Comment by belter
3 years ago
Worth quoting here...
"...In the process of disclosing and patching this vulnerability, the Harvest team was barely responsive. The company acknowledged the vulnerability by triaging but took a very long time to fix the vulnerability. After 3 years of reporting, the company finally fixed the vulnerability silently and didn't bother to inform...no bounty or even HackerOne points were rewarded by the company..."
And from the company page...
https://www.getharvest.com/security
"...Harvest cares deeply about protecting the privacy of the data entrusted to us by our customers. This is one of the core values at the heart of our business... "
"Harvest cares deeply about profiting from the illusion of the privacy around the data we harvest from customers. Profit is one of the core values at the heart of our business"
> All data stored on Harvest and Forecast is safe, secure, and reliable. For us, it’s the only way to do business.
Lol
Hey! I'm part of Harvest Security Team. We'll be changing the way we do this, but by the time this happened I triaged the report after reading it because it really looked legit. The reality is that we were never able to reproduce and there was no explicit fix.
The issue stayed in the Triage state and I missed the reporter's updates. I talked to the author of the post and I believe we are on good terms now.
The security and privacy of our customers is extremely important to us; everything we say on our security page is true, and I've been working on this for years.
Question to mods: Was there any particular reason why this post was moved to the bottom of the thread? I can see the reasoning if a person mentioned in the post replies that their answer is moved to the top of the thread. But are HN mods now also moving posts independently of the upvotes? Are the criteria mentioned somewhere?