by jarrett
4574 days ago
Your point is good. I'd solve the problem like this: Instead of whitelisting certain kinds of attacks and parts of the company for bounty eligibility, I'd create a very limited blacklist. This blacklist would consist of actions which, despite being good-faith security research, would cause unacceptable damage to the company. For example, blacklisted actions might include:

- Deleting the company's data.
- Stealing from customers.
- DDoSing the site.

If you find a bug by taking any of the blacklisted actions, you get no bounty. This approach protects the company without unduly limiting the thoroughness of the review.