Date: Mon, 22 Jan 2018 19:42:23 -0800
From: Tristan Henning <tristan@...tomcrypto.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: How to deal with reporters who don't want their bugs fixed?

I don't know if you've all seen this, but this is definitely how not to 
run a bug bounty.

http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf

And the /r/netsec discussion from reddit

https://www.reddit.com/r/netsec/comments/7dc275/bug_bounty_hunter_walks_away_on_30k_bounty_from/

TL;DR
A researcher found major infrastructure issues and after clarification 
of scope managed to compromise a very large part of DJI along with large 
amounts of PII. DJI sicked legal on him and he was forced to walk from a 
$30,000 bug bounty.

This document and story received a large amount of traction in the 
"hacking" community. How many bug hunters will be reporting issues to 
DJI in the future? My guess, not a lot...

-Tristan

On 1/22/2018 11:41 AM, Ian Zimmerman wrote:
> On 2018-01-22 17:20, Mikhail Utin wrote:
>
>>> Keeping it individual without a publicly announced maximum embargo time
>>> would also help prevent folks from jumping to 0daying everything per
>>> default:)
>> However, to me it is pure "Security by Obscurity" in a bit different
>> wording. It never worked. Simply think that somebody else knows the
>> secret and with your help continues using that.
> I think you misunderstand the parent post.
>
> Nobody is proposing that the embargo period for any _particular_ issue
> be secret.  The proposal in the parent post was to not have a public
> general embargo policy for _all_ issues present & future.
>
