by dasil003 4578 days ago
You're conflating two things, inappropriately in my opinion:

> If you offer a bug bounty to improve security, make sure you give a reward for any possible breach that could cause you to get hacked, regardless of whose 'fault' the vulnerability is.

This is true. There's no upside for rejecting this as "out of bounds" except for a relatively tiny sum of cash.

> If you know of a way to increase security, then you should increase it.

This I disagree with completely. If there's anything you can do with negligible cost you should do it; however, there are all kinds of costs. There are usability costs, operational costs, training costs, etc., etc.

You can't hand-wave these away by declaring that any breach is failure without recognizing the fact that there is no such thing as perfect security. In fact all security is gambling, and it should be a gamble based on the best odds we can come up with professionally against the cost of failure. If something requires 100% perfect security then that thing should not be done, period.


'This is true. There's no upside for rejecting this as "out of bounds" except for a relatively tiny sum of cash.'

There can be. If the attack involved something that - done broadly - would itself cause problems even without a vulnerability, then you don't want to reward people for probing those ways without arranging it first. As a sort of extreme example, imagine hundreds of security researchers getting in the way of your paying customers while trying social engineering attacks on your staff.