Tell HN: Internet Bug Bounty (IBB) on HackerOne Appears Dead, CVEs Unpaid
I figured this might be a good place to ask/raise this.

This is about the IBB program:

https://hackerone.com/ibb

A few months back, I reported two vulnerabilities that should get an $8000 payout or so. They got CVE numbers and got fixed months back.

It seems like the program is dead. The last report was resolved 8 months ago. I have tried repeatedly to contact HackerOne through different channels, but got no response. This includes e-mailing the official IBB e-mail, e-mailing HackerOne people directly, reaching out through their forms and using mediation. There's total silence.

I searched social media for any mentions of this, but didn't see any communications.

It looks like the program is dead. The bounties are still being promised, but the reports are ignored - even for published CVEs that clearly do qualify for payouts according to the rules.

Does anyone know more about the situation? What shall be done here? Is the program dead?

jll088
1 day ago
I'm cybersecurity editor at The Register and would like to hear more about what happened - can you get in touch via email (jessica.lyons@theregister.com) or Signal jess.825?
whatamidoingyo
1 day ago
That's why I stopped going to HackerOne. My first 3 reports were marked as duplicate. The last report on there was an auth bypass, essentially. They replied: "But you need to show what can be done beyond this". Like, wat? You want me to do some real damage before accepting it (HackerOne managed)?

Those were my only reports on the platform before I gave up. Then I went to Bugcrowd, submitted a report and it was accepted.