Responsible Disclosure?

Posted: Mon Jul 27, 2020 1:06 pm
by TandyUKServers
So we had a user submit a vulnerability on one of the sites I manage.

This was on the 3rd day of our bounty program being in operation, so we received quite a few reports (of the same general thing) from a number of security researchers.

One in particular is accusing us of fixing "his" bug without giving credit (the bug was fixed as a result of the other notifications), and has subsequently posted a malicious review of the site in question on Trustpilot, which is going to have a clear detrimental impact on the business whose website was affected, until such time as the researcher removes it (assuming they do).

Is this considered acceptable and responsible behaviour for someone who uses this site?
Is it ok to effectively demand payment from someone in order to not post malicious reviews?

Re: Responsible Disclosure?

Posted: Tue Jul 28, 2020 6:34 am
by x1admin
Please provide proof.

Re: Responsible Disclosure?

Posted: Tue Jul 28, 2020 7:21 am
by TandyUKServers
The Researcher has now apologised and removed the review in question.

See comments on (private) OBB-1236479

Any way I can remove the negative rep I gave him as a result?