Back when I owned the bug bounty program at PayPal, I was adamant that researchers should be able to post their findings after it was patched. That’s how the community can collectively learn.
This is even better, do it! 💪
For the exemplar of "doin' it right", see Dropbox, who leave the researchers in control: dropbox.tech/security/protec…; Dropbox does not use the bug bounty to buy silence; neither does Dropbox reserve the right to take forever to fix.
Dec 4, 2020 · 4:32 PM UTC
