Educause Security Discussion mailing list archives
Re: Open Bug Bounty?
From: "Jimenez, Julio" <jjimene2 () UNCFSU EDU>
Date: Mon, 27 Jun 2016 19:45:17 +0000
Shane,

If the bug bounty notice you received contains real vulnerabilities and you didn't request it, then that's not cool. Similar to a "cold call" from a vendor, this is like a cold-scan or a cold-pentest on your sites. A lawsuit and/or criminal case waiting to happen.

The bug bounties I've participated in have very specific parameters set by the company on what and how you can pentest. These are normally conducted via third-party sites like Bugcrowd and HackerOne.

Julio Jimenez
Information Security Engineer
ITTS
Fayetteville State University

Sent from Outlook

On Mon, Jun 27, 2016 at 3:29 PM -0400, "Shane E Williams" <shane.williams () UTEXAS EDU> wrote:

> We received a notice from Open Bug Bounty (openbugbounty.org) recently, and I notice that many of the latest submissions listed on their pages are educational institutions. Does anyone have experience with and/or opinions about this program?
>
> In many ways, I think what they're doing might be a good thing, but I have no information or experience with which to make a trust assessment. And I can't help but be struck by how similar it feels to the old "someone you know has shared an opinion about you, sign up to find out more" websites/spam.
>
> --
> Shane Williams
> Senior System Administrator
> Dept. of Computer Science, University of Texas at Austin
> shanew () cs utexas edu - 512-471-0026