HackerOne billboard on display in downtown San Francisco, showing hacker @randomdeduction, known in the physical world as Jesse Kinser. (Photo courtesy of HackerOne).

Not all vulnerability hunters play by the rules. There are some who are more concerned about scoring a big payday than ensuring a bug is responsibly disclosed and fixed before malicious actors can take advantage. But there are tactics that tech developers and manufacturers can employ to help steer negotiations in their favor.

In a ransomware panel session at last week’s Incident Response Forum Masterclass, experts weighed in on what to do when unscrupulous, independent gray hat researchers contact a company after identifying a vulnerability and demand a large bug bounty, threatening to otherwise publish their findings or sell it. SC Media then followed up by reaching out to additional bug bounty experts to get their own take on how to respond to such a situation.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.