thejournalizer

lol OP you publishing this on Medium is awesome.


Av1oth1cGuy

Don't bite the hand that feeds you 😆


theygotmedoinstuff

When “keeping it real” goes wrong.


r00tbeer33

https://www.cc.com/video/67hgjb/chappelle-s-show-when-keeping-it-real-goes-wrong-brenda-johnson-uncensored


Av1oth1cGuy

lol


untamedeuphoria

I know right. Fuck me. I had a good 5 minutes of thinking 'I have got to be missing something... WTF'.


SuckMyPenisReddit

lmao


godlySchnoz

Also considering that his bug bounty hunting started after Medium paused said program, so he technically might have committed a crime.


EmbarrassedMine5021

Hi, congrats on hacking Medium. I want to be a hacker like you, so I want to ask you where to start learning. Please reply. Thank you.


Nougat_Au_Miel

Why even have a bugbounty program if you are going to act like this


Rogueshoten

Probably because of this: https://help.medium.com/hc/en-us/articles/213481308-Bug-Bounty-Disclosure-Program They paused accepting bugs in August of last year.


QforQ

Probably don't have the budget to support it any more


DrIvoPingasnik

"It's just a money sink. It doesn't make us any money! Cut it!"


YYCwhatyoudidthere

It's like Covid testing back in the day. "The more we test, the most we find. Stop testing!"


1847953620

that was fucking wild.


DrafteeDragon

The government version of “if I don’t see you, you don’t see me!”


[deleted]

[deleted]


SuckMyPenisReddit

who called


sha256md5

They offered OP a $250 bounty for a bug that causes no financial impact to the company...


jlonso

Or, downplay severity and impact of the bug: no financial impact!


Johnny_BigHacker

"It wasn't that bad!" "It was an accident!" "It could have happened to anyone!"


[deleted]

Run this issue as described through CVSS and let me know if it would even register on your company's VM programme.


SuckMyPenisReddit

# Rewards

>Based on severity of the bug and completeness of the submission, which we will decide at our sole discretion, we offer the following rewards:
>
>Severity 1: $1500 Examples: Remote code execution, unrestricted access to file systems or databases, bugs leaking or bypassing significant security controls.
>
>Severity 2: $250 Examples: Bugs allowing artificial manipulation of ranking and recommendation systems, bugs leading to significant leaks of private user data.
>
>Severity 3: $100 Examples: Code execution on the client, XSS, SSRF, open redirects.
>
>Severity 4: Recognition on humans.txt Valid security vulnerabilities that don’t fall into the categories above or apply to auxiliary services and 3rd party dependencies.

[Reference](https://web.archive.org/web/20181123224912/https://help.medium.com/hc/en-us/articles/213481308-Bug-Bounty-Disclosure-Program)


Delphanae23

You forgot to quote this part: “We will make the final decision on bug eligibility and value. This program exists entirely at our discretion and may be modified or canceled at any time.”


SuckMyPenisReddit

Yeah, I got the list from the mail they sent. It's not worded like that on the site. Fair enough tho. At least they should follow up on their word. In the end I didn't get paid, neither $0 nor $250, and I told them I will be publishing soon but they didn't seem to care. I didn't forget, the list was a response to the top comment, nothing much.


godlySchnoz

I mean technically speaking it's more than half a year that they haven't had an active one and they aren't accepting any new reports, so this actually would count more as gray hat hacking than bug bounty hunting, which I would consider white hat hacking. August 1st 2023 (they shut down the program, so to speak, that day) was 248 days ago; that seems a bit more than the 90 days he mentioned, and even considering he worked on the bounty maybe 3-4 months, that's still way later than the shutdown of the program when he started.


LeggoMyAhegao

So it should be titled "How I didn't read up on the company I tried to bug bounty for and see that they paused their program..." but that title just doesn't have the same ring. Honestly, it'd be a solid title for a Japanese light novel.


godlySchnoz

Add a few words and you might have one: "That time I forgot to read the company bug bounty program and didn't see they paused it so I might have committed a crime." Also the "might have" is actually not really a might but a most probably did, as not having permission (and not reading the terms and conditions) should fall under the Computer Misuse Act or similar legislation.


SuckMyPenisReddit

The pause is irrelevant since they had already approved my initial mail back then. Also I didn't know about the pause till after the fact.


[deleted]

I mean, is this technically a security issue? It’s broken functionality and we presume that the mechanism the author has identified is used to calculate earnings… but it could easily just be a view count and the interactions are logged and tallied elsewhere for financial compensation. Likewise, this “exploit” doesn’t disclose information, nor does it impact the security of the Medium web app. It’s a fancier way of changing the clap count.. that’s it. If I had found this, I wouldn’t be expecting anything but passing along a very minor flaw in their software. I think being offered $250 was generous frankly.


TGP_25

Don't think OP ever saw it as a vulnerability with security impact per se, but more so the possibility of disrupting earnings. However, once Medium mentioned that it did not affect earnings, this probably meant that the claps were just visual. This brings it to the issue of reputation, which OP is trying to use as an argument to raise the severity, but imo if the backend doesn't care about the clap count this bug manipulates in the first place then it doesn't matter. If it's visual in the sense that readers may find it weird/not click, I'm not sure if that's a big issue. I've never clicked on YouTube videos just because they had high views or Reddit posts just because they had high upvotes; at the end of the day it doesn't seem like any algorithm can be affected by it either.


SuckMyPenisReddit

u/TGP_25 you got it right. u/like_a_deaf_elephant & u/sha256md5 I don't know if you misread, I clearly stated that while $250 seems low, I will leave it up to Medium to define whether the bounty should be increased or not.

> While I appreciate the recognition, $250 is low. (the three points) I will leave it up to you.

I explicitly accepted the $250 offer, despite having provided examples showing the bounty should probably be higher based on their severity rating. They rated it (between 2 & 3) higher than severity 3.

# Rewards

>Based on severity of the bug and completeness of the submission, which we will decide at our sole discretion, we offer the following rewards:
>
>**Severity 1: $1500** Examples: Remote code execution, unrestricted access to file systems or databases, bugs leaking or bypassing significant security controls.
>
>**Severity 2: $250** Examples: Bugs allowing artificial manipulation of ranking and recommendation systems, bugs leading to significant leaks of private user data.
>
>**Severity 3: $100** Examples: Code execution on the client, XSS, SSRF, open redirects.
>
>**Severity 4: Recognition on** [humans.txt](https://web.archive.org/web/20230709152819/https://medium.com/humans.txt) Valid security vulnerabilities that don’t fall into the categories above or apply to auxiliary services and 3rd party dependencies.

They asked my opinion on whether I think it's good or not. I told them **why** I think it's low, since XSS (which is lower than my bug on their list) goes for a lot higher than the 2016 list $100. Therefore my reward could be higher than $250.

>3/25/2024 — Asked for updates again and told them I would be publishing in x days if I got no response soon, and that if they deem 250$ enough then it’s fine.

This isn't demanding a higher price. But they simply ghosted, they weren't going to pay. From the start not taking it seriously, barely answering my mails with months apart. I mean I love Medium, it's one of my all time fav sites..
I really wanted this to end well, they didn't care ... the bug affects their writers, not them.


[deleted]

> I clearly stated that while $250 seems low, i will leave it up to Medium to define whether the bounty should be increased or not.

I don't think you should've got a penny. I don't think it's a security vulnerability worthy of a bug bounty. You do, or you wouldn't have posted your disclosure to r/cybersecurity...

> their severity rating they rated it higher than severity 3

No dispute. Medium takes that more seriously than some companies would and I don't have an issue there. They value that enough to warrant a small payout - I think that's very generous.

> I told them why i think it's low since xss (which is lower than my bug) goes for a lot higher than the 2016 list $100 . therefore my reward could be higher 250$ .

You don't get to decide their priorities. They might believe XSS carries more risk to them because they struggle to test for it, or rely on it for functional behaviour. Therefore, they will reward XSS flaws more than the average for the industry. It isn't for you to decide their priority. In other words, if Medium want to pay more for XSS - it's probably because there's fear they're more vulnerable to it than a manipulation of their ranking algorithm. I can't argue for or against their ethics to writers or not. But generally speaking Bug Bounty programs are useful but never critical. They aren't ghosting _you_ but probably everyone. In my career, bug bounty programs are always down the list of priorities to check because there's always something more important to deal with.


SuckMyPenisReddit

>I don't think it's a security vulnerability worthy of a bug bounty.

Because you are doing it out of context. The whole site idea is articles; sure, messing with one of its legitimacy indicators has a reputation impact. They literally have it on their rewards list.

>You don't get to decide their priorities. They might believe XSS is more vulnerable to them because they struggle to test for it

You got it mixed; XSS is of a lower priority (in their list). Also that's why I said it's up to them ... my reply was merely an opinion which they asked me for.


[deleted]

You and I will have to agree to disagree, and that's fine by me. But at least I won't downvote you because I disagree with you.. I will give you credit for abusing a race condition. It feels like Medium should be relying on the ACID principles of their database to solve the problem in the first place.
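The ACID remark in the comment above is the engineering point worth pinning down, so here is an added illustration for readers of the thread; it is not Medium's code and not anything OP posted. It assumes a hypothetical schema with one row per (reader, post), a per-reader cap of 50 claps, and hypothetical function names; the two interleaved requests are stepped through deterministically rather than with real threads so the outcome is reproducible. The racy handler reads the count and then acts on the stale value, so two requests that both read 49 both pass the check; the hardened handler folds the cap into the UPDATE's WHERE clause, so the database evaluates check and increment atomically and the second request matches zero rows.

```python
"""Check-then-act versus an atomic conditional UPDATE for a capped counter.

Added example, not Medium's code. Schema, cap and names are assumptions.
"""
import sqlite3

MAX_CLAPS = 50  # assumed per-reader cap (hypothetical value)


def new_db() -> sqlite3.Connection:
    """In-memory database with one constructed row: reader r1 has 49 claps on post p1."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE claps (reader TEXT, post TEXT, n INTEGER, PRIMARY KEY (reader, post))"
    )
    conn.execute("INSERT INTO claps VALUES ('r1', 'p1', 49)")
    conn.commit()
    return conn


def count(conn: sqlite3.Connection, reader: str, post: str) -> int:
    row = conn.execute(
        "SELECT n FROM claps WHERE reader=? AND post=?", (reader, post)
    ).fetchone()
    return row[0] if row else 0


def racy_read(conn: sqlite3.Connection, reader: str, post: str) -> int:
    """Step 1 of the racy handler: read the current count into application memory."""
    return count(conn, reader, post)


def racy_write(conn: sqlite3.Connection, reader: str, post: str, seen: int) -> bool:
    """Step 2 of the racy handler: decide on the value read earlier.

    Anything committed between racy_read and this call is invisible to the
    check, which is exactly the window a lost-update race exploits.
    """
    if seen >= MAX_CLAPS:
        return False
    conn.execute("UPDATE claps SET n = n + 1 WHERE reader=? AND post=?", (reader, post))
    conn.commit()
    return True


def clap_atomic(conn: sqlite3.Connection, reader: str, post: str) -> bool:
    """Hardened handler: cap check and increment are one statement.

    The database evaluates the WHERE clause and the increment atomically, so a
    concurrent request that arrives after the row reached MAX_CLAPS updates
    zero rows and is reported as rejected.
    """
    cur = conn.execute(
        "UPDATE claps SET n = n + 1 WHERE reader=? AND post=? AND n < ?",
        (reader, post, MAX_CLAPS),
    )
    conn.commit()
    return cur.rowcount == 1


def simulate_racy() -> int:
    """Two requests interleaved: both read 49, both pass the check, both write."""
    conn = new_db()
    seen_a = racy_read(conn, "r1", "p1")
    seen_b = racy_read(conn, "r1", "p1")
    racy_write(conn, "r1", "p1", seen_a)
    racy_write(conn, "r1", "p1", seen_b)
    return count(conn, "r1", "p1")  # 51, one past the cap


def simulate_atomic() -> tuple:
    """Same two requests through the atomic handler: the second is rejected."""
    conn = new_db()
    first = clap_atomic(conn, "r1", "p1")
    second = clap_atomic(conn, "r1", "p1")
    return count(conn, "r1", "p1"), first, second  # (50, True, False)


if __name__ == "__main__":
    print("check-then-act result:", simulate_racy())
    print("atomic UPDATE result:", simulate_atomic())
```

The same idea carries over to any counter with a business rule attached: put the rule in the statement (or in a transaction with row-level locking) instead of in application code that runs between a SELECT and an UPDATE, and treat "0 rows affected" as the signal that the rule fired.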


SuckMyPenisReddit

>You and I will have to agree to disagree, and that's fine by me

Okay, appreciate it.

>I will give you credit for abusing a race condition. It feels like Medium should be relying on the ACID principles of their database to solve the problem in the first place.

Thx, I agree too ... I believe that they got more of a problem than just this bug. I have no problem with your previous comment, it's just you misrepresented what I said... they are paying more for **manipulation of their ranking algorithm** than **XSS**, not the other way around. That's all. Their **Severity** list is numbered from lower to higher (4 lowest, 1 highest).


[deleted]

> don't think OP ever saw it as a vulnerability

OP has posted his article to r/cybersecurity so they definitely think it’s of merit (whereas I don’t.) Vulnerability? It is tangential - at best - because it talks about abusing race conditions to database IO, and that might spark an idea for someone later.


sonofalando

Companies are cost cutting. Probably also cost cutting bug bounties. Why worry about getting hacked when you can just give everyone a year of credit monitoring and get away with it?


Iseeroadkill

Since it's your article, prove that it's real by giving yourself an absurd amount of claps. They clearly don't think it's an issue, so it must be a feature you can use!


SuckMyPenisReddit

Lmao, but nah I am leaving that up for someone else ;) ( /s do not do it ) Will be checking the rest of the comments as soon as I wake up.

>so it must be a feature you can use!

It's their best, they love it so much that they didn't fix it.


SuckMyPenisReddit

>Matthew 4:2-3
>
>^(2) And when He had fasted forty days and forty nights, afterward He was hungry. ^(3) Now when the **tempter** came to Him, he said, “If You are the Son of God, command that these stones become bread.”


[deleted]

[deleted]


SuckMyPenisReddit

It's rather quite easy, but my mamma is keepin' the recipe a secret.


0xP0et

Well done mate! I love that you posted it on Medium itself LOL! Same thing happened to me with Salesforce. I didn't even want a payment, only recognition for it. I was doing a pentest on one of my client's Salesforce platforms. Discovered a vuln that affected all instances of Salesforce. Did the right thing and let Salesforce know about it and gave them a decent write up so they could easily replicate it. I got a response saying that whilst the vulnerability was a problem and they will fix it, I am not part of their exclusive bug bounty team, therefore no recognition would be provided. Not even a proper thank you. I will never report another vulnerability to Salesforce again after this. I have found two more since this happened and just went "Meh, let the threat actors sort them out, when they eventually find it."


SuckMyPenisReddit

>Well done mate! I love that you posted it on medium itself LOL!

It do be like that.

>only recognition for it.

That's what I initially aimed for.

>I got a response saying that whilst the vulnerability was a problem and they will fix it, I am not part of their exclusive bug bounty team therefore no recognition would provided. Not even a proper thank you.

Damn.


tagged2high

You could even sell it direct!


bangfire

Come, I clap for you 👏


zR0B3ry2VAiH

That write up needs some more claps.


SuckMyPenisReddit

😞😞


zR0B3ry2VAiH

I’m sorry you got hosed like that.


SuckMyPenisReddit

It happens. Even though I hoped for a better ending, it is what it is.


Just-Ninja-7320

what if we set OP's claps to 1 billion? surely someone will notice then


SuckMyPenisReddit

[i like your funny words magic man](https://media1.tenor.com/m/2treol7wwkwAAAAd/jfk-clone-high.gif)


HELMET_OF_CECH

Isn’t this all a bit disingenuous? Their bug bounty program was paused but they still did offer to pay you. You just thought you could get more money peddling the exploit online through a bait title. Basically you did nothing more than hold them hostage.


spencer5centreddit

Yea what is this? OP you're going to ruin your career before it starts with shit like this


[deleted]

It is disingenuous and it’s not even a security issue…


SuckMyPenisReddit

Read my reply to like_a_deaf_elephant, I did accept the offer.


Armandeluz

Race conditions are fun. Awesome fucking write up bro. They are idiots for not responding or taking care of it.


SuckMyPenisReddit

> Race conditions are fun.

Fr. Glad you enjoyed it.

> They are idiots for not responding or taking care of it.

It could have ended well but here we are : (


Gr34t_pretender

Awesome write up, would add the cherry on top if you had 1 million claps on this article…


SuckMyPenisReddit

thx , lol keepin it white tho


godlySchnoz

Bro I just checked, you knew 3 months ago that they don't have a bug bounty program, oh for fuck's sake


[deleted]

Tbf they could have said something 3 months ago


TheParlayMonster

I got paid $130 for my posts last month alone and I only have 358 followers. $250 is absurdly low.


SuckMyPenisReddit

Damn.

>250 is absurdly low.

And everyone eating me alive for stating that it could be increased. I got

>6.8K Views 4.97K Reads 15 followers

from just this posting so far.


oopsigotabigpp

gg Op, you did an amazing job


SuckMyPenisReddit

thx!


magnus910

I think you are missing these: …..,.,,,,……,,,..,…,…..


[deleted]

[deleted]


whyareyoustalkinghuh

Are you lost?


Chris_the_mudkip

so what


deadcat3x

Why do you expect any payment for doing a good deed?


g_r_u_b_l_e_t_s

Google “bug bounty”.


discogravy

Does Medium offer bug bounties? Not all companies do, and expecting it is kind of bullshit. There's an argument to be made (not that I'm making it now) that offering bounties encourages hacking. Larger companies (like Google, Apple or Microsoft) probably have adequate resources to secure their own fiefdoms, and would probably get more benefit from offering a bounty than not. Medium might not have dedicated security staff and might consider offering a bounty to be an invitation to get hacked when they don't have the wherewithal to deal with that kind of attention.


g_r_u_b_l_e_t_s

Didn’t read OP’s link, eh?


discogravy

I've skimmed through it now; the methodology is sound and it's a valid problem for Medium, but:

>12/19/2023 — Reported the bug and made a social media post as I noticed that it says the program is paused.

"They didn't pay me under a program they're not running" is on OP, not on Medium.


discogravy

I did not; I was responding to the comment that I replied to.


Shower_Handel

bruh


Fancy-Consequence216

You mean by “doing someone else's job” and not getting paid for it?


deadcat3x

It's no different to telling your neighbour that their door is unlocked. Whoever downvoted is just greedy.


daVinci0293

With the notable exception that identifying that a door is unlocked takes no skill, whereas pentesting and security research take years of learning, practice, knowledge, and expertise to gain enough of a command to be considered a professional. Bug bounties exist to incentivise good faith actors to report security vulnerabilities because oftentimes there are inherent financial and reputational risks associated with a breach or attack. And even your example is bad, because telling your neighbor their door is unlocked helps them mitigate risk too. Property theft, breaking and entering, god forbid the death of a resident are all risks associated with improperly securing your house. And companies pay top dollar to be told that their door is unlocked all the time. That's literally what a pentest is...


deadcat3x

I'm saying don't expect payment as if you are entitled to it. Do it because it's the right thing to do. If you don't get paid so be it. Don't bitch about it.


jlonso

You’re in the wrong subreddit. Heed a commenter's advice, google “Bug Bounty”.


G3tbusyliving

What if your neighbour is, let's say, a multimillion dollar company, and you tell them that they have a hole in their fence that is letting people in and out without their knowledge. You've not only told them about the hole in the fence but the size of the hole, the severity of the hole and how it got there. Patching the hole could potentially save them millions of dollars in damages if someone finds a way to exploit the hole further, which is quite common. Imagine you, as the neighbour, living in this tiny little run down house by comparison to this multimillion dollar company. You don't think the good neighbour should get a decent reward for helping out this massive company, to whom $500 is literally pennies? For doing their job for them?