by jollofricepeas
681 days ago

You almost have to pull the site to stroke bounty hunter egos when you could just push a change to prod instead. If not, they are quick to bash you publicly. There’s too much hubris in the “professional” web app bug hunter community. Generally, their attitude is very “look at these stupid developers,” “developers suck at security,” or “a conspiracy is happening because company X didn’t take their app down within 10 minutes of getting my email.” It’s much more nuanced than that. I’d like to see:

1) more bounties and better-paid bounties
2) less ego and much more professionalism and patience from “researchers”

Both would be better for consumers.

I wonder if there's an attack vector hiding where you induce a malicious bug via an illegitimate bounty and the developers' bias against inaction.