It's a nerve-wracking situation - one that we've all seen in the news too many times - that most teams would rather not deal with, especially if the hacker is demanding payment. After all, your team will have to spend time validating the bug, then see if the vulnerability is actually worth anything, and then figure out if the hacker is legit. And if the hacker goes rogue, then you'll be making the news - and not in a nice way.
Short of panicking or ignoring the potential threat, what you can do is more accurately assess how much a bug is worth with this guide. In it, we'll show you how vulnerabilities should be prioritized on a scale of 1 to 5 based on your organization's security maturity and whether a cash reward is warranted.
Armed with this guide, you and your team will have concrete steps for dealing with vulnerability findings, especially if you're thinking of setting up a responsible disclosure program or already have one and aren't sure of market rates for bugs.