Date: Tue, 25 Sep 2018 15:57:44 +0200
From: Solar Designer <>
Subject: Re: bounties


Moderator hat on:

I'm sorry for the delay in the moderation decision on this one message.
We overlooked it at first for its spam-like Subject, only noticing what
it actually was when follow-ups started arriving today.

I am unhappy about the cross-post (this is against the published
oss-security guidelines, but it sometimes happens anyway), even though
this is what ultimately enabled the non-spam detection in this case.

I am also unhappy about the lack of focus on Open Source (but not total
lack of relation to Open Source, which is why the message is approved)
in this message and in follow-ups we might receive via full-disclosure.

While the original message looks like something we'd need to approve
despite the above issues (so I did), I currently have no plans to
approve any follow-ups we might receive via full-disclosure.  Currently
in the moderation queue, and not expected to be approved, are a very
brief reply by another person confirming Justin's criticism and giving a
link to the person's Medium blog post (at first look, only tangentially
related to Open Source - pertaining to proprietary products that use
Open Source components), Justin's reply to the reply (a rant and no
longer a question/request for other people's experience; also no mention
of Open Source nor any specific software nor vendor at all), and
Justin's out-of-context copying of a reply (repeatedly mentioning "rip
off") to a who-knows-what vendor about a who-knows-what product (these
things are not immediately clear from the message).  Even though not
approved here, there's a chance we'll see those messages on
full-disclosure, depending on that other list's moderators' decisions.

So quite possibly the thread on oss-security will end here, unless
someone will post something of greater relevance and/or higher quality
than what's in those follow-ups I mentioned above.

Personal hat on:

On Fri, Sep 21, 2018 at 09:12:15PM -0700, Justin Ferguson wrote:
> I was curious about people's experiences with bug bounties, particularly
> those through the prominent clearing houses for them. My experience is
> that I have been either ripped off or extremely slow-walked in payment
> that was substantially below the listed payout in every single
> instance. I'm curious how accurately that reflects other people's
> experiences.

I have very little experience, in part because I've never been hunting
for bug bounties.  I only recall receiving a bug bounty three times so
far, from three different vendors.  In the first case, I didn't know the
vendor had a bug bounty program (which was very uncommon at the time -
1999).  In the other two cases (in the 2010s), I was aware of the bug bounty
programs (and in one case went via HackerOne, as a test of that
platform, which worked perfectly) but the issues I was submitting were
clearly beyond scope, yet I was paid the bounties anyway.  The amounts
were moderate, but it was very kind of those vendors to offer anything
at all.  So no complaints from me.

I do hear that others have all sorts of different experience.  There's
also criticism from many vendors about the behavior of bug reporters.
Once a vendor offers a bug bounty, they commonly receive lots of crappy
reports, accusations, etc.  Unfortunately.  (Yet by saying this I don't
mean to defend any vendor not honoring their bug bounty terms.)

