this post was submitted on 21 Aug 2024
Cybersecurity
A company appears to be abusing #BugCrowd’s #bugbounty program to hide essential details of a critical vulnerability. The company itself has rated the vulnerability as low severity. This has led many to disregard the vulnerability, which may have resulted in unpatched systems that remain vulnerable.

"I would like to remind you that as a researcher using the BugCrowd platform to submit this issue you are bound by the BugCrowd standard disclosure terms and you may not blog or disclose any information on the exploitation of this vulnerability."

If I were to follow these rules, it would mean that countless client systems could remain vulnerable to this critical vulnerability.

I’ve mostly had good experiences with bug bounty programs before this incident. Sure, I’ve had some disagreements at times, but I’ve never seen a program being abused like this before.

#responsibledisclosure #infosec #cybersecurity

[–] harrysintonen@infosec.exchange 1 points 6 months ago (3 children)

@EndlessMason@hachyderm.io I presume they will kick me out of the BugCrowd platform. I have no problem with that really. I've already considered the platform and this bug bounty in particular a lost cause.

[–] EndlessMason@hachyderm.io 1 points 6 months ago (2 children)

it sounds like you're really struggling to figure out what to do next lol

(don't forget to click the "pay out" button before doing anything hasty)

@harrysintonen@infosec.exchange

[–] harrysintonen@infosec.exchange 1 points 6 months ago (1 children)

@EndlessMason@hachyderm.io No struggle really, just figuring out the details.

As to bounty: I think they're just using the BugCrowd platform to manage their vulnerability program. At no point did they promise any rewards, nor did I expect any.

[–] EndlessMason@hachyderm.io 1 points 6 months ago

I forgot the sarcasm markers, sorry about that one.

I'm not super qualified in economics, but it kinda feels like you should either pay for the pentest and own the results, or not pay and not own it.

@harrysintonen@infosec.exchange