Comment by sumedh

4 months ago

> THEN the researcher eventually goes public.

He should have said that since it's not going to be fixed, he will just inform the individual companies.

Once they'd brushed him off and made it clear they were not interested in listening to him, resolving the bug, or living up to the usual expectations that researchers have in companies claiming to have bug bounties on HackerOne, I'd say they lost any reasonable expectation that he'd do that.

I'll note he did go to the effort of having the first stab at that sort of resolution, when he pushed back on HackerOne's inaccurate triage of the bug as an SPF/DKIM/DMARC email issue. He clearly understood the need for triage for programs like this, and that the HackerOne internal triage team didn't understand the actual problem, but again was rebuffed.