Hacker News

Stories like this are wonderful evidence of the effectiveness of public disclosure of security vulnerabilities, and are always heartwarming to see. Remember, 90-day disclosure windows are just a courtesy.



This is why I consider bug bounty programs problematic, because they've been co-opted from a system to manage responsible disclosure to a system to contain and manage non-disclosure.


Bug bounty programs can be great tools to help reward researchers, secure products and help align new and amateur researchers who may not have ever reported a bug before to standards.

But like all things, they can also be used to keep software insecure, hide issues, and instead buy off researchers.


Mmm. This post by Matthew Garrett is good on this: https://mjg59.dreamwidth.org/52432.html
