Not all vulnerability hunters play by the rules. Some are more concerned with scoring a big payday than with ensuring a bug is responsibly disclosed and fixed before malicious actors can take advantage of it. But there are tactics that technology developers and manufacturers can employ to help steer such negotiations in their favor.
In a ransomware panel session at last week's Incident Response Forum Masterclass, experts weighed in on what to do when unscrupulous, independent gray hat researchers contact a company after identifying a vulnerability and demand a large bug bounty, threatening to otherwise publish or sell their findings. SC Media then followed up by reaching out to additional bug bounty experts to get their own take on how to respond to such a situation.