Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
poniko a day ago

The NDA part feels really murky.

tptacek a day ago | parent [-]

It's pretty standard for bounty programs. If you don't like it, which is reasonable, do what this researcher did and just post independently.

asadotzler a day ago | parent | next [-]

That's an exaggeration. Most industry leaders do not require NDAs, only coordinated disclosure.

Mozilla's program, which has been around longer than most, doesn't. Google and Microsoft don't. Meta and Apple don't.

This is water carrying, intentional or not, for a terrible practice that should be shamed, so that it doesn't become standard.

tptacek a day ago | parent [-]

My understanding is that all Bugcrowd bounties do by default.

You can shame it all you want, but you can also just publish your bugs directly. Nobody has to use the Bugcrowd platform. You don't even have to wait 45 days; I don't buy these "CERT/CC" rules.

pyman a day ago | parent | prev [-]

The bug bounty world is a funny one. I remember one complaining that their bug was dismissed and fixed after they signed an NDA, no payout, nothing. Another one got $100 instead of $5,000 because the company downgraded the severity from high to low. So they ended up with little or no money, and no recognition either. Not sure if these were edge cases, but it does make you wonder how fair the process really is.

tptacek a day ago | parent [-]

If you're dealing with large companies, a good rule of thumb is that the bounty program is incentivized to pay you out. Their internal metrics improve the more they pay; the point is to turn up interesting bugs, and the figure of merit for that is "how much did we have to spend". At a large company, a bounty that isn't paying anything out is a failure.

All bets are off with small random startups that do bug bounties because they think they're supposed to (most companies should not run bounties). But that's not OpenAI. Dave Aitel works at OpenAI. They're not trying to stiff you.

Simultaneous discovery (either with other researchers or, even more often, with internal assessments) is super common. What's more, you're not going to get any corroboration or context for them (sets up a crazy bad incentive with bounty seekers, who litigate bounty results endlessly). When you get a weird and unfair-seeming response to a bounty from a big tech company, for the sake of your own sanity (and because you'll probably be right), just assume someone internal found the bug before you did, and you reported it in the (sometimes long) window during which they were fixing it.

pyman a day ago | parent [-]

Interesting insights, thanks for sharing