SoylentNews is people

posted by Fnord666 on Tuesday April 07 2020, @07:29AM
from the shush-your-mouth dept.

Arthur T Knackerbracket has found the following story:

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."

Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.

"Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security," Robert Graham of Errata Security tells CSO.

Leitschuh, the Zoom bug finder, agrees. "This is part of the problem with the bug bounty platforms as they are right now. They aren't holding companies to a 90-day disclosure deadline," he says. "A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence."

  • (Score: 2) by jmichaelhudsondotnet (8122) on Tuesday April 07 2020, @02:03PM (#979959)

    I drove them away by pointing out there was no one here willing to say real shit, and that the major posters were clearly shills.

    Better silence than a shill farm barking at each other.

    But I noticed that too. Why care about a community and an idea when it is so easily subverted?

    It is however nice to know I won't be censored, but if anyone believes what I am saying, and I believe they do, they are right to not post here with their real names.

    It is too late for me, I can have no anonymity, I am committed to public interest work, and have been on the lists for 20 years getting f'd with, and to this very day.

    The number of positively human responses I have received in the year I have been posting here I can count on my fingers, and they have all been anons. Fusta demonstrated he can read my private email by mentioning a very specific old movie within 24 hours of the email I sent. He also demonstrated keen interest in a story from my high school days with a girlfriend that appeared and then disappeared out of my high school class. Real actual spooky stuff.

    Being followed is not fun. Especially without money and when no one believes you.

    Check my new Twitter, @decultification