Comment by cyrnel

2 years ago

Security disclosures are like giving someone an unsolicited gift. The receiver is obligated to return the favor.

But if you buy someone non-refundable tickets to a concert they already have tickets for, you aren't owed compensation.

Security disclosures are like telling someone they have a spot on their face. It's not always welcome, and there's no obligation on anyone to do so, nor anyone to return the favor.

In this case, the spot turned out to be a freckle, which everyone involved already knew was a freckle (since it was documented), and if anyone owes anyone anything, it's the researcher that owes GitHub for wasting their time.

> Security disclosures are like giving someone an unsolicited gift.

Exactly.

> The receiver is obligated to return the favor.

Not at all. This is a very toxic expectation.