Do you pay out to all of them? Do you make them sign an NDA without guaranteeing you'll pay them? Do you tell the 2nd, etc. discoverers to go away and hope they don't reveal it?
If you pay out to all of them, there's a strong incentive to leak info and collect multiple bounties for the same vulnerability.