Message-ID: <CALx_OUBfM+4w6CL--TArkFHkW=1mWRYmhxtebCgfaDJ-9HqnTQ@mail.gmail.com>
Date: Thu, 3 Oct 2013 21:36:23 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: coderman <coderman@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Serious Yahoo bug discovered. Researchers rewarded with $12.50

If you are sending in an unsolicited vulnerability report, I think
it's fair to expect the vendor to fix the issue promptly and play
nice.

Beyond that, you are willfully making a gamble with your own time.
Nobody is forcing you to do that. If you are lucky, perhaps the vendor
will be impressed with your work and perhaps will contract you in the
future. Or, perhaps they will give you a hefty reward. Another
perfectly acceptable outcome is that they will just thank you and
maybe send you a t-shirt. A coupon to a corporate store seems a bit
impersonal, but you know, gift horse, mouth...

In the end, vulnerability reward programs have their pros and cons,
compared to building in-house talent, commissioning traditional
third-party security assessments, and so on; companies that favor one
approach over the other aren't necessarily incompetent or evil. And
you know, I'm saying this as a guy who recently bumped our own rewards
for XSS to as much as $7.5k...

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/