker | 1 |
- 1No rewards: They promise rewards for reports in their program, but fail to pay them. Sometimes they just say they stopped paying rewards or they can't do it anymore.
- 2Ignored reports: They never replied back to researcher. Never > 2 months and counting.
- 3No impact but fixed: Bug triaged as CVSS 0, no impact or similar but fixed anyways.
- 4Failed to pay: Agreed to pay a bounty but never accomplished it. Often ignoring follow-up emails.
- 5Patch & Pass: They fix reported bugs but mark them as Out of scope.
- 6P1 or You're Out: They won't invite you to their private program unless you report a P1/High bug.
- 7Duplicate Disguise: They mark reports as duplicated when they are very unlikely to be reported before.
- 8Duplicate Mirage: They mark all (future) reports as dups without having the full list of domains.
- 9Scope Surprise!: They define their Inscope and Outscope after you send the report, they dont write down in their program brief.
- 10Reward Gatekeepers: They will pay a reward only if you have an account in their site (which might very difficult to get).
- 11Bounty Roulette: Not clear if they pay bounties or not
- 12Smokescreen Smackdown: When a company tries to damage the reputation of a reporter.
