X Refuses to Pay Bug Bounty On Critical Vulnerability, Kicks Out Whitehat Instead

X is broke and broken, everyone seems to already know that. But is it broke because it’s broken, or broken because it’s broke? It seems the platform, under the helm of owner Elon Musk, just can’t keep itself from making bigger problems. Now, it’s refusing to pay whitehats in its bug bounty program.

One such whitehat is X user @rabbit_2333, who found an XSS vulnerability in the platform’s analytics subdomain that can basically let hackers take over any account. @rabbit_2333 claims that he reported the massive vulnerability but X dismissed the report, saying they’d known about it for a year and were already addressing it, adding it “decided that this report is not eligible for a bounty.”

This was when @rabbit_2333 decided that if X can shrug this bug report off, then he (or she) can break protocol and make the discovery public. 

Also, if X had known about it for a year and haven’t fixed it, then it must be not that big of a deal, right? After @rabbit_2333 posted about the vulnerability and it went around developer circles, Chaofan Shou, co-founder of the smart contract analysis platform Fuzz.Land, posted a demo of just how potentially critical the bug is.

Shortly after, X patched the vulnerability … and kicked @rabbit_2333 from their bug bounty program for violating the HackerOne code of conduct for posting about the vulnerability.

Bug bounty programs are a way for companies and developers to reward ethical hackers or whitehats for successfully discovering and reporting bugs or vulnerabilities. It lets companies, like X, privately engage the hacker community to, well, get the bugs out, and improve the security of their systems.

So if, especially at their stripped-down state with fewer developers, they’re no longer compensating ethical hackers — even for something as critical as the vulnerability that @rabit_2333 spotted — just imagine what else could go wrong.

But yeah, Musk thinks advertisers leaving is Media Matters’ and the mainstream media’s fault.

Information for this story was found via X, and the sources and companies mentioned. The author has no securities or affiliations related to the organizations discussed. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.

Leave a Reply