Hacker News
by thisisit 3101 days ago
not to mention linking someone's social profile in a blog post about a company:

> So these tickets get assigned to Rob Fletcher with Uber’s security team.

Unfortunately, at least for me, this comes off as public shaming.


Are you familiar with the freelancers' concept of "fuck you, pay me"?

I guess that's how the first part works. There are things you can try, and there are other things. Messing with freelance pen testers is clearly one of the latter.

Given the nature of the game I'd say that's a mild response. On a scale of 0 to 10 that would rate a 3 or so. If there is one group I'd really avoid pissing off it would be pentesters.
The freelancers' "fuck you, pay me" is based on very clear contracts and respectful communication, even when things go bad. This is not what's happening here AFAICS.
"Minimum payout of $500" sounds like a very clear contract.

Once they have shadowbanned the author, IMO, any attempt at respectfulness is violated by bug bounty organizers.

Maybe there are things more rude than shadowban, but I'm not aware of such.

The minimum payout is subject to various conditions — for example, not being a duplicate. The author did not meet those conditions, and resorted to personal attacks instead of keeping things professional.

Uber has many, many problems as a company, but on this matter I can't say they're in the wrong.

Well, it doesn't seem like the last report was a duplicate.

The one they failed to recognize as XSS. If they paid for that one there would be no blog post and no name calling.