Why shouldn't full-disclosure'd bugs be eligible for NN% of the reward? (looking for strong arguments against it)
8
2
15
Full disclosure means 24x7 effort by the company to patch, an investigation to see if ever exploited, and it may take their revenue source offline for some duration. No company wants a hard hit like that, why would the company then turnaround and reward the person responsible?
1
1
You’d also need a “no exploit” clause to prevent someone from disclosing, then immediately exploiting it, to double-dip. Unless the company is superhumanly swift, there is a raised likelihood it will be exploited, causing no payout anyhow.
1
Replying to @bilcorry @sirdarckcat
I wonder what the strong argument is for paying anything on full disclosure? Just to get the report of a bug? With full disclosure, you get it for free, unless you believe the reporter wouldn’t disclose at all?

Jul 22, 2019 · 11:18 AM UTC

1
Replying to @bilcorry
Why would the company reward the discoverer of a vulnerability? Because it's better to know about a bug than to not know about it. It still improves the security of the product in the long term since it allows the company to search for (and fix) variants than if they wouldn't.
1
2
What if the vulnerability is exploited? This risk is why it would probably need to be NN% of the reward. In order to still encourage private disclosure, but without requiring secrecy as a precondition for a reward.
2
1
more replies