Let’s say you find a serious security/privacy flaw in an app and email the team about it. How long are you supposed to wait for confirmation of receipt/fix before you go public with it and start ringing the alarm bells?

Also, should you be eligible for a bug bounty even if they don’t have a bug bounty program?

BDFL of Quilibrium, Eng @ Farcaster, ex-Coinbase, always opinionated, never hydrated

✵ Create ✵ Share ✵ Remix ✵

Experimental 2D/3D artist and occasional collector. He/They. Nerdy++; (Nearly) all work CC-BY/CC0/FOSS

https://mxvoid.com

Unwise to go public with specifics, I think. White hat folks seem to ring alarm bells if the timeline is egregious, rarely with specific details.

From folks I know, most orgs respond within days.

Curious if @cassie could weigh in?

We never had an official bug bounty in our companies, but we always acknowledged bug/vulnerabilities reports withing 24 hours (usually sooner) and if proven an actual bug/vulnerability I would agree on a  payment for the reporting the bug. So I would say 24 hours? 