Ask HN: Bug Bounty Dilemma – Take the $$ and Sign an NDA or Go Public?

  • Posted 3 days ago by deep_thinker26
  • 20 points
Hi everyone,

I recently found a high-criticality vulnerability in a listed consumer company in the UK. It allows unauthorized access to users’ private messages and even lets you impersonate other users on the platform.

They’ve offered a €1,000 bounty, but only if I sign an NDA that prevents any public write-up—even after the issue is patched.

I feel the bounty is too low for the impact, and asking to sign an NDA that prevents any public disclosure even post-fix feels like a big red flag.

I’m leaning towards declining the offer and doing a public write-up once the issue is fixed—but I’d really welcome opinions from others on what the right thing to do here is.

Thanks!

10 comments
