Comment by dunkelheit
7 years ago
So even Latacora-advised startups use plain old email for bug bounties. Why then does the blog post recommend using Signal for that?
7 years ago
So even Latacora-advised startups use plain old email for bug bounties. Why then does the blog post recommend using Signal for that?
Because Signal would be better than the PGP theater. In practice, though, it doesn't matter; people are just going to use plain old email no matter what. They're not going to encrypt their findings to you.
Anecdote about said startups: in 2y of the one big bounty that did have a PGP key, we got one PGPd report, and it was “session takeover”: if I copy the cookie out of Burp and into a new Incognito session, I will be logged in. Bounty plz?
We also got super clever reports on that same bounty program. They just sent email.
Maybe all PGP users are morons, that's beside the point. My point is that if someone recommends something but doesn't follow their own recommendation, it is most likely that the recommendation is not well thought-out and can be ignored. In this case the recommendation to use Signal looks more like a refutation of the point brought up by PGP advocates and not something that anyone would actually do.
1 reply →
> PGP theater
Hmm I don't see it as theater if you are unable to intercept and decrypt my message. Or forge my signature, etc.