How Bug Bounty Programs Scam Hackers and Get Away With It!
Hi, my name is Sirat and I am an active hacker on the HackerOne platform.
Today I want to share this story and talk about some of the scam tricks currently used by bug bounty programs. I am sick of it, so I decided to write this story so that at least I can get rid of some of my rage…
A Short Reminder.
Bug bounty programs exist to improve security by allowing ethical hackers to find and report vulnerabilities before malicious attackers exploit them. The main goals are:
- Crowdsourced Security — More eyes on a system = more vulnerabilities discovered.
- Cost-Effective Testing — Companies pay only for valid findings, unlike full-time security audits.
- Proactive Defense — Fixing bugs before they become security incidents.
- Legal & Responsible Disclosure — Encouraging ethical hackers to report instead of selling exploits.
Hackers participate in bug bounty programs for several reasons:
- Financial Rewards — Bounties can be a full-time income or a side hustle.
- Recognition & Reputation — Building credibility in the security industry.
- Skill Improvement — Real-world hacking experience on live targets.
- Ethical Hacking & Impact — Helping secure systems instead of exploiting them.
A good bug bounty program and ethical hackers should operate in a mutual partnership where both sides benefit. Here’s how they should work together properly:
1. Clear Program Rules & Scope
🔹 Program’s Role: Clearly define what is in-scope, out-of-scope, and reward guidelines.
🔹 Hacker’s Role: Follow the rules, test within scope, and submit well-documented reports.
2. Fair & Transparent Triage Process
🔹 Program’s Role: Acknowledge reports quickly and have skilled triagers evaluate them fairly.
🔹 Hacker’s Role: Provide detailed proof-of-concept (PoC) and explain the impact clearly.
3. No Silent Patching or Unfair Dismissals
🔹 Program’s Role: If a report leads to a fix, the hacker should be rewarded accordingly.
🔹 Hacker’s Role: Give companies time to fix before disclosing responsibly.
4. Reasonable Communication & Response Time
🔹 Program’s Role: Respond within a reasonable timeframe and provide clear explanations.
🔹 Hacker’s Role: Be patient but persistent if something seems unfair.
5. Respect & Ethical Conduct
🔹 Program’s Role: Treat hackers with respect and not exploit their work for free.
🔹 Hacker’s Role: Act professionally, avoid unauthorized access, and report vulnerabilities responsibly.
What Happens When a Program Breaks This Trust?
- Hackers feel scammed and stop reporting vulnerabilities.
- Programs lose credibility, and security issues remain unfixed.
- Ethical hackers may be forced to expose unfair practices.
How Programs Scammed Me.
These stories are based on my experience and that of people I know; all of these scams happened on the HackerOne platform. I won't disclose any names.
The Indian scam.
The first scam I faced was a really embarrassing one by the program. It was a critical vulnerability in a pretty famous Indian program. I started by looking at the program scope before anything else, and I knew exactly what was out of scope (OOS) and in scope, so I wouldn't waste my time.
There was a login function on their web application, and the authentication was protected only by an OTP. It had a rate limit mechanism and I was able to bypass the rate limit. The vulnerability allowed me to take over any user's account without any user interaction, and of course I reported it.
A HackerOne triager reviewed the report and changed the status to Triaged. After a few hours another triager joined the report and closed it as Informative. "This is an out of scope vulnerability," the triager said.
What they mentioned in the out of scope list was "Missing rate limit/brute force attack", but my vulnerability wasn't that: I was able to bypass a rate limit that was used to secure a very sensitive function.
After getting shocked and writing many comments, no one replied to me, so all I could do was request mediation in the hope that HackerOne might help me.
After a few days the vulnerability was already fixed, and there was still no reply from anyone except HackerOne's support bot. After about 6 months I got an email from HackerOne mediation telling me the program is right and I'm wrong, and that what I reported is an OOS vulnerability…
Everyone who has good experience with bug bounty programs can tell this is a clear scam; what I reported was a valid vulnerability and it isn't OOS.
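The whole first dispute turns on the difference between a missing rate limit and a bypassed one. The following is an added example written for this page, not the program's code or the author's PoC. The post does not say how the bypass worked, so the example assumes the most common cause, a limiter keyed on a client-controlled X-Forwarded-For header instead of on the account under attack, and models the OTP endpoint, the account name and the addresses as constructed values. It shows that the limiter does block a naive brute force, that rotating the header walks the whole 6-digit space anyway, and that keying the counter on the account closes the hole:

```python
"""Toy model of an OTP login with a bypassable rate limit.

Constructed example, not the target's code: the bypass mechanism is assumed
(limiter keyed on the client-controlled X-Forwarded-For header).
"""
import hmac
import secrets
from collections import defaultdict

OTP_DIGITS = 6          # 10**6 possible codes
MAX_ATTEMPTS = 5        # verification attempts allowed per limiter key


class OtpLogin:
    """OTP issue/verify with an attempt counter keyed by `key_fn`."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.pending = {}                   # account -> current OTP
        self.attempts = defaultdict(int)    # limiter key -> attempts so far

    def issue(self, account):
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[account] = otp
        return otp  # a real system sends this via SMS/e-mail, never in the HTTP response

    def verify(self, account, guess, headers, remote_addr):
        key = self.key_fn(account, headers, remote_addr)
        if self.attempts[key] >= MAX_ATTEMPTS:
            return "rate_limited"
        self.attempts[key] += 1
        expected = self.pending.get(account)
        if expected is not None and hmac.compare_digest(expected, guess):
            del self.pending[account]       # one-time: a used code cannot be replayed
            return "ok"
        return "wrong"


def weak_key(account, headers, remote_addr):
    """Vulnerable: the 'client IP' is taken from a header the client controls."""
    return headers.get("X-Forwarded-For", remote_addr)


def strong_key(account, headers, remote_addr):
    """Hardened: count attempts per account, whatever the request claims about its source."""
    return f"account:{account}"


def brute_force(login, account, rotate_header, budget=10 ** OTP_DIGITS):
    """Guess codes in order; return the number of requests used, or None if blocked or out of budget."""
    for i in range(budget):
        headers = {}
        if rotate_header:
            # a new (spoofed) source address on every request
            headers["X-Forwarded-For"] = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        result = login.verify(account, f"{i:0{OTP_DIGITS}d}", headers, "203.0.113.9")
        if result == "ok":
            return i + 1
        if result == "rate_limited":
            return None
    return None


def demo():
    """Returns (blocked_without_bypass, requests_with_bypass, blocked_when_keyed_on_account)."""
    weak = OtpLogin(weak_key)
    weak.issue("alice")
    weak.pending["alice"] = "004242"   # fixed code so the run is deterministic
    blocked_plain = brute_force(weak, "alice", rotate_header=False) is None

    weak_again = OtpLogin(weak_key)
    weak_again.issue("alice")
    weak_again.pending["alice"] = "004242"
    used = brute_force(weak_again, "alice", rotate_header=True)

    strong = OtpLogin(strong_key)
    strong.issue("alice")
    strong.pending["alice"] = "004242"
    blocked_strong = brute_force(strong, "alice", rotate_header=True) is None
    return blocked_plain, used, blocked_strong


if __name__ == "__main__":
    print(demo())  # (True, 4243, True)
```

The middle value is the number of requests the attacker needed to hit the code with the header rotated: the limiter was present, it simply counted the wrong thing. A per-account counter is the minimum fix; in practice the code should also expire after a short window and the account should be locked or re-challenged after the limit is hit.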
The ghosting scam
Another scam: sometimes the program's report managers (triagers) just ghost you. I reported a critical logic flaw that allowed me to join any victim's organization with zero user interaction. HackerOne triaged it and the severity was changed to High. After about 2 weeks and almost 10 comments ("Is there any update?"), the program's triage team joined the report.
"Thank you, we are currently investigating the vulnerability," they said. The investigation took about 2 months with still no updates on the report; I wasn't even aware that the vulnerability had already been fixed. I requested HackerOne mediation and there was no reply from support. After about 4 months, the program closed.
The program's goal was only to receive some vulnerabilities from hackers, then ghost them, then close the program and get away with it, so they get free vulnerabilities.
The one who acts stupid.
There are triagers with something like 10 years of experience in cyber security, but when you submit an HTML injection they always request "Needs more information", and finally close the report because the vulnerability cannot be reproduced.
The out of scope scam, the common scam.
Some programs (I can tell you, almost all of them) use this kind of trick to scam hackers. What they do is put something like this in the out of scope section: "Third party websites such as blog.target.com are out of scope".
When you read this, you understand it could legitimately be out of scope, because they may not have control over such assets and cannot fix vulnerabilities on them.
So you are doing some recon and you find a leaked credential, such as an API token in a GitHub repository, that leads to a critical vulnerability in the target company, and you report it.
After the report is triaged by HackerOne, the program's triager comes in and closes it as N/A. Why? Here is what the comment looks like:
“Thank you for your report, we have mentioned third parties as out of scope.”
So they use the out of scope mention as a trick to not accept the vulnerability, and of course the very next day the vulnerability is fixed. When you ask why they fixed it, they say they haven't done anything. WOW, what a miracle! The vulnerability fixed itself right when you reported it…
The N/A scam.
Using N/A to avoid paying. This happens to me a lot: when you submit a valid vulnerability, sometimes the scammers don't want to fix it and just leave it like that, and sometimes when they want to fix it without paying, they scam you by closing your very valid vulnerability as N/A.
They close it as N/A because they know you care about your signal, especially if you have a high signal; they know that works in their favor. You start begging them to change the status to Informative instead of accepting the vulnerability, and by this the vulnerability is forgotten, but the very next day or month it is fixed by a miracle.
Does requesting mediation really work?
There are tons of scam types done by bug bounty programs, and HackerOne mediation is always on their side. Let me give you one recent example.
A few days ago I submitted a High severity report to a public bug bounty program; it was accepted and they paid for it, very fortunate. The very next day I found another vulnerability on another one of their assets. It wasn't the same bug, but it had the same impact; I also got paid for it and it was also a High severity bug.
After about a week I found another similar bug, on yet another asset of their program, with the same impact and again High severity, and I reported it.
One of the very famous HackerOne triagers, known as the N/A guy who always closes reports as N/A, joined the report, requested more information and asked me to explain how it works. After I answered about 4 "Needs more information" requests, he didn't know how to make the vulnerability useless, so he closed the bug as Informative. "It is a self issue," he said, while I had a PoC that showed the bug worked globally, and he watched it twice.
What did I do? Of course, another useless mediation request. The next day the support team replied and told me this is an out of scope bug in the program, while it is not; this bug was not even mentioned in the OOS list.
I have many mediation requests that I submitted last year, and many of them were closed without any response. Mediation is very much controlled by the programs, their customers; they cannot break their customers' hearts.
How to detect and avoid scammer programs?
There are some red flags, for example: their response efficiency is very low, they put too much stuff in OOS, there are many rules, etc.
I believe that working on programs that allow disclosure is better. There have been scammers who told me not to disclose my report for bullshit reasons, but at least you can share the story on Medium or anywhere else.
Sometimes you just have to let it go…
What should change?
We need a platform that really supports its hackers and loves its hackers. What I see in current platforms is that they don't really care about hackers; all they care about is the customer…
It should be possible to add a review feature, just like how you go to a restaurant and give it a star rating. I do believe such a feature could make things much better: with a single review of a program, hackers could know the program's reputation and whether it is worth spending time on.
I Respect Everyone
I hope bug bounty moves to its best level, and I hope I can see things getting better.
I really don't hate anyone and I enjoy HackerOne, but when things get bad they don't work as they are supposed to, and things become terrible on that platform. I haven't disclosed any program names, but only for now.
This story is for everyone who believes they have been scammed by those bug bounty programs, and also for programs who think hackers are rocks and don't mind such stuff.
I hope this story will be a useful source for everyone, and I hope one day everything will be better. Thanks.