Hacker News
by ohithereyou 2301 days ago
The market for a freelance security researcher out there is hard, no doubt, but disclosing bugs publicly is an addition to your resume, akin to any other professional development you do. It demonstrates you can do the work and it shows the skills you have.

Suing someone for disclosing an actual bug is a long-term losing proposition for any company in a competitive industry.


> but disclosing bugs publicly is an addition to your resume

Request disclosure on hackerone then. Idk, breaking the law to get a job doesn't seem ok to me.

The screenshot in #2 does show the H1 Staff screwing up -- @cybernews requests disclosure and gets a response saying "you may request disclosure if you would like this reviewed, using the drop down menu" (which @cybernews has already done).

@cybernews' behavior in that thread isn't ideal, but they're more in the right than in the wrong on that one, judging by the screenshot.

I'm not talking about this case specifically.

At least PayPal was notified before the public disclosure!

Full disclosure isn't a crime in the United States, at least.
Hacking PayPal is a crime tho'.

Except for when you play their game, which means: submit bugs via h1 and only disclose if they allow.

Legitimately interested in your explanation as to how this specific research would be a crime absent contact with HackerOne. Please cite statute. I'm not saying you're wrong - simply asking you to back up your claim with evidence.
I'm sorry, won't do that, don't know why. I'm pretty sure there's something like a computer abuse act. If you don't follow their rules, how would it be legal to hack on their servers?