Comment by eterm

3 years ago

So, bug bounty programmes sprang up as a way to help coordinate disclosure and help researchers engage in responsible disclosure.

A key part of responsible disclosure is the disclosure part.

Often researchers would disclose unpatched issues to put weight on companies, even large companies, to actually patch issues.

One of the side-effects of programs like Hackerone is that actually doing your own responsible disclosure is now frowned upon (often to the point of legal problems).

But part of the social contract of absorbing coordinated disclosure should be an expectation that hackerone allows disclosing even unfixed issues.

Hackerone should not be "beholden" to companies. They make the rules. They could allow disclosure of issues if they wanted to make that a condition of the platform.

It's companies sitting on vulnerabilities that birthed the concept of "responsible disclosure" in the first place. If H1 etc. are allowing it, then there needs to be a renaissance of the practice outside the platforms.

“responsible disclosure” is a meme to reframe immediate full disclosure as irresponsible. It is not.

Feel free to post all research results to f-d in full. This is a reasonable and responsible way to notify companies about vulnerabilities.

So, it basically sounds like we are missing a governing body consisting of researchers, with possibly a tiered disclosure process (for severity) and the possibility to _maybe_ apply for an extension of disclosure. Would this ever happen?