
> Most bug bounties encourage responsible disclosure, which was not done in the original blogpost.

The original blog post basically summed up and condensed what everybody who knows about HTML could have seen. I didn't even blink in surprise when I saw it. It was well executed and written, and as such a worthy contribution, but the attack vector was rather obvious. Pretty much my first thought when I saw what LinkedIn is doing was "There's certainly a way to abuse this and inject false info." AFAIR similar feelings were voiced in the HN thread about the original submission.

I'm all for responsible disclosure, but in this case I don't think it was warranted.



Several others might agree with you, but the fact remains LinkedIn security missed (or ignored) a legitimate issue and released the new feature. Surely that should define whether a reward is justified.



