June 18, 2022

The ugly side of collaboration in bug bounties

TL;DR: when money is involved, things can get ugly. Your best bet is to be clear about the terms up-front and stick to the 50/50 rule. Don't share information with people you don't have the privilege to share it with.

The thing that frustrates me about the bug bounty community is that everyone wants to talk about how great collaboration is; however, no one wants to talk about the toxicity that sometimes arises. As someone who has been doing bug bounties for over five years, and has collaborated with a lot of great hackers in the scene, I've thankfully been able to avoid most of this toxicity by being very careful about the following things:

1) Who knows about the research
2) Being up-front about the terms regarding the research
3) Doing 50/50 splits (industry standard)
4) Not sharing things like the bounty amounts from your research, to avoid attention

Being inside a number of Slack groups where we are transparent about this research, we often notice that there are a few people that will try their best to learn about the vulnerabilities/techniques/research without contributing to it, and in some cases, people who get upset because they cannot also cash out on the research, especially if they were shown what the research was.

At this point, I have learnt that the best way forward is being extremely careful about who you share your research with, even if you're excited about it and want to show a friend how cool it is. Once shown, they usually expect that they are able to use that research themselves to capitalise on it.

Setting boundaries is fine, but in some cases, people take it harshly. Situations can be complex: you may have been working on the research with someone else, and you probably shouldn't have shared details about the research with a third party (i.e. a friend). Navigating this social complexity can be difficult.

I have been put in situations time and time again where the toxicity of the situation leads to stress, mental health issues and worsens relationships in the long term. Sometimes, it's gotten so bad that I've blacklisted people and will never collaborate with them again (this works, but you have to be burnt once before you can employ it).

Anyways, that's all. I love collaborating with hackers but sometimes I have sour experiences that make me question why I do bug bounties in the first place. I know that prominent bug bounty hunters are conscious of this, and I am sure most prominent bug bounty hunters have a story where they have experienced this toxicity.

I'm not sure if platforms can do much about this, as this problem is closely tied to human nature. I'd be happy to hear if anyone has additional ideas around avoiding toxicity in collaboration, whether it's technology- or principle-based.