Comment by rcxdude

1 month ago

It's at the minimum a bit impolite to leave the system more vulnerable in between sending the report and the report being received and acted on.

It didn't become any more vulnerable.

This is security, you have to have procedures for when you get owned; the bug bounty program is orthogonal to that.

If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

  • > It didn't become any more vulnerable.

    That depends on how secret the URL was. If you go from needing an exploit to just visiting a guessable link, that's significantly more vulnerable.

    > If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

    Well most people wouldn't, and for good reason.