How does being rude with personal attacks help your case at all? (On a purely emotional level, it even makes me want to side with Uber for this)
> Oh my God. Are you seriously the Program Manager for Uber's Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting? LULZ (https://hackerone.com/reports/293359#activity-2203160)
Are you familiar with the freelancers' concept of "fuck you, pay me"?
I guess that's how the first part works. There are things you can try, and there are other things. Messing with freelance pen testers is clearly one of the latter.
Given the nature of the game I'd say that's a mild response. On a scale of 0 to 10 that would rate a 3 or so. If there is one group I'd really avoid pissing off it would be pentesters.
The freelancers' "fuck you, pay me" is based on very clear contracts and respectful communication, even when things go bad. This is not what's happening here AFAICS.
The minimum payout is subject to various conditions — for example, not being a duplicate. The author did not meet those conditions, and resorted to personal attacks instead of keeping things professional.
Uber has many, many problems as a company, but on this matter I can't say they're in the wrong.
Clearly doesn't help his case, but it's not really material to whether they should pay out or not. Why didn't they disclose the one that most everyone here agrees was an obviously-qualified-for-payout vulnerability?
This seems unnecessarily callous. The writer was incredibly insulting to a person in a public forum, but that's ok because "well they worked for Uber"?
I don't see this discussion as about whether a corporate PR team is allowed to issue a response. It's about the author childishly lashing out at an individual because he didn't agree with their decision.
Irrelevant. If he found these bugs, even if he’s been a dick about it then he still found a bunch of vulnerabilities that Uber was exposed to. Pay the man, it’s a few thousand dollars as opposed to a major exploit!
But that's my point. Of course he deserved a payout if he reported a previously unknown vulnerability. What I'm saying is that he (appears to have) behaved in such a toxic way (sow) that someone denied something he deserved (reap). All parties in this are squishy humans with emotions.
No one looks good - he doesn't look good for how he behaved/communicated, Uber doesn't look good for denying the payout on a valid report, and HackerOne doesn't look good for not enforcing a minimum payout on a valid report.
> So these tickets get assigned to Rob Fletcher with Uber’s security team.
Unfortunately, at least for me, this comes off as public shaming.