MxVoid pfp
Let’s say you find a serious security/privacy flaw in an app and email the team about it. How long are you supposed to wait for confirmation of receipt/fix before you go public with it and start ringing the alarm bells? Also, should you be eligible for a bug bounty even if they don’t have a bug bounty program?
2 replies
0 recast
3 reactions

Alex Palmer pfp
Alex Palmer
Unwise to go public with specifics, I think. White hat folks seem to ring alarm bells if the timeline is egregious, rarely with specific details. From folks I know, most orgs respond within days. Curious if @cassie could weigh in?
2 replies
0 recast
2 reactions

Ignas Peciura pfp
Ignas Peciura
We never had an official bug bounty in our companies, but we always acknowledged bug/vulnerabilities reports withing 24 hours (usually sooner) and if proven an actual bug/vulnerability I would agree on a payment for the reporting the bug. So I would say 24 hours?
0 reply
0 recast
1 reaction