It's a bug bounty, not a "only if we have time to fix it" bounty.
He found a security problem, they decided not to act on it, but it was still an acknowledged security problem.
>It's a bug bounty, not a "only if we have time to fix it" bounty
It's only a bug if it's not intended.
I think a lot of developers and companies interpret "that's the way the code or process works" as intentional behavior, which is not always the case.
Do some companies intend for their platform to feature remote code execution?
The point of a bug bounty is for companies to find new security problems.
If the (class of) problem is already known, it’s not worth rewarding.
I can see this argument making a bit of sense, but if they documented this 3 years after the issue was reported, they don't have a way to demonstrate that they truly already knew.
At the end it boils down to: is Github being honest and fair in answering the bug bounty reports?
If you think it is, cool.
If you don't, maybe it's not worth playing ball with Github's bug bounty process.
If a renowned company won't pay a bug bounty, a foreign government often will.
The property (“bug”) in question is an inherent and intentional property of meekly-tree type storage systems such as git.
Calling this a bug is like reporting that telnet sends information unencrypted.
The actual bug is in the way that their UX paradigm sets user expectations.
Don't blame Git for Github decisions.
Github chooses to store all "Github forks" in the same repository, and allow accessing things in that repository even when they are not reachable by the refs in the namespace of one "fork". That is purely a Github decision.
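The property the two comments above argue over, as an added illustration that is not code from this thread or from GitHub: a content-addressed store keyed by git's own object hash, where refs are the only thing that makes an object "reachable". Everything here is an assumption for the sake of the example (the `refs/forks/<owner>/heads/...` namespacing is a stand-in for one shared object store holding several forks, the secret is a constructed string, and `prune()` models what `git gc --prune=now` would do), but the object ids are computed exactly as `git hash-object` computes them, so they can be checked against a real git.

```python
import hashlib


class ObjectStore:
    """Minimal content-addressed store using git's object hashing:
    sha1 over "<type> <size>\\0<payload>". Refs are names -> commit ids.
    Assumption for this example: one store is shared by a whole fork network,
    and each fork only gets its own ref namespace inside it.
    """

    def __init__(self):
        self.objects = {}   # oid -> (type, payload)
        self.refs = {}      # ref name -> commit oid

    def put(self, otype, payload):
        header = f"{otype} {len(payload)}\0".encode()
        oid = hashlib.sha1(header + payload).hexdigest()
        self.objects[oid] = (otype, payload)
        return oid

    def get(self, oid):
        """Fetch by hash: succeeds whether or not any ref reaches the object."""
        return self.objects[oid]

    def blob(self, data):
        return self.put("blob", data)

    def tree(self, entries):
        # git tree entry: "<mode> <name>\0" followed by the raw 20-byte id
        payload = b"".join(
            f"{mode} {name}\0".encode() + bytes.fromhex(oid)
            for mode, name, oid in sorted(entries, key=lambda e: e[1])
        )
        return self.put("tree", payload)

    def commit(self, tree_oid, parents, message):
        lines = [f"tree {tree_oid}"] + [f"parent {p}" for p in parents]
        lines += ["author Alice <alice@example.com> 0 +0000",
                  "committer Alice <alice@example.com> 0 +0000", "", message]
        return self.put("commit", "\n".join(lines).encode() + b"\n")

    def _children(self, oid):
        otype, payload = self.objects[oid]
        if otype == "commit":
            for line in payload.decode().split("\n"):
                if line == "":          # end of header, message follows
                    break
                key, value = line.split(" ", 1)
                if key in ("tree", "parent"):
                    yield value
        elif otype == "tree":
            i = 0
            while i < len(payload):
                nul = payload.index(b"\0", i)
                yield payload[nul + 1:nul + 21].hex()
                i = nul + 21

    def reachable(self):
        """Objects a normal clone could see: walk the Merkle DAG from every ref."""
        seen, stack = set(), list(self.refs.values())
        while stack:
            oid = stack.pop()
            if oid not in seen:
                seen.add(oid)
                stack.extend(self._children(oid))
        return seen

    def prune(self):
        """Model of `git gc --prune=now`: drop every object no ref reaches."""
        removed = set(self.objects) - self.reachable()
        for oid in removed:
            del self.objects[oid]
        return removed


def demo():
    shared = ObjectStore()                     # one store for the whole fork network
    secret = shared.blob(b"AWS_SECRET_ACCESS_KEY=EXAMPLE-NOT-REAL\n")  # constructed
    readme = shared.blob(b"# project\n")

    # Alice pushes a branch to her fork that accidentally carries the secret.
    t_leak = shared.tree([("100644", ".env", secret), ("100644", "README.md", readme)])
    c_leak = shared.commit(t_leak, [], "add config")
    shared.refs["refs/forks/alice/heads/main"] = c_leak
    # Upstream's branch never contained it.
    t_clean = shared.tree([("100644", "README.md", readme)])
    c_clean = shared.commit(t_clean, [], "initial")
    shared.refs["refs/forks/upstream/heads/main"] = c_clean
    reachable_before = secret in shared.reachable()

    # Alice rewrites history and force-pushes; no ref reaches the secret any more.
    shared.refs["refs/forks/alice/heads/main"] = c_clean
    reachable_after = secret in shared.reachable()

    # Anyone who knows the id can still pull the object out of the shared store.
    fetched = shared.get(secret)[1]

    # Only pruning the shared store actually destroys it.
    pruned = shared.prune()
    try:
        shared.get(secret)
        gone = False
    except KeyError:
        gone = True
    return {"secret": secret, "reachable_before": reachable_before,
            "reachable_after": reachable_after, "fetched": fetched,
            "pruned": pruned, "gone": gone}
```

Deleting the ref changes what a clone will receive, not what the store holds; that is the Merkle-tree property one side calls inherent. Whether a hosting platform should let objects in a shared store be fetched by hash across forks, and how promptly it prunes them, is the platform decision the other side is pointing at.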
s/meekly/Merkle/g