1/n, We need to stamp this rot out, e.g. "Before disclosing an issue publicly we require that you first request permission from us. Atlassian will process requests for public disclosure on a per report basis." on @Bugcrowd, /cc: @AmitElazari
2/n, "any publicly-made disparaging remarks with regard to grubHub will result in disqualification from the Program" on @Hacker0x01
3/n, Security research is just science and good science requires unfiltered dialog. I think heading towards a choice between $$ _or_ transparent, unfiltered publication is dangerous.
4/n (n == 4 :), It'll take some courage (possible revenue drop if overly conservative companies bail) but the key bug bounty platforms, possibly in unison, need to lead and block anti-transparency or anti-science terms from VDPs.
Replying to @scarybeasts
When I was at @PayPalInfoSec, we made sure that our terms allowed publication of findings after the issue was fixed. We believed (and I still do) that transparency lifts the ecosystem - all companies have security issues, trying to hide them only helps the bad actors.

May 23, 2018 · 5:55 PM UTC