Kaspersky VPN blabbed domain names of visited websites – and gave me a $0 reward, says chap
Found on The Register on Friday, 10 August 2018
The antivirus giant duly fixed up the blunder when a researcher reported it via the biz's bug bounty program – for which he received zero dollars and zero cents as a reward.
A spokesperson for Kaspersky Lab has been in touch to say the VPN tool is completely outside the scope of the bug bounty.
Obviously that bug was realistic and serious enough to get patched, yet Kaspersky still claims that it's not worth a single cent. That leads to a pretty simple conclusion: it's better to try to sell bugs and exploits (at least for Kaspersky products) to blackhats instead, who do value your discoveries.