by laurent92
2115 days ago
When running a security bounty, what makes me afraid is the compounding factor of finding the same kind of issue several times in different places, thereby multiplying the cost by 20. Of course $1750 is cheap, but I'd happily donate more if there were no risk of paying repeat bounties, given a week between them to fix each category of security failure I learn about. By the way, it should be mandatory to display the security bounty to customers. It's like saying "We don't value the sum of all the data of all our customers at more than $1750".
A better solution would be to only allow a bug to be reported once per quarter, or once per version of the software. If someone finds a bug in v1.0 that's fixed in v1.1, then someone (even the same person) should be able to report the same bug in a different place in v1.1. That's an incentive for companies to use the report to secure the whole app rather than just fixing the reported issue.