view the vulnerability details

Posted: Sun Jan 12, 2020 5:07 pm
by metamorfosec_id
Hello Admin,

I have observed that every time website owners create bug bounty programs, not long after that, the vulnerabilities that I discovered related to their websites are fixed.

If website owners can view the vulnerability details without reaching the researcher first like that, then what is the meaning of the sentence in every OBB alert: "Please contact the security researcher directly for technical details of the vulnerability"?

Re: view the vulnerability details

Posted: Mon Jan 13, 2020 7:40 am
by x1admin
metamorfosec_id wrote:
Sun Jan 12, 2020 5:07 pm
Hello Admin,

I have observed that every time website owners create bug bounty programs, not long after that, the vulnerabilities that I discovered related to their websites are fixed.

If website owners can view the vulnerability details without reaching the researcher first like that, then what is the meaning of the sentence in every OBB alert: "Please contact the security researcher directly for technical details of the vulnerability"?
You can uncheck Automatic Disclosure if you don't want to share details with the owner.

Re: view the vulnerability details

Posted: Mon Jan 13, 2020 8:20 am
by metamorfosec_id
Oh, I have only just learned the function of "Automatic Disclosure" :)

Could "Automatic Disclosure" be unchecked by default?

This is based on the fact that many website owners do not appreciate our findings.
They just create bug bounty programs, view the details, fix them, and never contact us.

If we submit a vulnerability and we have had the experience that the website owner appreciated us in the past, then we can check "Automatic Disclosure" ourselves.

Re: view the vulnerability details

Posted: Mon Jan 13, 2020 8:23 am
by x1admin
metamorfosec_id wrote:
Mon Jan 13, 2020 8:20 am
Oh, I have only just learned the function of "Automatic Disclosure" :)

Could "Automatic Disclosure" be unchecked by default?

This is based on the fact that many website owners do not appreciate our findings.
They just create bug bounty programs, view the details, fix them, and never contact us.

If we submit a vulnerability and we have had the experience that the website owner appreciated us in the past, then we can check "Automatic Disclosure" ourselves.
On the other side, we have a big count of messages from website owners where they write to us that they did not get a response from the researcher. This is why we added this feature.

Re: view the vulnerability details

Posted: Mon Jan 13, 2020 9:35 am
by metamorfosec_id
Very dilemmatic.

Just like CAPTCHA, maybe "Automatic Disclosure" can be set to unchecked by default only for reputable researchers.
I am sure they always respond to website owners.

Re: view the vulnerability details

Posted: Mon Jan 13, 2020 8:58 pm
by secuninja
What about account-specific settings for reputable researchers? I'd love to go over all those clicks that have to be made before a report is created.

Re: view the vulnerability details

Posted: Mon Jan 13, 2020 11:29 pm
by metamorfosec_id
secuninja wrote:
Mon Jan 13, 2020 8:58 pm
What about account-specific settings for reputable researchers? I'd love to go over all those clicks that have to be made before a report is created.
Have a "REPUTABLE" badge (10+ Recommends).

I hope I do not forget to set "Automatic Disclosure" to unchecked before submitting reports.