"disclosed by researcher"

[secuninja]

dear team,

as the disclosure policy changed few weeks ago and researcher cannot disclose on their own anymore the sentence "Vulnerability details disclosed by researcher" doesn't make sense any more? maybe "Disclosed according to OBB policies" or so would be more... you know adequate?

[x1admin]

dear team,

as the disclosure policy changed few weeks ago and researcher cannot disclose on their own anymore the sentence "Vulnerability details disclosed by researcher" doesn't make sense any more? maybe "Disclosed according to OBB policies" or so would be more... you know adequate?

It’s a good point, however it’s still the researcher, and only the researcher, who can decide when to disclose. We just set a minimum to protect website owners, but everything else is in the researcher’s hands.

Any suggestions are welcome.

[DrStache_]

Hi,

Even if the report is patched, that's not possible to disclose it before the minimum time.
eg : /reports/360847 and /reports/363614/ (around 20 days, after the report date)

[x1admin]

Hi,

Even if the report is patched, that's not possible to disclose it before the minimum time.
eg : /reports/360847 and /reports/363614/ (around 20 days, after the report date)

Open Bug Bounty submissions can now be disclosed on public in 90 days since submission to give to a website owner all reasonable possibilities to patch the vulnerability without putting its users at any risk. If the vulnerability is patched, this period is reduced to 30 days.

[DrStache_]

Thank you for the precision !