oss-sec mailing list archives
Re: Re: How to deal with reporters who don't want their bugs fixed?
From: Tristan Henning <tristan () customcrypto com>
Date: Mon, 22 Jan 2018 19:42:23 -0800
I don't know if you've all seen this, but, this is definitely how not to run a bug bounty.
http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf

And the /r/netsec discussion from reddit:
https://www.reddit.com/r/netsec/comments/7dc275/bug_bounty_hunter_walks_away_on_30k_bounty_from/

TL;DR: A researcher found major infrastructure issues and, after clarification of scope, managed to compromise a very large part of DJI along with large amounts of PII. DJI sicced legal on him and he was forced to walk from a $30,000 bug bounty.
This document and story received a large amount of traction in the "hacking" community. How many bug hunters will be reporting issues to DJI in the future? My guess, not a lot...
-Tristan

On 1/22/2018 11:41 AM, Ian Zimmerman wrote:
> On 2018-01-22 17:20, Mikhail Utin wrote:
> > > Keeping it individual without public announced maximum embargo time would also help prevent folks from jumping to 0daying everything per default :)
> > However, to me it is pure "Security by Obscurity" in a bit different wording. It never worked. Simply think that somebody else knows the secret and with your help continues using that.
> I think you misunderstand the parent post. Nobody is proposing that the embargo period for any _particular_ issue be secret. The proposal in the parent post was to not have a public general embargo policy for _all_ issues present & future.