Why shouldn't full-disclosure'd bugs be eligible for NN% of the reward? (looking for strong arguments against it)
Full disclosure means 24x7 effort by the company to patch, an investigation to see if it was ever exploited, and it may take their revenue source offline for some duration. No company wants a hard hit like that, so why would the company then turn around and reward the person responsible?
You’d also need a “no exploit” clause to prevent someone from disclosing, then immediately exploiting it, to double-dip. Unless the company is superhumanly swift, there is a raised likelihood it will be exploited, causing no payout anyhow.

Jul 22, 2019 · 11:15 AM UTC

I wonder what the strong argument is for paying anything on full disclosure? Just to get the report of a bug? With full disclosure, you get it for free, unless you believe the reporter wouldn’t disclose at all?
Why would the company reward the discoverer of a vulnerability? Because it's better to know about a bug than to not know about it. It still improves the security of the product in the long term, since it allows the company to search for (and fix) variants, which it otherwise wouldn't.