I don't understand why so many bug bounty programs just outright ban public disclosure. Which do you think looks better for you - researchers who'll talk about how responsive you were, or researchers who'll just drop 0-day because you wanted to forbid them from talking about it?
Bluntly, the benefit to my career in being able to discuss a bug publicly is almost certainly greater than the amount you're going to pay me.
End of conversation

New conversation
Exactly. This also allows silent bug fixing. Or no fixing at all. To their own liking. The burden to be "responsible" is shifted to the researcher only. They can get away with the fixing part as it is not public, while being praised for running a bug bounty. I'm done with it.
New conversation
I complained about the netgear bug bounty T&Cs at defcon this year while I also spoke about some bugs https://youtu.be/MD9zS1GMlK8?t=1442 … It was a pain to get them to do anything over email rather than through the bug bounty. I'm not entirely sure if they've even fixed the bugs tbh
How long until the “we take security seriously” ... in 3 .. 2 .. 1