[jorge_leria]

Hi! I'm the person in charge of managing the bug bounty program, and I'd like to shed light on what happened from our end. I already apologized and explained this to @0xcrypto internally, but I believe that I should say something here to clarify what happened.

The truth here is that we were never able to fully reproduce the issue from the beginning, but struggled to close it because of the fear of missing something. Shortly after when we got back to the reporter for the last time, saying that we'll find a resolution, is when we were convinced that we were not able to reproduce it. Around that time we received a similar OAuth-related report. Unfortunately, this led to an internal mix-up, making us believe that we had addressed and communicated the resolution.

Because of the way I have notifications set up, I missed the follow-ups, and the issue stayed in Triage state indefinitely without receiving updates. This is by no means an excuse about the lack of updates, about which I'm deeply sorry. I've been a bug bounty hunter for many years and understand how frustrating it is to wait for updates from companies.

Finally, I'd like to reassure y'all that the security of our customers is of the utmost importance to us, and everything we say in our security page is true.

[0xcrypto]

Well mistakes happen. One thing that is still not explained is that I contacted Hackerone many times in the timespan of 3 years but they couldn't get in contact with you either.

Also, it is still unclear how you wanna continue with the report since it is no longer reproducible. I would have discussed it further on Hackerone but apparently I have been ghosted again after the apologize message.

[jorge_leria]

Hey 0xcrypto, I'm very sorry if I gave the impression that we weren't open to discussing anything further on the original issue. After my message, we only received a short comment from you. The issue actually will be still open for a short while just in case you want to discuss further details. Let's continue the conversation there.

[foota]

It's unclear to me (not that I necessarily need to know), but do you believe in the end that the vulnerability as described there worked, and if so, do you know why you failed to reproduce it?

[jorge_leria]

The fact that we kept it in triage means that we believed there was something. Also the reporter gave a really good explanation.

By the time the report was originally sent the feature was just released, and while we never deployed a code change to directly address it, it wouldn't be the first time that we receive something that I believe it was genuinely a security issue and stopped being reproducible due to an seemingly unrelated change around the same time.

[jabiko]

I'm wondering how your two quotes "security of our customers is of the utmost importance to us" and "we believed there was something" fit together given that the issue stayed open for three years?

So for three years you believed there was something, yet you didn't invest sufficient resources to reproduce and/or understand the issue, while at the same time, all these three years security was of utmost importance?

[jorge_leria]

Hey, I got into more details in my internal discussion with the researcher and previous post, but around the time we determined we couldn't replicate it, we got a similar report leading me to believe this was already closed. I didn't believe there was something the whole time. It was a mix-up on my side, and I'm sorry about it.

[foota]

I think I understand, I've also fallen victim to losing track of things, so I understand. If you haven't, maybe having a policy of trying to have zero security issues in the backlog would help here? That way things can't get lost, and if they're closed then at least the other party can see their issue has been closed and act accordingly (maybe try and escalate or something if they still think it's a real issue).

[MichaelZuo]

Wouldn't the wrong party, after getting an erroneous closure email, have immediately followed up, multiple times probably if the first one was ignored?

It's still unclear what prevented the follow up communications from making its way to you.

[polack]

It's a really simple vulnerability though. It comes of like you're not really on top of things when you cant reproduce or close it.

[pgraf]

Great to hear from you firsthand! While the issue was not reproducable for you, wouldn‘t it have been easy to have a look in the source code if the open-redirect was at all possible?

[h_tbob]

Honestly, just makes me happy your posting that you at least take it seriously. Nobody's perfect, but in my opinion things get out of hand when people don't take responsibility when mistakes happen. Good work, I know it's not your fault, need more people like you out here fixing.

[andix]

Great to hear, I love using Harvest. But could you please finally fix the (not so) new mobile app (iOS)? There are so many tiny issues that I stopped reporting them to your support.

The app state constantly gets out of sync with server state (some changes on the server only show up after a force reload, some changes on the client just revert after pressing save)

And the time tracking UX is so annoying (buttons that are only visible if you scroll down, start/stop/restart/delete buttons are constantly at different locations, depending on the state of the item).

The old app was not pretty, but it worked without issues.

[tourist2d]

He manages the big bounty program. Why would you think he would be interested in your personal UX issues with the app?

[andix]

I think you have a wrong impression of the size of the company. According to their website they have 26 engineers in total.

And I would doubt that those are my "personal" UX issues.

[jorge_leria]

Thank you for your feedback. While my main focus is on Data and Security, I'll ensure that your issues are heard by the team responsible for our mobile app. I'm aware that we're constantly working on improving the iOS app experience.

[metadat]

I suspect a lot of folks are under the faulty assumption bug bounty guy works for Microsoft.

Apparently Harvest is it's own company, not owned or operated by MS.

[weird-eye-issue]

Exactly. 26 engineers alone. That is way past the size where they are not even close to being part of the iOS team