"disclosed by researcher"

Posted: Thu Nov 02, 2017 7:42 pm
by secuninja
dear team,

As the disclosure policy changed a few weeks ago and researchers cannot disclose on their own anymore, the sentence "Vulnerability details disclosed by researcher" doesn't make sense anymore? Maybe "Disclosed according to OBB policies" or so would be more... you know, adequate?

Re: "disclosed by researcher"

Posted: Fri Nov 03, 2017 6:03 am
by x1admin
secuninja wrote:
Thu Nov 02, 2017 7:42 pm
dear team,

As the disclosure policy changed a few weeks ago and researchers cannot disclose on their own anymore, the sentence "Vulnerability details disclosed by researcher" doesn't make sense anymore? Maybe "Disclosed according to OBB policies" or so would be more... you know, adequate?
It’s a good point, however it’s still the researcher, and only the researcher, who can decide when to disclose. We just set a minimum to protect website owners, but everything else is in the researcher’s hands.

Any suggestions are welcome.

Re: "disclosed by researcher"

Posted: Mon Nov 13, 2017 6:43 pm
by DrStache_
Hi,

Even if the report is patched, it's not possible to disclose it before the minimum time.
e.g. /reports/360847 and /reports/363614/ (around 20 days after the report date)

Re: "disclosed by researcher"

Posted: Tue Nov 14, 2017 7:03 am
by x1admin
DrStache_ wrote:
Mon Nov 13, 2017 6:43 pm
Hi,

Even if the report is patched, it's not possible to disclose it before the minimum time.
e.g. /reports/360847 and /reports/363614/ (around 20 days after the report date)

Open Bug Bounty submissions can now be disclosed publicly 90 days after submission, to give a website owner all reasonable possibilities to patch the vulnerability without putting its users at any risk. If the vulnerability is patched, this period is reduced to 30 days.

Re: "disclosed by researcher"

Posted: Tue Nov 14, 2017 6:58 pm
by DrStache_
Thank you for the precision!