← Back to context

Comment by swipee

15 hours ago

Expected more from Anthropic by at least giving you a bounty, because this was a novel way of bypassing their safeguards…

> Upon discovering this attack, I responsibly disclosed it to Anthropic via their HackerOne bug bounty program. They confirmed they had identified it internally but hadn't yet patched it. No bounty was awarded.

They recently mitigated the issue: Anthropic disabled web_fetch's ability to follow links on external pages, limiting navigation to web_search results and user-provided URLs.

Yeah I never get the "we knew about it internally" excuse. I can understand if another reporter got to it on the same day and they were in the process of mitigating, but even then they should have to prove it somehow.

I'm sure someone will tell me why I'm wrong but it feels like they're just dodging payouts. Reduces trust and motivation to report it.

  • you're not wrong at all, this was abysmally handled by Anthropic and is a slap in the face for OP. I would have been much more upset