[sn4pp]

> but disclosing bugs publically is an addition to your resume

Request disclosure on hackerone then. Idk, breaking the law to get a job doesn't seem ok to me.

[thaumasiotes]

The screenshot in #2 does show the H1 Staff screwing up -- @cybernews requests disclosure and gets a response saying "you may request disclosure if you would like this reviewed, using the drop down menu" (which @cybernews has already done).

@cybernews' behavior in that thread isn't ideal, but they're more in the right than in the wrong on that one, judging by the screenshot.

[sn4pp]

I'm not talking about this case specifically.

At least Paypal was notified before the public disclosure!

[CiPHPerCoder]

Full disclosure isn't a crime in the United States, at least.

[sn4pp]

Hacking PayPal is a crime tho'.

Except for when you play their game, which means: submit bugs via h1 and only disclose if they allow.

[ohithereyou]

Legitimately interested in your explanation as to how this specific research would be a crime absent contact with HackerOne. Please cite statute. I'm not saying you're wrong - simply asking you to back up your claim with evidence.

[sn4pp]

I'm sorry, won't do that, don't know why. I'm pretty sure there something like computer abuse act. If you don't follow their rules, how would it be legal to hack on their servers?