Comment by andersa
2 years ago
Based on some (admittedly not very thorough) search, this documentation was posted in 2021, three years after my report.
But that would still mean they didn't intend to fix it, hence not giving bounty is fair.
It's a bug bounty, not a "only if we have time to fix it" bounty.
He found a security problem, they decided not to act on it, but it was still an acknowledged security problem.
>It's a bug bounty, not a "only if we have time to fix it" bounty
It's only a bug if it's not intended.
The point of a bug bounty is for companies to find new security problems.
If the (class of) problem is already known, it’s not worth rewarding.
The property (“bug”) in question is an inherent and intentional property of Merkle-tree type storage systems such as git.
Calling this a bug is like reporting that telnet sends information unencrypted.
The actual bug is in the way that their UX paradigm sets user expectations.