by Gasparila
2854 days ago
I had one experience reporting a security vulnerability to a bug bounty program and never want to do it again. I reported an issue to United Airlines that I could reset anybody's MileagePlus number by only guessing their Security Questions ("what is your favorite sport", etc.), bypassing any email confirmation or anything like that. After 3 months of back and forth with their security team, they released an Android update that patched the issue. I was then told "It turns out this fix was pushed by the QA team and was actually unrelated to your Bug Bounty submission" and that my submission was ineligible. Your mileage may vary, but the headache for me is not worth the payout.
Not anymore, thanks to your report :)