SoylentNews is people
SoylentNews
Arthur T Knackerbracket has found the following story:
Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."
Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.
"Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security," Robert Graham of Errata Security tells CSO.
Leitschuh, the Zoom bug finder, agrees. "This is part of the problem with the bug bounty platforms as they are right now. They aren't holding companies to a 90-day disclosure deadline," he says. "A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence."
(Score: 2) by Grishnakh on Wednesday April 08 2020, @02:21PM
Again, this doesn't prove that the first person to disclose to the company and receive the bounty is the same person passing it on. It's entirely possible for independent parties to discover the same vulnerability. All the discloser has to do is make sure his write-up on the bug-sharing system isn't written the same way (perhaps find a friend to rewrite it) and doesn't have any obvious details that make it unique.