
An XSS vulnerability report was made via Open Bug Bounty, which was fixed, confirmed and a reward was made.

The reporter has marked the issue as resolved. They have further offered to remove the vulnerability from the Open Bug Bounty archive.

Being unfamiliar with Open Bug Bounty, I'm not sure if this is a good or a bad thing. The vulnerability was ethically reported in the open, so the fact that there was a report is already on the public record. The only reason I can think of to remove it is reputation protection, and even then it doesn't seem like a very strong reason.

My inclination is to leave it in the archive by default and that removal looks suspicious.

Is there a good reason to remove a report from the archive?

Joe

1 Answer

On the Open Bug Bounty website about page, it states:

...security researcher[s] can delete the vulnerability submission at any time before public disclosure of the vulnerability details. However, once disclosed, the submission can no longer be deleted to prevent undue pressure on the researchers. We never remove any information about vulnerabilities for political or business reasons.

The only real reason the reporter is offering to delete this report is likely because once the vulnerability is publicly disclosed, it's public and cannot be deleted.

I can't think of any good reasons to have the report be deleted prior to public disclosure. There are plenty of good reasons to postpone a disclosure, but not to delete one.

Contact the reporter to confirm they have no other concerns about this report. While unlikely, they could have a legitimate reason to delay the public disclosure.

Best practice would be to go forward with public disclosure under your agreed disclosure timeline.

(That said, if the reporter chooses to delete the submission of their own volition without your input, that's their right according to how Open Bug Bounty is set up.)

drivec