Conversation

We’ve been criticized for not having a 3rd party run our bug bounty program but this is exactly why we run it ourselves. Resubmitting bugs for the bounty is the least bad thing that can happen. Worst case, the stolen bugs are sold to more serious hackers or directly exploited.

Quote Tweet

Runa Sandvik

@runasand

· Jul 1

A HackerOne employee accessed vulnerability data of customers, then re-submitted the security issues to the same customers for personal gain. Interesting report by @Hacker0x01 on the incident and investigation. hackerone.com/reports/1622449

Show this thread

7:38 PM · Jul 2, 2022Twitter for iPhone

Replying to

Exchange rankings like

@cer_live

give you double points for hosting your bug bounty with a 3rd party, incentivizing bad behavior. Those scores are repeated by

@coingecko

and others. Good list of who's at risk: cer.live

Replying to

Bug bounties are a very serious thing, why do people use 3rd parties for it?

OnChainDreamer

@OnChainDreamer

Jul 2

in theory you delegate: . two side reputation check . dealing with bureaucracy . filtering duplicates . avoiding back and forth when getting details . report standardization etc in practice you still have to do all those things, and now you have to pay a fee to the platform 🫡

Replying to

Will you be adding multiple hardware key slots if we want to add more than just one key.

Jesse Powell

@jespow

Jul 2

Yes, this is a personal feature request of mine.

Replying to

It’s probably the vaccine’s fault

Replying to

Proof of reserve should also be certified by a reputable third party especially now

moonsettler

@4moonsettler

Jul 2

wat? the whole point of proof of reserve schemes is every user can verify for themselves that they are correctly included in the merkle tree committed to publicly.

Show replies

Replying to

Rightly put. Hey Jesse, Just applied on the website. Let me know. Thanks

Replying to

👀