top | item 6839263


infosectosser | 12 years ago

I'm responsible for information security at one of the other startups listed on BugSheet. As a heads-up, you're going to want to ask bugcrowd.com to remove your company from their list [1], also. We saw a pretty steep increase in the number of daily reports when first listed (4-5/day to >30/day) and it appears someone recently added your company to their site.

I'll also echo what droopybuns stated - creating templates that can address preliminary communication (duplicates, request more info, accept, etc.) will greatly reduce the amount of time you feel as though you are wasting. Some people I know tend to ignore the crazy ones but I generally prefer the "kill them with kindness" approach. One email explaining that you do appreciate the time they spent trying to help secure your site can do a lot to prevent harassment and potential bad press.

Best of luck - responsible disclosure programs are never fun for the person sifting through the reports, but once in a while they do expose actual vulnerabilities, and on those days I'm happy we do it.

[1] https://bugcrowd.com/list-of-bug-bounty-programs

pwim | 12 years ago

Thanks for the advice. I noticed bugcrowd has a mailing list of 4,100 researchers who get notified when a new site is posted, so I hope it is not too late...