view the vulnerability details

Questions or suggestions about the platform
metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am
Post by metamorfosec_id » Sun Jan 12, 2020 5:07 pm

Hello Admin,

I have observed that every time website owners create bug bounty programs, not long after that, vulnerabilities that I discovered related to their websites are fixed.

If website owners can view the vulnerability details without reaching the researcher first like that, then what is the meaning of the sentence in every OBB alert: "Please contact the security researcher directly for technical details of the vulnerability"?

x1admin
Site Admin
Posts:3101
Joined:Sun Nov 15, 2015 7:04 pm

Re: view the vulnerability details

Post by x1admin » Mon Jan 13, 2020 7:40 am

metamorfosec_id wrote:
Sun Jan 12, 2020 5:07 pm
Hello Admin,

I have observed that every time website owners create bug bounty programs, not long after that, vulnerabilities that I discovered related to their websites are fixed.

If website owners can view the vulnerability details without reaching the researcher first like that, then what is the meaning of the sentence in every OBB alert: "Please contact the security researcher directly for technical details of the vulnerability"?
You can uncheck Automatic Disclosure if you don't want to share details with the owner.

metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am

Re: view the vulnerability details

Post by metamorfosec_id » Mon Jan 13, 2020 8:20 am

Oh, I only just learned the function of "Automatic Disclosure" :)

Could "Automatic Disclosure" be unchecked by default?

This is based on the fact that many website owners do not appreciate our findings.
They just create bug bounty programs, view the details, fix them, and never contact us.

If we submit a vulnerability and we have had the experience that the website owner appreciated us in the past, then we can check "Automatic Disclosure" ourselves.

x1admin
Site Admin
Posts:3101
Joined:Sun Nov 15, 2015 7:04 pm

Re: view the vulnerability details

Post by x1admin » Mon Jan 13, 2020 8:23 am

metamorfosec_id wrote:
Mon Jan 13, 2020 8:20 am
Oh, I only just learned the function of "Automatic Disclosure" :)

Could "Automatic Disclosure" be unchecked by default?

This is based on the fact that many website owners do not appreciate our findings.
They just create bug bounty programs, view the details, fix them, and never contact us.

If we submit a vulnerability and we have had the experience that the website owner appreciated us in the past, then we can check "Automatic Disclosure" ourselves.
On the other side, we have a big number of messages from website owners where they write to us that they don't get a response from the researcher. This is why we added this feature.

metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am

Re: view the vulnerability details

Post by metamorfosec_id » Mon Jan 13, 2020 9:35 am

Very dilemmatic.

Just like CAPTCHA, maybe "Automatic Disclosure" can be set to unchecked by default only for reputable researchers.
I am sure they always respond to website owners.

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: view the vulnerability details

Post by secuninja » Mon Jan 13, 2020 8:58 pm

What about account-specific settings for reputable researchers? I'd love to go over all those clicks that have to be made before a report is created.

metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am

Re: view the vulnerability details

Post by metamorfosec_id » Mon Jan 13, 2020 11:29 pm

secuninja wrote:
Mon Jan 13, 2020 8:58 pm
What about account-specific settings for reputable researchers? I'd love to go over all those clicks that have to be made before a report is created.
Have a "REPUTABLE" badge (10+ Recommends).

I hope I do not forget to uncheck "Automatic Disclosure" before submitting reports.
