Summary of responses from this post: http://carnal0wnage.attackresearch.com/2017/06/vulnerability-disclosure-free-bug.html
I wanted to document/summarize some of the responses I received and some of the insights I gained via self observation and my interactions with others on the topic.
I received a few replies (fewer than I hoped for, though). To summarize a few:
-I’m not a greedy bastard for thinking it would “be nice” to get paid for reporting a vuln but I should not expect them.
-Bug Bounty awards are appreciation for the work not a right.
-Someone made a nice analogy to losing AWS/Slack keys to losing a cell phone or cat. Every person might value the return of that cat or phone differently.
-I’m super late to the game if I want to get on the “complain about bug bounties / compensation” train. **I think this is not quite the same situation but I appreciate the comment**
-The bigger the company, the harder it is to issue an ad-hoc reward if they don’t have an established process.
-They [the vulns] have value – just not monetary. The value is to the end-user.
-Generally speaking, I [the author of the comment] think quite a lot of the BB crowd have a self-entitled, bad attitude.
-Always ask yourself if this will hurt innocent people. If so, report it, but make sure the public knows that they f*cked it up.
I got a variety of responses, from "it's the right thing to do" up to "if they don't pay up, they don't get the info." Collectively, I don't think we are any closer to an answer.
To get a bit more personal on the subject, I think this piece from Ferris Bueller's Day Off sums it up to an extent:
“The problem is with me”
I’ve been giving quite a bit of thought to what component of the process brings me the most excitement and enjoyment. I believe I have identified what component brings me the most enjoyment and will focus on that piece and work to manage any expectations I place on others.
I very much appreciate everyone that engaged in the conversation with me.
More things to think about for sure 🙂
This is a Security Bloggers Network syndicated blog post authored by CG. Read the original post at: Carnal0wnage & Attack Research Blog