Hacker News
by xmodem 526 days ago
Cursor does not have a bug bounty though, and it's hard to see how this constitutes anything other than a direct attack on them, their users, or both. "The incentive structure made me do it" does not justify acting like a criminal.
2 comments

Cursor asks researchers to report vulnerabilities to their GitHub security page.

The same incentive to show impact applies even without a paid bounty.

> Cursor does not have a bug bounty

Shouldn't this alone be considered criminal negligence at this point? Cursor isn't some random open source project. It's a company that has funding, and subscriptions. Hell, I pay Cursor for a monthly subscription. Pretty incredible that they have no bounty program.

The lack of a bug bounty program doesn't prohibit them from rewarding reported vulnerabilities.
Do they though?