Comment by dunkelheit
7 years ago
> > Put a Signal number on your security page to receive bug bounty reports, not a PGP key.
Does anyone actually do this? Even Signal developers themselves don't! (see https://support.signal.org/hc/en-us/articles/360007320791-Ho...). Instead there is a plain old email address where you are supposed to send your Signal number so that you can chat.
We manage bug bounties for a bunch of different startups, and I can count on zero fingers the number of times I've had to use PGP in the past year for that. In practice, people just send bugs with plain 'ol email.
I used to get about 1 or 2 PGP-encrypted emails with security bug reports per year when I managed this for my employer. There's a dedicated team that receives security reports now, with email feeding into an automated ticketing system with automatic acknowledgements, reminders, spam filters, PagerDuty alerts, etc. There's a huge amount of tooling and workflow built around email, with a lot of integrations into all kinds of enterprise software. Often the only sane way to trigger all this stuff is to send an email.
So I think the result of removing PGP will be even more plain 'ol email than anything else.
It sounds like you’re saying “and that’s why GPG is good”, but I read that as an argument why there’s a very high probability that one of those things is going to spill the beans, plaintext, in an email anyway.
1 reply →
So even Latacora-advised startups use plain old email for bug bounties. Why then does the blog post recommend using Signal for that?
Because Signal would be better than the PGP theater. In practice, though, it doesn't matter; people are just going to use plain old email no matter what. They're not going to encrypt their findings to you.
4 replies →
If the people from Signal start a conversation with you on the number you emailed, how do you know it’s actually them? Couldn’t it be a third party who intercepted your email?
You need to check their “safety number”, and now we’re back to the same idea as with PGP with web of trust and key sharing parties.
At some point you still need some kind of pub-key identity check if you don’t want to accidentally report your vulnerability to PRC instead.
Right, that's insecure. Maybe they should, you know, put a PGP key on their website? :)