Hacker News new | ask | show | jobs
by rcxdude 24 days ago
It's at the minimum a bit impolite to leave the system more vulnerable in between sending the report and the report being received and acted on.
1 comments
lstodd 23 days ago
It didn't become any more vulnerable.

This is security, you have to have procedures for when you get owned; the bug bounty program is orthogonal to that.

If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

link
Dylan16807 23 days ago
> It didn't become any more vulnerable.

That depends on how secret the URL was. If you go from needing an exploit to just visiting a guessable link, that's significantly more vulnerable.

> If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

Well most people wouldn't, and for good reason.

link