Someone's obviously champing at the bit to write the comment about t-shirts versus bug bounties. Before they write that, they should consider that a company that doesn't already have a bounty can't simply create one on the spot; those programs need to be reviewed by counsel.
I think it's inevitable that most tech companies are going to end up offering formal bounty programs, but you should remember that only a select few do today.
Even if they did, would they actually award the bounty even though the bug was directly taken to a blog post, and not reported to them first?
I may be mistaken, but I was under the impression that there generally was a tacit agreement that you only get the bounty if you don't go public with it before it's fixed.
You're right - I don't think you qualify for a bounty if you write a blog post and then the team contacts you. Usually there are strict requirements including a responsible disclosure to the company directly.
This is why I was so impressed. They contacted me after I published the post, and yet they still sent me a token of their appreciation. That to me showed a ton of class.
Please don't parrot nonsense like "responsible" disclosure; it mangles language to normalize behavior these companies want (what's the opposite of responsible? Not letting companies sit around and procrastinate while users are or may be being exploited is therefore irresponsible.)
I'm not necessarily saying people shouldn't disclose first, but labeling it as responsible is grating.
Most bug bounties encourage responsible disclosure, which was not done in the original blogpost.
With that said, it's kind of a grey area. Some may reward you but others may not. Google for example asks for responsible disclosure. They will most likely be reluctant to give you a reward if you didn't play by the rules and undermined the entire purpose of the vulnerability reward program anyway.
The programs aren't meant to show off how smart the engineers are who work there. The programs are meant to prevent legitimate attacks. No news is good news in the security world...and you don't know that you made the news until too late.
I should add, when reporting the bug, I know Google asks if the bug is made public and they also ask for a URL to where it is available. So maybe the area is more grey than I think. Nobody will know until someone reports a public bug, I guess.
> Most bug bounties encourage responsible disclosure, which was not done in the original blogpost.
The original blog post basically summed up and condensed what everybody who knows HTML could have seen. I didn't even blink in surprise when I saw it. It was well executed and written and as such a worthy contribution, but the attack vector was rather obvious. Pretty much my first thought when I saw what LinkedIn is doing was "There's certainly a way to abuse this and inject false info." AFAIR similar feelings were voiced in the HN thread about the original submission.
I'm all for responsible disclosure, but in this case I don't think it was warranted.
Several others might agree with you, but the fact remains LinkedIn security missed (or ignored) a legitimate issue and released the new feature. Surely that should define whether a reward is justified.
But it is the kind of company that set up this massive MITM hole in the first place, and thought it was a good idea to "offer" this "feature" to unsuspecting targets, er, "users".
They may have fixed this "bug", but the bug that is the feature itself remains, and it can only be fixed in one way...
Seems like they handled this very well. Maybe more security teams are being especially cautious after the Yahoo security reporting fiasco. While I still don't agree with the basic concept behind Intro, I think they handled this appropriately.
I would prefer an actual check or some sort of evaluation of the time he spent on the phone/email trying to explain the fix to LinkedIn. Sending him a bunch of advertising materials with logos all over them is kind of disrespectful, I think.
The guy could certainly have just ignored the phone call, just because the company contacts you does not mean you need to help them (even if they are being nice).
While I think that a bug bounty is the RIGHT thing to do in this scenario, the security guy likely couldn't just decide on his own to give out thousands of dollars, so something is better than nothing, and if the expectation was nothing, then well, sounds decent to me.
I think that is literally true; that is, I think that a security person at a large company would be in serious trouble if they paid someone for reporting a security vulnerability out of their own pockets. There are legal implications to opening up a bug bounty.
It's like the Mitch Hedberg bit: "Whenever I walk, people try to hand me out flyers. And when someone tries to hand me out a flyer, it’s kinda like they’re saying, 'Here—you throw this away.'"
Apps can't elect to be started up when the phone boots, nor can they count on avoiding being killed if the user is running a graphically intense game or something.
Except VoIP apps, since we want all apps with that capability to start on boot even if we only use them once a month, and we don't want any others to start on boot even if we use them daily. iOS regulations are so stupid.
I've never really liked LinkedIn's product that much, but they addressed this issue in a very mature way - instead of rebuking it in a press release or arguing with him, they fixed the issue and thanked him. I'm impressed.
I don't want to be cynical but when I read small token of appreciation, I thought it would be something more than just branded stuff from the company. You could argue that all they could send was LinkedIn marketing material but it just rubs me the wrong way when companies put out their branded trinkets as "gifts".
Please just give me the money. I'll decide which companies I will do free advertising for.
Meh, that's why it's a token of appreciation. If I were the guy, I'd be more offended by money than by some marketing trinket; sending me money implies they thought my involvement was worth that amount of money, and it's unlikely they would send enough to correspond to a reasonable hourly rate. Sending a trinket with no monetary value makes no such implication; it's purely a social gesture, not an economic one.
On the other hand, if some company wants to thank me for something in the future with something more than tradeshow swag, I would not turn down a nice bottle of whisk[e]y, just sayin'.
I missed the original "Phishing with Intro" post. After reading it now, and the update, from the description it sounds like all they did was randomize the ids to make it hard to target the LinkedIn content with CSS. But surely it's still possible, no? The content is injected at the head of the body, so just target it using sibling selectors. You can't override any !important style this way (as the ID selector takes precedence), but maybe you could find a non-!important-specified style that can still be used to affect it. Heck, maybe just set a -webkit-transform that collapses the height to 0.
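To make the cascade argument in the comment above concrete, here is an added example that is not part of the thread and not LinkedIn's code. It is a toy CSS cascade resolver for author-level declarations that all match one element. The structure it models is an assumption taken from the comment: the injected block is the first child of <body>, carries a randomised id, and pins some of its own properties with !important. Whether a given mail client honours <style> blocks or child selectors at all is client-specific and not something the thread establishes.

```javascript
// Added example (not from the thread or LinkedIn): a toy CSS cascade resolver
// showing why randomising an id does not stop a child/sibling selector from
// matching the injected block, and which of its properties remain overridable.
//
// Hypothetical structure: the injected block is <body>'s first child, has a
// randomised id, and ships an author stylesheet pinning some properties with
// !important. Both selectors below match that same element, so only the
// cascade (importance, then specificity, then source order) decides.

// Specificity triple [ids, classes/attributes/pseudo-classes, elements].
// Toy parser: handles simple selectors such as "#x", ".y", "body > :first-child".
function specificity(selector) {
  const pseudoElements = (selector.match(/::[\w-]+/g) || []).length;
  const rest = selector.replace(/::[\w-]+/g, ''); // avoid double-counting "::x" as ":x"
  const ids = (rest.match(/#[\w-]+/g) || []).length;
  const classes = (rest.match(/\.[\w-]+|\[[^\]]*\]|:[\w-]+/g) || []).length;
  const elements = (rest.match(/(?:^|[\s>+~])[a-zA-Z][\w-]*/g) || []).length + pseudoElements;
  return [ids, classes, elements];
}

function compareSpecificity(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// One declaration as it would appear in a stylesheet.
function decl(source, selector, property, value, important = false) {
  return { source, selector, property, value, important };
}

// Cascade for author-level declarations that all match the same element:
// !important beats normal, then higher specificity, then later source order.
function resolve(decls, property) {
  let best = null;
  decls.forEach((d, order) => {
    if (d.property !== property) return;
    if (best === null) { best = { ...d, order }; return; }
    const c = d.important !== best.important
      ? (d.important ? 1 : -1)
      : compareSpecificity(specificity(d.selector), specificity(best.selector));
    if (c > 0 || (c === 0 && order > best.order)) best = { ...d, order };
  });
  return best && { value: best.value, source: best.source };
}

// Hypothetical injected stylesheet: the id is randomised per message, so the
// attacker cannot name it, but that is irrelevant to a position-based selector.
const injectedId = '#intro-' + Math.random().toString(36).slice(2, 8);
const injected = [
  decl('injected', injectedId, 'display', 'block', true),
  decl('injected', injectedId, 'font-size', '14px'),
];

// Constructed attacker CSS: never mentions the id, matches by position only.
const attacker = [
  decl('email', 'body > :first-child', 'display', 'none', true),          // loses: lower specificity among !important
  decl('email', 'body > :first-child', 'font-size', '0', true),           // wins: !important beats a normal declaration
  decl('email', 'body > :first-child', '-webkit-transform', 'scaleY(0)'), // wins: nothing opposes it
];

function outcome() {
  const all = [...injected, ...attacker];
  return {
    display: resolve(all, 'display'),
    fontSize: resolve(all, 'font-size'),
    transform: resolve(all, '-webkit-transform'),
  };
}

console.log(JSON.stringify(outcome(), null, 2));
```

The point the resolver makes is the one in the comment: an id selector with !important is safe from a lower-specificity selector, but any property the injected block does not pin (or pins without !important) is still controllable by whoever writes the surrounding document, and the randomised id never enters into it. Defending the block would mean pinning every layout-affecting property, or isolating it in something that email CSS cannot reach.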
They should have paid the guy - not sent cheap trinkets. And also no chump change as well. He went out of his way to even help them roll out the hot fix.
Don't be a 'cheap kind of company', LinkedIn. Pay up.