by slimsag
2115 days ago
Had the researchers (unethically) published it as a zero-day vulnerability in, e.g., a blog post stating "the Slack payout wasn't enough for us to care", what would their legal risks have been? I assume that would be _one_ way to get companies to care more about rewarding people who spend substantial amounts of time researching their security.
If someone doesn't like the terms of a particular bug bounty program, I would ask why they are doing research against that company to begin with. That's like someone who really wants kids dating a person who doesn't want kids and hoping they will change their mind after they see how awesome it will be. Almost without exception, if you read the comments from the individuals reporting the bugs, they will actually defend the status quo (as is the case here if you dig around). It's mostly just loud people in the vicinity of this trying to drive up the market.
Of course, in my example I could try to incentivize said partner to have children by all sorts of unethical means, and there are certainly ways for researchers to try to incentivize corporations to increase bounty scope or payout by unethical means. This is generally considered 'extortion'.
Lastly, I think it's also important to point out that legality has nothing to do with ethics, and I certainly believe there are cases where disclosure is warranted outside of any established paradigm of 'responsible disclosure' or bounty program.