Open Bug Bounty Community Forum

metamorfosec_id wrote: ↑

Tue Oct 02, 2018 6:06 pm

Hello OpenBugBounty Team,

Currently, I, at my discretion, sent additional notification email using Send Notification Feature yesterday (2 October) for one of my submissions because I did not receive any response since date of vulnerability reported. I got a response just a few hours from website owner and as usually, I sent the vulnerability details. Unfortunately, the website owner is angry about why long delay because there is no notification when the issue identified (5 July) and the public disclosure is today (3 october).

So my questions:

1) Does Website Owner Notification Process by the OpenBugBounty Platform work? I mean, how we as researchers know that the sent emails have received by website owner or not? The platform does not inform about this. For example, info@ and support@ sent successfully, but contact@ failed.

2) To prevent any misunderstanding, could you please write explicitly security contact that provided when submitting the issue in the "Using security contacts provided by the researcher" Section? I myself often forget about the security contact that I provided in the past once submitted the issues.

Need your clarification for #1 and your opinion for #2.

Regards.

metamorfosec_id wrote: ↑

Sun Dec 23, 2018 11:20 am

Dear Admin,

For #2:

I always provide contact person email addresses in "Comment" Area once I read your reply. By the way, I read on another post below that providing email addresses explicitly may raise a privacy issue:

viewtopic.php?f=5&t=798&sid=d51ca6ec17a ... b502f6574a

You did not mention "Internal Comment" when answering to my question, so that I am confuse between "Comment" Area and "Internal Comment".

Are my previous reports that providing email addresses may violate privacy aspect? If so, I am so sorry and please remove the contact information on my reports (edit: about 400 reports since October 2018 ).