Pwn2Own competition rules are flawed. I am happy to announce that I will start a better owning competition (without BS rules) later this year or next year. More details will be published soon. https://twitter.com/ihackbanme/status/1108529066703908864 …
Replying to @ihackbanme
The rules have good reasons though: they need some way to disincentivize people submitting the same bug to different parties and "double dipping", so the general rule is only the first counts. If you award anyway, they can submit it everywhere and you get old bugs for your money.
Replying to @taviso
1. There's no transparency from the vendors that can say "we already knew about a bug": as long as it's not fixed (even in a beta version), just knowing doesn't mean anything. 2. Old bugs are also meaningful for defensive purposes IMO; it depends on what the usage is.
Replying to @ihackbanme
What transparency do you propose? If it has to be patched, then you just share the bug with a friend and submit it simultaneously and get double the award. I know the people who run these programs have game-theoried this stuff to death.
Replying to @taviso
If it's patched in a beta, that's transparent. Otherwise, when they publish the release notes, adding the submission date is also acceptable. In Apple's case there's no double earning since there isn't really a bug bounty program AFAIK. And yes, of course, hackers gonna hack :)
Some vendors are already open about it after a patch is available, others never will be (a cynic might say they don't want anyone to know how long they sat on a vuln), but I don't see the benefit: you still have to trust the vendor to be honest.
If it works on the latest version, it's a win!