Someone's obviously champing at the bit to write the comment about t-shirts versus bug bounties. Before they write that, they should consider that a company that doesn't already have a bounty can't simply create one on the spot; those programs need to be reviewed by counsel.
I think it's inevitable that most tech companies are going to end up offering formal bounty programs, but you should remember that only a select few do today.
Even if they did, would they actually award the bounty even though the bug was directly taken to a blog post, and not reported to them first?
I may be mistaken, but I was under the impression that there generally was a tacit agreement that you only get the bounty if you don't go public with it before it's fixed.
You're right - I don't think you qualify for a bounty if you write a blog post and then the team contacts you. Usually there are strict requirements including a responsible disclosure to the company directly.
This is why I was so impressed. They contacted me after I published the post, and yet they still sent me a token of their appreciation. That to me showed a ton of class.
Please don't parrot nonsense like "responsible" disclosure; it mangles language to normalize behavior these companies want (what's the opposite of responsible? Not letting companies sit around and procrastinate while users are or may be being exploited is therefore irresponsible.)
I'm not necessarily saying people shouldn't disclose first, but labeling it as responsible is grating.
Most bug bounties encourage responsible disclosure, which was not done in the original blogpost.
With that said, it's kind of a grey area. Some may reward you but others may not. Google for example asks for responsible disclosure. They will most likely be reluctant to give you a reward if you didn't play by the rules and undermined the entire purpose of the vulnerability reward program anyway.
The programs aren't meant to show off how smart the engineers are who work there. The programs are meant to prevent legitimate attacks. No news is good news in the security world... and you don't know that you made the news until too late.
I should add, when reporting the bug, I know google asks if the bug is made public and they also ask for a URL to where it is available. So maybe the area is more grey than I think. Nobody will know until someone reports a public bug, I guess.
> Most bug bounties encourage responsible disclosure, which was not done in the original blogpost.
The original blog post basically summed up and condensed what everybody who knows about HTML could have seen. I didn't even blink in surprise when I saw it. It was well executed and written and as such a worthy contribution, but the attack vector was rather obvious. Pretty much my first thought when I saw what LinkedIn is doing was "There's certainly a way to abuse this and inject false info." AFAIR similar feelings were voiced in the HN thread about the original submission.
I'm all for responsible disclosure, but in this case I don't think it was warranted.
Several others might agree with you, but the fact remains LinkedIn security missed (or ignored) a legitimate issue and released the new feature. Surely that should define whether a reward is justified.