FAQ

What SSD’s focus?

  1. Our focus is mainly operating systems, mobile and web browsers, we will buy most disclosures in and around our scope.
  2. Our scope changes with new and removed products – so what you see today may not be there tomorrow. Follow us on twitter for the latest scope changes.
  3. Our partners and vendors are usually looking for unknown vulnerabilities, so our focus is on Code execution, Command execution, Authentication bypass.

Why submit through SSD?

We broker vulnerabilities between researchers and companies.

Financially:

  • We pay more than bug bounty programs.
  • If a vendor does not have a bug bounty program – we are still interested in acquiring the vulnerability and reporting it to the vendor.
  • We believe researchers need to get paid for their effort and we are willing to offer higher rewards.

 

Administratively:

  • We will handle all the reporting process.
  • We will publish your research and attribute it per your instructions.

What if I want to stay anonymous?

A lot of our researchers choose to stay anonymous- it is up to you.

How much can I earn from working with you?

The amount paid depends on two different variables:

  1. How widespread is the software/hardware? Popular products typically reach higher amounts.
  2. How critical is the vulnerability? For example, if you find an unauthenticated arbitrary code execution vulnerability, you would be paid substantially more than for a Cross Site Scripting vulnerability.

What if I found a vulnerability and it is not on your scope?

We do accept bugs outside our list but will have to suggest it to the client first and get their approval before drilling down.

Got a vulnerability not on our scope? Send us an email, we can still help: contact@ssd-disclosure.com

What is your policy regarding privacy and confidentiality of researcher’s information?

We take the privacy of researchers very seriously and will never disclose any information to any third party (including customers) including any personal information about researchers such as names, aliases, email addresses, bank details, or any other personal or confidential information.

What is your submission process?

Submission process

  1. You send us a brief description of the vulnerability.
  2. We may follow up with questions.
  3. We sign a contract.
  4. You send us the vulnerability.
  5. Our technical team verifies the vulnerability.
  6. We contact the vendor.
  7. You get paid.
  8. The vulnerability is responsibly disclosed and published.

If the company refuses to pay, or unresponsive. Will you still pay the researcher?

  1. The vendor signs a contract with SSD – before we provide any disclosure information. In most cases, they will not back from a contract.
  2. In some cases, we will buy your findings without the company being involved since we use the product or feel it is appropriate to do so to ensure the safety of its users.

What is the difference between SSD and Bug Bounties or other similar programs?

  1. Many of the vendors we work with will not directly communicate with researchers rather are looking for companies like ours to provide them with the onboarding and act as a broker between the researcher and the company.
  2. We can usually get our researchers the highest compensation, as we have our name and trustworthy reputation.
  3. We acquire vulnerabilities for some vendors, even if the vendor is not interested in buying them.
  4. We believe the personal touch – your submissions are managed and handled by our client and tech teams.
  5. We give you the option to stay anonymous when submitting your findings. No strings attached.

How would a researcher benefit from reporting a vulnerability to SSD instead of reporting directly to the vendor?

  1. Most vendors will not pay for all types of vulnerabilities
  2. Many of our pay-outs exceed that which vendors will negotiate.
  3. In some cases, handling by vendors can go badly, with many examples are out there. We act as the buffer.

Do you have a standard report Template?

Use this template to speed confirmation of your discovery:

  1. Vulnerability Title
  2. Date of submission
  3. Description of Product (from vendor/site)
  4. Description of Vulnerability
    • 4.1 Title
    • 4.2 Product
    • 4.3 Version
    • 4.4 Homepage
    • 4.5 Binary Affected
    • 4.6 Binary Version
    • 4.7 Binary MD5
  5. Configuration Requirements
  6. Vulnerability Requirements
  7. Vulnerability Summary Information
    • 7.1 Vulnerability Class
    • 7.2 Affected Versions Tested
    • 7.3 Affected Versions Assumed (explain assumption)
    • 7.4 Unaffected Versions
    • 7.5 Affected Platforms Tested (Windows, Linux, 32bit, 64bit, 10 RS1, 10 RS2, 2016, Ubuntu, etc.)

For more information, email us at: contact@ssd-disclosure.com

Time for reply or payment?

We aim to sort all details regarding your disclosure (assuming all needed info is provided) in no longer than 14 days. In most cases, 7 days after the agreement is signed, your payment will be processed.

Do you have a referral program?

We welcome you to join our referral program where we reward you with up to $10,000 USD per researcher you refer & start working with us.

What if I have any other questions?

Send us an email contact@ssd-disclosure.com or PM/DM us on our social media channels– It’s that easy!

Do you have an RSS feed?