by _kbh_ 875 days ago
> Indeed, especially when Googling "Mercedes report security issue" the page literally populates the results with the address to email so it wasn't like it's hard to find.

Reporting via a third party isn't super unusual if you think that an organisation may be a bit legal threat happy from your report.

This may be true if there isn't a vulnerability disclosure program in place but there was, thus your point is completely invalid.

No, his point remains: companies may act in bad faith, and publicly committing to act in good faith is absolutely no evidence they will not.

I don’t mean to be trite, but publishing a bug bounty program doesn’t mean you’re the good guys.

> publishing a bug bounty program doesn’t mean you’re the good guys

this is meaningless rabble. Yes, you can get burned in all kinds of legitimate situations [1], but 99.xx% of bug bounty interactions do not result in any kind of legal action even if you wander a bit out of scope.

[1]: https://eu.desmoinesregister.com/story/news/crime-and-courts...

> this is meaningless rabble

That is rich coming from yourself. Are you at all familiar with German law?

It’s less than a 1% chance of financial ruin!? Sign me up!

I hope you also avoid using any kind of modern transportation, like cars, since there's a non-zero chance of dying in a crash.

I would probably avoid transportation that kills 1% of its users each trip.