With our bug bounty program we also state that researchers should not access customer data or interrupt normal operation of the services. If their testing is believed to impede normal operation we can provide separate servers for testing purposes.
We also provide a test account which researchers can use if they wish to attempt to modify or read private information. They should stick to that data, and I'd encourage other bug bounty programs to do similarly.
In my eyes this researcher should've stopped as soon as they started seeing private data and reported it; it sounds as though they continued to read private information well after they realized it was private data they were viewing.
I realize not every bug bounty program plays fair. We look specifically at our bug bounty triage team (via the platform we use) to make sure we are treating researchers fairly and that researchers are obeying the agreed upon rules. They're the neutral third party in our eyes. They keep us honest and researchers honest. At least that's how I approach it all.
That’s cool. It’s so important for bounty programs to have a systematic way to approach awards. The security researcher community overall is very cool, but there are definitely some assholes and bottom feeders out there that can get under your skin and introduce bias in your decisions.