Comment by coldtea 2 years ago

> It's a bug bounty, not a "only if we have time to fix it" bounty

It's only a bug if it's not intended.

6 comments

bmitc 2 years ago
I think a lot of developers and companies interpret "that's the way the code or process works" as intentional behavior, which is not always the case.

ethbr1 2 years ago
Do some companies intend for their platform to feature remote code execution?

coldtea 2 years ago
Some might very well do. E.g. a company with a service for training hackers and security researchers.
In this case the question is moot, as this doesn't involve remote code execution.

ethbr1 2 years ago
Make a general point, get a general answer.
If the criterion for a bug is "not intended", and that's solely judged by the company, then broken auth et al. suddenly become part of their product design.
If it quacks like a bug, it's a bug.

jen20 2 years ago
Remote code execution is literally a feature of GitHub…

ethbr1 2 years ago
Sandboxed code execution is a bit different than RCE.