
Comment by EE84M3i

3 years ago

Hackerone is beholden to the company running the bug bounty program. The extent that they are involved heavily depends on what services they are providing (triage, etc). At the most basic level, they're just providing a platform for disclosure of vulnerabilities and some boilerplate legalese to prevent legal departments from suing researchers.

In the vast majority of cases, companies deny requests for public disclosure. A researcher that discloses regardless of permission violates their agreement with hackerone and the company and exposes themselves to legal liability. In this case it seems the company agreed to public disclosure, which IMO should be applauded, even if their response was very slow.

I've personally had several four figure bugs unremediated for >1year, but I never thought it was hackerone's fault.

Author of the blog post here. Yes, I agree that it wasn't Hackerone's fault and they tried their best to help.

As for the violation of agreement with hackerone, I have read the policy many times before publishing the article and even asked Hackerone about this. The vulnerability is already fixed and I haven't heard from Harvest since April 2022 so there's no point asking them as it would seem like a threat rather than an actual disclosure. An excerpt from the agreement:

> Last resort: If 180 days have elapsed with the Security Team being unable or unwilling to provide a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the Finder. We believe transparency is in the public's best interest in these extreme cases.

So, bug bounty programmes sprung up as a way to help coordinate disclosure and help researchers engage in responsible disclosure.

A key part of responsible disclosure is the disclosure part.

Often researchers would disclose unpatched issues to put weight on companies, even large companies, to actually patch issues.

One of the side-effects of programs like Hackerone is that actually doing your own responsible disclosure is now frowned upon (often to the point of legal problems).

But part of the social contract of absorbing coordinated disclosure should be an expectation that hackerone allows disclosing even unfixed issues.

Hackerone should not be "beholden" to companies. They make the rules. They could allow disclosure of issues if they wanted to make that a condition of the platform.

It's companies sitting on vulnerabilities that birthed the concept of "responsible disclosure" in the first place. If H1 etc are allowing it then there needs to be a renaissance of the practice outside the platforms.

  • “responsible disclosure” is a meme to reframe immediate full disclosure as irresponsible. It is not.

    Feel free to post all research results to f-d in full. This is a reasonable and responsible way to notify companies about vulnerabilities.

  • So, it basically sounds like we are missing a governing body consisting of researchers with possibly a tiered disclosure process (for severity) and the possibility to _maybe_ apply for an extension of disclosure. Would this ever happen?