In r/bugbounty, hunters weigh the time cost and reputation impact of submitting low-severity IDORs, noting small payouts, triage friction, and frequent downgrades that can make reporting feel unrewarding.
Do you submit lows? Just found two IDORs that both expose minimal PII.
On one platform I'd get $1–40 for it 🤣 which might not even be worth the hassle of writing the report.
On the other platform it would actually drag down my impact rating.
I have generally only reported high and above, because I can't be arsed with dealing with triage for $200.
a token $50 "fuck you" awarded.