How to turn a non-applicable vulnerability into an accepted one in bug bounty hunting


It happens, and it can be annoying when you are certain that you are onto something valuable. A bug bounty program may initially mark a reported vulnerability as “non-applicable” if it does not meet the program’s criteria, if it does not pose a significant risk, or if the triager is unable to see the risk that the vulnerability actually presents. However, it may still be possible to turn a non-applicable vulnerability into an accepted one by taking the following steps:

1. Gather additional evidence: If you believe that the vulnerability is valid, gather additional evidence to support your claim. This could include screenshots, videos, or detailed descriptions of the steps taken to reproduce the vulnerability.

2. Provide context: Provide context around the vulnerability to help the program understand its potential impact. Explain how the vulnerability could be exploited and what the potential consequences could be.

3. Be persistent: If the program initially marks the vulnerability as non-applicable, don’t give up. Continue to communicate with the program and provide additional evidence or context if necessary.

4. Follow up: If the program still does not accept the vulnerability, follow up with them periodically to see if their position has changed. This can help keep the vulnerability on their radar and may eventually lead to its acceptance.

5. Consider responsible disclosure: If the program still does not accept the vulnerability and you believe it poses a significant risk, consider responsibly disclosing it to the affected organization. This can help ensure that the vulnerability is addressed and can also help build your reputation in the bug hunting community.

Overall, turning a non-applicable vulnerability into an accepted one requires persistence, evidence, and effective communication with the program. By following these steps and maintaining a professional and respectful attitude, you can increase your chances of success and help improve the overall security of the program.
