by rhuber
4101 days ago
There are a few reasons for my comment about going against the spirit:

1) https://hackerone.com/disclosure-guidelines states: "If 180 days have elapsed with the Response Team being unable or unwilling to provide a disclosure timeline, the contents of the Bug Report may be publicly disclosed by the Researcher. We believe transparency is in the public's best interest in these extreme cases."
2) He set an arbitrary 90-day disclosure checkpoint.
3) We explicitly asked for more time in dealing with the bug.
4) We had an extremely negative experience with him during his first report. He was unnecessarily adversarial when we patiently explained that he had not found a vulnerability.

Within the HackerOne interface, a "Duplicate" is actually listed as a Closed:Duplicate issue, and doesn't appear in the Open issues tab at all. Perhaps a method of attaching duplicates to the original and allowing communication between all involved would be useful? ¯\_(ツ)_/¯
So, I report a bug that I think is a security vulnerability. You fail to even understand the report in the first place. You don't even try to watch the video PoC demonstrating it in action. In a nutshell, you handle it completely wrong from the start.
Then, you come back and tell me it's not a security vulnerability because it's a hidden feature, or whatever reason you have.
At this point, there is not much I can do but present my justification as to why I think you are wrong. I present my opinion, which I'm entitled to just as you are. And I let you know that I will blog about it.
Do you really think I was being "unnecessarily adversarial" there? I rest my case.
With regards to the second issue being a duplicate, I believe you guys must have already fixed it by now? If so, do you mind disclosing the originally reported bug, to shed some more light on the question being asked of whether it was really a duplicate or not? I understand you don't have to do that; it's just a suggestion. Feel free to ignore.