> So what do you think is going on in this piece (5 years old), where Alex Stamos characterizes the issue as "trivial and of little value"?

I sadly wasn't there at the time, and Stamos' post doesn't refer to it at all. So I can't comment on this. I guess the truth on this is just known to the researcher, their boss, and Stamos.

> But what I'm describing above are ways for the company to screw the researcher without really being motivated by stinginess. Fairness is not a concern.

That's a fair point, and I can see how representation can cause a significantly different payout decision, especially if there is no technical payout panel with a security background. Phrasing something as "Reflected XSS" vs. "Account Take-Over via XSS" sounds undoubtedly different, but it is impact-wise probably the same. The problem is mitigated at Facebook by having engineers on the payout panel who understand the tech stack and security implications. But I think many companies don't have that luxury, and you undoubtedly may end up with inconsistencies.

Thanks for sharing your perspective. Much appreciated!