Date: Fri, 21 Sep 2018 21:12:15 -0700
From: Justin Ferguson <justin@...c.co>
To: oss-security@...ts.openwall.com
Cc: fulldisclosure@...lists.org
Subject: bounties

Hello,

I was curious about people's experiences with bug bounties, particularly those through the prominent clearing houses for them. My experience is that I have been either ripped off or extremely slow-walked in payment that was substantially below the listed payout in every single instance. I'm curious how accurately that reflects other people's experiences.

In the first series of findings, the vendor, a popular open source component, simply patched the bugs and refused to close the tickets triggering payout for over a year. Attempts at resolving this through the clearing house's support produced an endless series of excuses, mostly revolving around their not having any insight into their own database (which is probably true). After a year or so, the ticket was finally closed and the payout was several hundred dollars less than the enumerated payout. I refused the bounty citing these complications and insisted that the finding was a work for hire that was rejected, and requested that the patch be reverted as a result, which was just ignored.

In the second series, the vendor, a prominent hardware company, stated that a one-line fix with no usability impact (the patch is to move the line up one line so that it is included in the mutex lock) was found and "partly fixed" over a month prior and that a full patch should be released soon. That was several months ago and, looking through their reports, their public repositories, et cetera, it appears to be totally and entirely something they made up, as the bug still exists. This meshes with my thoughts that there even was such a thing as a partial fix for x() mutex.lock() vs mutex.lock() x();.

In the third instance, the vendor, an anti-virus vendor in Europe, stated that they were not able to reproduce the issue and didn't see any issue. There were multiple things reported to them and their circumstances were different, as a context switch meant I was turning in incomplete work just to attempt to get the issues patched. After months of them coming back and asking the same question repeatedly, being told the same answer repeatedly and continually ignoring very basic questions about their attempts to reproduce, they closed the matter as not reproducible. Upon further review, they could not have possibly reviewed anything, as the issue is blatantly clear and obvious, implying that they must not have even looked at the matter. In additional findings reported to them, they've outright ignored the matter entirely.

Thus, my experience has thus far been that bounties, particularly those through the clearing houses, are basically enabling a 1990s pre-full-disclosure series of processes under the pretense of the opposite, but in practice mostly just ripping works for hire off. This clearly isn't the case across the board, but it's been true in every instance of my participation.

-me
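The post's second case turns on a one-line ordering bug: a call made just before the lock is acquired instead of inside the critical section. The following added example (not code from the post or from any vendor named in it; the shared state, worker loop and constants are constructed) shows why that ordering leaves the lock protecting nothing the call touches, and why the correct version gives an exact count while the other can silently lose updates. Assumed names: `x()` stands in for the unspecified operation, `run()` drives the threads.

```c
#include <pthread.h>
#include <stdio.h>

/* Constructed parameters: enough contention to make lost updates likely. */
enum { THREADS = 8, ITERS = 20000 };

struct shared {
    pthread_mutex_t lock;
    long count;   /* how many units of work have been recorded */
    long sum;     /* running checksum derived from the recorded count */
};

/* x(): a read-modify-write on shared state. It is only safe when every
 * caller holds s->lock across the whole read/compute/write sequence. */
static void x(struct shared *s)
{
    long c = s->count;   /* read */
    s->sum += c;         /* compute from the stale read */
    s->count = c + 1;    /* write back; a racing thread's increment is lost */
}

struct arg { struct shared *s; int call_inside_lock; };

static void *worker(void *p)
{
    struct arg *a = p;
    for (int i = 0; i < ITERS; i++) {
        if (a->call_inside_lock) {
            /* Correct ordering: mutex.lock(); x(); */
            pthread_mutex_lock(&a->s->lock);
            x(a->s);
            pthread_mutex_unlock(&a->s->lock);
        } else {
            /* Buggy ordering from the post: x(); mutex.lock();
             * The lock is taken after the unprotected access, so it
             * serializes nothing that x() reads or writes. */
            x(a->s);
            pthread_mutex_lock(&a->s->lock);
            pthread_mutex_unlock(&a->s->lock);
        }
    }
    return NULL;
}

/* Run THREADS workers with the chosen ordering and return the final count.
 * With the call inside the critical section the result is always exactly
 * expected_count(); with it outside, the result is nondeterministic and
 * usually smaller because increments are lost. */
long run(int call_inside_lock)
{
    struct shared s = { PTHREAD_MUTEX_INITIALIZER, 0, 0 };
    struct arg a = { &s, call_inside_lock };
    pthread_t t[THREADS];
    for (int i = 0; i < THREADS; i++)
        pthread_create(&t[i], NULL, worker, &a);
    for (int i = 0; i < THREADS; i++)
        pthread_join(t[i], NULL);
    return s.count;
}

long expected_count(void)
{
    return (long)THREADS * ITERS;
}

int main(void)
{
    printf("mutex.lock(); x();  -> %ld of %ld\n", run(1), expected_count());
    printf("x(); mutex.lock();  -> %ld of %ld\n", run(0), expected_count());
    return 0;
}
```

Build with `cc -pthread race.c -o race` (assumed file name). There is no meaningful "partial" state between the two orderings: either the whole read-modify-write sits inside the critical section or it does not, which is the point the post makes about the claimed partial fix. Running the binary under a thread sanitizer (`-fsanitize=thread` on gcc/clang) flags the buggy ordering deterministically even on runs where the final count happens to come out right.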