oss-sec mailing list archives

Re: Re: How to deal with reporters who don't want their bugs fixed?


From: Tristan Henning <tristan () customcrypto com>
Date: Mon, 22 Jan 2018 19:42:23 -0800

I don't know if you've all seen this, but this is definitely how not to run a bug bounty.

http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf

And the /r/netsec discussion from reddit

https://www.reddit.com/r/netsec/comments/7dc275/bug_bounty_hunter_walks_away_on_30k_bounty_from/

TL;DR
A researcher found major infrastructure issues and, after clarification of scope, managed to compromise a very large part of DJI along with large amounts of PII. DJI sicced legal on him and he was forced to walk from a $30,000 bug bounty.

This document and story received a large amount of traction in the "hacking" community. How many bug hunters will be reporting issues to DJI in the future? My guess, not a lot...

-Tristan

On 1/22/2018 11:41 AM, Ian Zimmerman wrote:
> On 2018-01-22 17:20, Mikhail Utin wrote:
>
>>> Keeping it individual without public announced maximum embargo time
>>> would also help prevent folks from jumping to 0daying everything per
>>> default:)
>>
>> However, to me it is pure "Security by Obscurity" in a bit different
>> wording. It never worked. Simply think that somebody else knows the
>> secret and with your help continues using that.
>
> I think you misunderstand the parent post.
>
> Nobody is proposing that the embargo period for any _particular_ issue
> be secret.  The proposal in the parent post was to not have a public
> general embargo policy for _all_ issues present & future.
