[raesene9]

Good to see a response on this from someone at Slack. However I'm now somewhat confused.

If you accept that Anshuman should have been updated on the 2nd bug and it was only after multiple unanswered requests that he blogged about it (a completely reasonable reaction I'd say), why did you then (I'm guessing you're the same Rhuber as the one commenting on the 3rd bug) say that he had gone against the spirit of the site and had him removed from your bug bounty programme?

[rhuber]

There are a few reasons for my comment about going against the spirit:

1) https://hackerone.com/disclosure-guidelines states:

"If 180 days have elapsed with the Response Team being unable or unwilling to provide a disclosure timeline, the contents of the Bug Report may be publicly disclosed by the Researcher. We believe transparency is in the public's best interest in these extreme cases."

2) He set an arbitrary 90 day disclosure checkpoint.

3) We explicitly asked for more time in dealing with the bug.

4) We had an extremely negative experience with him during his first report. He was unnecessarily adversarial when we patiently explained that he had not found a vulnerability.

---------

Within the HackerOne interface, a "Duplicate" is actually listed as a Closed:Duplicate issue, and doesn't appear in the Open issues tab at all. Perhaps a method of attaching duplicates to the original and allowing communication between all involved is useful? ¯\_(ツ)_/¯

[anshuman_bh]

Regarding point 4 above, the entire conversation can be found here - https://docs.google.com/document/d/1q-aKtxS6xNIhal0As743tBE1...

So, I report a bug that I think is a security vulnerability. You fail to even understand the report in the first place. You don't even try to watch the video PoC demonstrating it in action. In a nutshell, you handle it completely wrong in the first place.

Then, you come back and tell me it's not a security vulnerability because it's a hidden Feature or whatever the reason you have.

At this point, there is not much I can do but to present my justification as to why I think you are wrong. I present my opinion which I'm entitled to just like you are. And, I let you know that I will blog about it.

Do you really think I was being "unnecessarily adversarial" there? I rest my case.

With regards to the second issue being duplicate, I believe you guys must have already fixed it by now? If So, do you mind disclosing the original reported bug to bring some more light to the questions being asked whether it was really a duplicate or not. I understand you don't have to do that but it's just a suggestion. Feel free to ignore.

[raesene9]

Good point about the Hacker One disclosure timeline, sounds like the reporter should have waited for that to elapse prior to disclosure.

Not sure I'd say 90 days is entirely arbitrary as some of the big boys (i.e. Google Zero) seem to have come to a conclusion that that's the appropriate delay between disclosure and fix (whether that's always reasonable is another matter).

I'd guess that the more time thing he may have felt didn't apply as he wasn't getting any more communications about the bug status...

And sounds like a good feature request for Hacker One on dupes, this won't, I'm sure, be the only instance where this kind of mis-communication happens!

[anshuman_bh]

considering the fact that they were unresponsive and dismissive and some feedback about slacks bug bounty program from other fellow researchers, I really didn't think 180 days was worth the wait so yeah I chose my own. I am at the liberty to do that just like how slack has the liberty to ban me from their program. So yeah your guess is good!

And it's not only me who has had such a terrible experience with their program. I know atleast 3 different researchers who have reached out to me to tell me that they have gone through the same experience. They prefer not to speak out. I did. Period.