Educause Security Discussion mailing list archives

Re: Open Bug Bounty?


From: "Jimenez, Julio" <jjimene2 () UNCFSU EDU>
Date: Mon, 27 Jun 2016 19:45:17 +0000

Shane,

If the bug bounty notice you received contains real vulnerabilities and you didn't request it, then that's not cool.  
Similar to a "cold call" from a vendor, this is like a cold-scan or a cold-pentest on your sites.  A lawsuit and/or 
criminal case waiting to happen.

The bug bounties I've participated in have very specific parameters set by the company on what and how you can pentest.  
These are normally conducted via third-party sites like Bugcrowd and HackerOne.

Julio Jimenez
Information Security Engineer
ITTS
Fayetteville State University



On Mon, Jun 27, 2016 at 3:29 PM -0400, "Shane E Williams" <shane.williams () UTEXAS EDU> wrote:

We received a notice from Open Bug Bounty (openbugbounty.org) recently, and I notice that 
many of the latest submissions listed on their pages are educational institutions.  Does anyone have experience with 
and/or opinions about this program?

In many ways, I think what they're doing might be a good thing, but I have no information or experience with which to 
make a trust assessment.  And I can't help but be struck by how similar it feels to the old "someone you know has 
shared an opinion about you, sign up to find out more" websites/spam.

--
Shane Williams
Senior System Administrator
Dept. of Computer Science, University of Texas at Austin
shanew () cs utexas edu - 512-471-0026