@alex_02 @WPalant @thisismissem I agree, but the reality is that you are better off just ditching that vendor if they won't fix the issue. Then why not publish the issue anonymously? If you aren't going for a bug bounty, what is there to gain by attaching your name to it?

@tklengyel so your proposal is that when someone finds a severe security issue they should just stop using the service themselves then anonymously publish it publicly?

I suppose that is one way of doing things “fuck every company that won’t pay me for finding an issue”.

Though, overall, this would result in more vulnerabilities being exploited instead of fixed before they are exploited by bad actors.

@alex_02 @WPalant @thisismissem

@Clover

I think it would, and rather quickly, result in a lot more bug bounty programs.

@tklengyel @thisismissem @WPalant

@nbkt Bug bounty programs aren’t the great solution you seem to think they are. For way too many companies it’s just another way of covering their ass without actually doing anything. Almost every bug bounty program prohibits you from publishing your results until the issue is fixed; often enough you cannot publish without permission even after that. And if the vendor takes years to fix (which they do quite frequently because nothing is stopping them), or if they even reject your submission under some pretense, you are out of luck: there is no legal way for you to publish anymore. I pretty much never report issues via bug bounty programs because of that.

@Clover @tklengyel @thisismissem @alex_02