Date: Mon, 22 Jan 2018 19:42:23 -0800
From: Tristan Henning <tristan@...tomcrypto.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: How to deal with reporters who don't want their bugs fixed?

I don't know if you've all seen this, but this is definitely how not to run a bug bounty.

http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf

And the /r/netsec discussion from reddit:

https://www.reddit.com/r/netsec/comments/7dc275/bug_bounty_hunter_walks_away_on_30k_bounty_from/

TL;DR: A researcher found major infrastructure issues and, after clarification of scope, managed to compromise a very large part of DJI along with large amounts of PII. DJI sicced legal on him and he was forced to walk from a $30,000 bug bounty.

This document and story received a large amount of traction in the "hacking" community. How many bug hunters will be reporting issues to DJI in the future? My guess, not a lot...

-Tristan

On 1/22/2018 11:41 AM, Ian Zimmerman wrote:
> On 2018-01-22 17:20, Mikhail Utin wrote:
>
>>> Keeping it individual without public announced maximum embargo time
>>> would also help prevent folks from jumping to 0daying everything per
>>> default:)
>> However, to me it is pure "Security by Obscurity" in a bit different
>> wording. It never worked. Simply think that somebody else knows the
>> secret and with your help continues using that.
> I think you misunderstand the parent post.
>
> Nobody is proposing that the embargo period for any _particular_ issue
> be secret. The proposal in the parent post was to not have a public
> general embargo policy for _all_ issues present & future.
>