As mentioned in the subject title -- I would like to suggest an option for researchers to extend the date of public disclosure.
Currently, it is a fixed date at 3 months later. I am wondering if it is possible for researchers to opt to extend the public disclosure date. This is to allow some leeway for companies that want to fix and are currently working on a fix to truly resolve the issue before the public disclosure date.
It is especially useful when you are already in touch with the company and know that they are doing their best to resolve the issue and also contacted you to help to accommodate on the disclosure date.
Our current options are:
(1) be bad and go ahead with the public disclosure even though they can't patch in time. Note that in this case, they have made an attempt to contact you and kept you updated on their plans in advance. They were also appreciative of your help and for reporting the bug, just that they can't fix in time, they just need a little bit of extension.
(2) be nice, be understanding, sometimes they just need a week or a month more to complete their internal process or complete the internal testing and get the deployment completed. It's not like they don't care. I would rather they deploy a good fix than deploy a temp fix that leads to more issues. We are here to help.
I will always choose option (2) when given a choice like this.
Of course, the extension should be totally optional. So far I have had a few companies in this situation, and in order to help, I could only delete my report from Openbugbounty. So, just saying that if there is an optional extension option then it will be pretty useful at times like this.
Suggestion on Public Disclosure Date Extension
Re: Suggestion on Public Disclosure Date Extension
kongwenbin wrote (Fri Apr 20, 2018 8:17 am): "As mentioned in the subject title -- I would like to suggest an option for researchers to extend the date of public disclosure. [...]"
You can extend the date of disclosure on the Open Bug Bounty Submissions page.
Re: Suggestion on Public Disclosure Date Extension
x1admin wrote (Fri Apr 20, 2018 8:44 am): "You can extend the date of disclosure on the Open Bug Bounty Submissions page."
Thanks, I just found the feature. I did not realise that was an extension option until I went to click on everything I see in the page.