undefined | Better HN

0 pointsgwd2y ago0 comments

> 1. The first is literally the first example of the article: real/important vulnerability disclosures get confused with beg bounties which dont need to be acted on / are not serious (most of the time). That can cause real harm.

I have a hard time sympathizing with this. Our project gets a handful of these "beg bounty" things a year; usually they're repeats -- SPF and "clickjacking" are common ones, but we also get other ones. ("You're exposing people's usernames through this weird JSON thing!" "Yes, we're also exposing people's usernames in the 'by' line of the post itself. There's nothing in that JSON that's not also available by just doing plain web scraping."). If we see a new complaint we always look at it to see if it's something we actually care about.

If you're working with pictures and audio of kids, or have details of people's activities that they may not want made public (like their taste in "Adult Fanfic"), there's absolutely no excuse for not looking at each report, even if 95% of them are low-value.

EDIT: I mean of course the "Report and then ask for a bounty" kinds, not the "Give me the bounty and I'll tell you the bug" kinds.

0 comments

2 comments · 1 top-level

davidgerard2y ago· 1 in thread

at $DAYJOB we get multiple beg bounties a week, it's a massive waste of everyone's time and it's literally never been a real issue.

whstl2y ago

At my previous job it was about 10 per days after we started having an official process. I gather that people would just Google us.

It was very easy to filter the bad reports, though. About 10 minutes of work per day, since most were repeated issues. We had a default "reply" email with information.

The issue however was those people would get extremely angry when their security issue was deemed invalid, so we started just blocking recipients that would threat us or demand payment for invalid issues. Some would stalk me and other developers in LinkedIn and would demand immediate payment. Of course that only happened about 4 times.

Another issue was caused when some invalid issues would get SO MANY REPORTS from automated scanners, that we would actually decide to change to prevent the reports. In some of those we actually paid and credited the first person, but then the other 30 would demand payment too and accuse us of lying.

Huge shitshow.

j / k navigate · click thread line to collapse