by throwaway313313 1029 days ago
They typically do not want to disclose the full vulnerability details prior to you paying them.

For the few that we have engaged in back-and-forth conversation, they typically were just reporting warnings from various open-source website scanners, without completely understanding what they were talking about.

That's not to say somebody might not discover a new unique vulnerability in the open-source software and packages you might be using, except you wouldn't expect them to report it to your company, as some random user on the Internet, when the official projects are on GitHub.

Alternatively if they reported a very specific issue regarding software you developed, I'm sure it would get your 100% attention. That's not been my experience so far (knock on wood).

1 comments

Yeah if they are refusing to share details without money that sounds more like extortion.

> That's not to say somebody might discover a new unique vulnerability in the open source software and packages you might be using, except you wouldn't expect them to report it to your company, as some random user on the Internet, when the official projects are on github.

I've actually had this happen once or twice. AFAICT the situation was either that the reporter explains themselves so poorly (in very broken English) that the original project ignored them, or they are trying to maximize bounties by reporting to everyone who uses the package instead of the actual maintainer.

> Alternatively if they reported a very specific issue regarding software you developed, I'm sure it would get your 100% attention. That's not been my experience so far (knock on wood).

It does happen (especially if you offer bounties or you are famous), but it's like 1% of emails you get at most. Most reports are just incoherent nonsense or people misunderstanding the output of an automated scanner. But it's worth it to pay attention for the 1%.