Date: Tue, 25 Sep 2018 15:57:44 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: bounties

Hi,

Moderator hat on:

I'm sorry for the delay in the moderation decision on this one message. We overlooked it at first for its spam-like Subject, only noticing what it actually was when follow-ups started arriving today.

I am unhappy about the cross-post (this is against the published oss-security guidelines, but it sometimes happens anyway), even though this is what ultimately enabled the non-spam detection in this case. I am also unhappy about the lack of focus on Open Source (but not a total lack of relation to Open Source, which is why the message is approved) in this message and in follow-ups we might receive via full-disclosure.

While the original message looks like something we'd need to approve despite the above issues (so I did), I currently have no plans to approve any follow-ups we might receive via full-disclosure.

Currently in the moderation queue, and not expected to be approved, are: a very brief reply by another person confirming Justin's criticism and giving a link to the person's Medium blog post (at first look, only tangentially related to Open Source - pertaining to proprietary products that use Open Source components); Justin's reply to the reply (a rant and no longer a question/request for other people's experience; also no mention of Open Source nor any specific software nor vendor at all); and Justin's out-of-context copying of a reply (repeatedly mentioning "rip off") to a who-knows-what vendor about a who-knows-what product (these things are not immediately clear from the message).

Even though not approved here, there's a chance we'll see those messages on full-disclosure, depending on that other list's moderators' decisions.

So quite possibly the thread on oss-security will end here, unless someone posts something of greater relevance and/or higher quality than what's in those follow-ups I mentioned above.

Personal hat on:

On Fri, Sep 21, 2018 at 09:12:15PM -0700, Justin Ferguson wrote:
> I was curious about people's experiences with bug bounties, particularly
> those through the prominent clearing houses for them. My experience is
> that I have been either ripped off or extremely slow-walked in payment
> that was substantially below the listed payout in every single
> instance. I'm curious how accurately that reflects other people's
> experiences.

I have very little experience, in part because I've never been hunting for bug bounties. I only recall receiving a bug bounty three times so far, from three different vendors. In the first case, I didn't know the vendor had a bug bounty program (which was very uncommon at the time - 1999). In the other two cases (in the 2010s), I was aware of the bug bounty programs (and in one case went via HackerOne, as a test of that platform, which worked perfectly), but the issues I was submitting were clearly beyond scope, yet I was paid the bounties anyway. The amounts were moderate, but it was very kind of those vendors to offer anything at all. So no complaints from me.

I do hear that others have all sorts of different experiences. There's also criticism from many vendors about the behavior of bug reporters. Once a vendor offers a bug bounty, they commonly receive lots of crappy reports, accusations, etc. Unfortunately. (Yet by saying this I don't mean to defend any vendor not honoring their bug bounty terms.)

Alexander