I recently found a high-criticality vulnerability in a listed consumer company in the UK. It allows unauthorized access to users’ private messages and even lets you impersonate other users on the platform.
They’ve offered a €1,000 bounty, but only if I sign an NDA that prevents any public write-up—even after the issue is patched.
I feel the bounty is too low for the impact, and asking to sign an NDA that prevents any public disclosure even post-fix feels like a big red flag.
I’m leaning towards declining the offer and doing a public write-up once the issue is fixed—but I’d really welcome opinions from others on what the right thing to do here is.
Thanks!
deepak-singh•14h ago
User impersonation and unauthorized access would probably leave them open to potential lawsuits and loss of credibility, hence the NDA, or more like a gag order.
Non-disclosure even after patch is surely a big red flag.
In the interest of the users and public accountability, it is suggested to publish an incident report, only after notifying the company and giving it sufficient time to patch the vulnerability.
deep_thinker26•2h ago
The company doesn’t deal with health or financial data, but yeah, user impersonation and access to private messages are still serious enough to expect some level of accountability.
I’m holding off on sharing more details for now since mentioning the domain + the vuln might make it too easy to identify the company.
I’m leaning toward a public write-up after giving them fair notice.
One more thing is that the vulnerability has already been fixed (I reported it 3 weeks ago), so not sure how much leverage that still gives.