Dear team,
As the disclosure policy changed a few weeks ago and researchers cannot disclose on their own anymore, the sentence "Vulnerability details disclosed by researcher" doesn't make sense anymore? Maybe "Disclosed according to OBB policies" or so would be more... you know, adequate?
"disclosed by researcher"
Re: "disclosed by researcher"
It’s a good point, however it’s still the researcher, and only the researcher, who can decide when to disclose. We just set a minimum to protect website owners, but everything else is in the researcher’s hands.
secuninja wrote: ↑Thu Nov 02, 2017 7:42 pm
Dear team,
As the disclosure policy changed a few weeks ago and researchers cannot disclose on their own anymore, the sentence "Vulnerability details disclosed by researcher" doesn't make sense anymore? Maybe "Disclosed according to OBB policies" or so would be more... you know, adequate?
Any suggestions are welcome.
Re: "disclosed by researcher"
Hi,
Even if the report is patched, it's not possible to disclose it before the minimum time.
E.g.: /reports/360847 and /reports/363614/ (around 20 days after the report date)
Re: "disclosed by researcher"
Open Bug Bounty submissions can now be publicly disclosed 90 days after submission, to give the website owner every reasonable opportunity to patch the vulnerability without putting its users at any risk. If the vulnerability is patched, this period is reduced to 30 days.
Re: "disclosed by researcher"
Thank you for the precision!