
Ask HN: Bug Bounty Dilemma – Take the $$ and Sign an NDA or Go Public?

16•deep_thinker26•14h ago
Hi everyone,

I recently found a high-criticality vulnerability in a listed consumer company in the UK. It allows unauthorized access to users’ private messages and even lets you impersonate other users on the platform.

They’ve offered a €1,000 bounty, but only if I sign an NDA that prevents any public write-up—even after the issue is patched.

I feel the bounty is too low for the impact, and asking to sign an NDA that prevents any public disclosure even post-fix feels like a big red flag.

I’m leaning towards declining the offer and doing a public write-up once the issue is fixed—but I’d really welcome opinions from others on what the right thing to do here is.

Thanks!

Comments

deepak-singh•14h ago
Your leaning feels correct, and more if the listed company deals with health or financial data where personal data and privacy is of utmost importance.

User-impersonation, and unauthorized access would probably leave them open to potential lawsuits and loss of credibility, hence the NDA or more like a gag order.

Non-disclosure even after patch is surely a big red flag.

In the interest of the users and public accountability, it is suggested to publish an incident report, only after giving the company sufficient time to patch the vulnerability.

deep_thinker26•2h ago
Thanks for the reply — really appreciate it.

The company doesn’t deal with health or financial data, but yeah, user impersonation and access to private messages is still serious enough to expect some level of accountability.

I’m holding off on sharing more details for now since mentioning the domain + the vuln might make it too easy to identify the company.

I’m leaning toward a public write-up after giving them fair notice.

One more thing is that the vulnerability has already been fixed (I reported it 3 weeks ago), so not sure how much leverage that still gives.

NitpickLawyer•13h ago
> and doing a public write-up once the issue is fixed

I'd also check with UK laws, as even that might be close to gray-ish territory if they're willing to go after you. Litigious companies are a pain to work with. Especially if they seem to be looking for no bad PR. Worth a few hours of research, maybe reach out to a non-profit and see if they can help?

gtsteve•12h ago
1k sounds like a discretionary amount that would quite neatly fit within a manager's budget for external consultants and so on, which is probably what they'll say you are when accounting for it. They're trying to fly under the radar, and have likely kept this knowledge to only a few people.

The organisation will never change their ways unless they get bad publicity or have to spend so much money that their c-suite gets involved.

I would be wary of trying to negotiate the payment upwards in case you are accused of extortion; just explain you'll disclose publicly in 30 days, which is more than enough time to fix what I assume is a web app backend bug. You don't want them dealing with this kind of issue as a feature to be implemented when there's space in one of the future sprints.

They may try at this point to negotiate the payment upwards, which is a matter for you and your conscience, but I would say that if you don't get something close to 100k, it's likely to be swept under the rug internally and they'll never learn from their mistakes.

indianmouse•3h ago
This is exactly how bug bounty hunters are being exploited.

Though it is on the good side about disclosure, calculate how much the financial and reputational impact and negative publicity would cost the company and settle for a fair price and not a measly sum of 1k EUR.

It is a huge red flag to keep it under the radar if they think the impact is going to be high. I'm sure it is high and that's the reason they want to keep it undisclosed while they silently patch it.

One question: Was the discovery part of a bug bounty program? Or did you stumble upon it without any actual request? I'm trying to see the legal angle that might get downplayed there if you do not have the authorization to look at it.

Being ethical is the only advantage I see if that is the case. Else, you should negotiate and demand a fair price and go for a public disclosure which will cause more harm than good for them.

Everything has a price. Nothing in this world is free. Contact some good lawyer.

Don't ever sign an NDA without vetting it out with a good lawyer. Fine prints matter a lot.

As some of the fellow HNs mentioned, they will probably be looking at a huge impact and the reason for the NDA and a low sum as a token appreciation. They think they can buy their way out, being a corporate, and my advice would be to talk to some lawyers or contact a non-profit to help sort things out.

Probably you could donate a % to them if you get a good amount.

Hope you get what you deserve.

deep_thinker26•2h ago
Thanks for the thoughtful reply — really appreciate it.

I actually stumbled upon the vulnerability without any prior request. They don’t have an active bug bounty program, and the Head of IT Security I’m in touch with mentioned they don’t have dedicated funds for security researchers — which is hard to believe for a company with a £200M+ market cap.

I’ll definitely dig a bit deeper into the legal side.

Based on all the suggestions here, I’m leaning toward quoting them a fair amount considering the impact. If they don’t agree, I’ll likely reject the NDA and do a public write-up after a reasonable disclosure window.

One thing I forgot to mention earlier as of today — the vulnerability is fixed (I reported it around 3 weeks ago), not sure if that changes anything leverage wise.

drewbitt•2h ago
At that amount, I would decline and state that you will be releasing the write-up in the coming weeks. I don't know the laws of the UK, though.
