Sunday, August 18, 2013

Yo Bug Hunter, whatcha going to do if your confirm-a-bug got rejected?!

Hi guys, Its been a while. Lately there's a havoc regarding a person named Khalil got his Facebook Bug submission got rejected. In case you dont know it yet, read it Here Hmm..this case quite similar to the 13 year old guy that got his Paypal bug rejected previously.But this 13 year old bug afaik, his bug already found by somebody else. But still, since both of them (Khalil and this guy) make a Public Disclosure, the Bug Bounty Program might get some impact on it. Maybe researcher will try to avoid to join their BB program after this. I did give a comment on this when Casey the founder/CEO of Bugcrowd ask in one of FB Group.


To be honest, even I had some experiences when my bug rejected not just from Facebook,also from Paypal,Google and even Bugcrowd! :P Why this happen? For sure these are some reasons why mine got rejected;

1 - Not in scope. Rules violation
  Read the rules first to check what is in scope and what is not!!

2 - Lack of techies step to let their side to reproduce the bug.
 Please,their side need to counter at least more than 100+ reports per staff..so,we want their reward, we need to help them as well.

3 - The impact is not worth to be called as bug!
 Here are some shots for my rejected bug.

So, whose fault? I dont blame much to any side. Just took it as another experience with BB program. So next time I wont repeat the same thing. But, in case your bug is really a BUG! and they said it as "Not a Bug" or "No Impact", proof to them! As what happen to me recently with Paypal BB Program. I found a Self/Stored XSS in Paypal's domain and give them the step to repro it as usual. But, this what I got in my latest status update!


My bug claimed by them as invalid?!! I ask them and this is their reply.



Because I dont really agree with them, I ask them to recheck on it with a more details on the issue. I got a good response from them, and they ask me to show the impact with a proper step. I did,and this is the result;


Now I can sit back and relax..time to hunt another bug..soon.. :)