Can bounty hunting cause real damage?
Sure. As you pointed out, some attempts at SQL injections may inadvertently cause data deletion. Similarly, a persistent XSS attack may affect other real users. Or unexpected characters in a username may crash a web application backend due to an unrecoverable error.
More generally, a large part of black box pentesting involves experimenting with unexpected/invalid input to the target application. There is usually some level of fuzzing which always carries a risk of causing behavior that breaks the application or corrupts data. So, while blindly trying out
DELETE queries may be reckless and is certainly avoidable, you’ll have to expect that even benign bug hunting occasionally impacts service integrity or availability.
Did a bounty hunter ever cause actual damage?
This report is an example of where the researcher caused a DOS by submitting invalid data. I’m entirely sure there are more severe examples, many of which simply weren’t made public.
How do bug bounty programs manage this risk?
A testing environment. While some bug bounties assume you’re testing against production, many provide a separate sandbox and only allow you to test there. E.g., the program of Bitmex includes the rule:
Only test on testnet.bitmex.com.
A “responsible research” policy which asks that hunters make an effort to avoid damage. E.g., Facebook’s program demands:
You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
An emergency contact point. Some providers instruct hunters how to notify them immediately if their actions caused service disruption. From the program of Exodus:
If you do accidentally cause some noticeable interruption of service, please immediately email us so we can handle it accordingly firstname.lastname@example.org and please include the subject title “HackerOne Outage: ” for the alert to trigger.
In return, many program policies come with a safe harbor clause. This is intended to protect hunters from liability if they act in good faith, even if their actions caused damage. Since IANAL, I can’t comment on the effectiveness of such a policy, but it’s an established practice. Here is an example of a safe harbor clause in the program of Dropbox:
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.