
Over a year ago, I reported a few security vulnerabilities to one of the top bug bounty programs on HackerOne. All of them were quickly triaged as critical, but no progress has been made towards their resolution. I have repeatedly pinged them for an update, but every time I have received evasive answers. The program's response efficiency metrics seem to indicate that this is not the case with other reports, or at least some of them. What should I do in this situation? I have already tried the HackerOne mediation system with no success.

  • What do you believe to be a reasonable timeframe for them to fix the bugs? –  Mar 03 '21 at 14:31
  • 3
    [Relevant text from Bruce Schneier](https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html). In short, if *responsible disclosure* doesn't work, publish. – vidarlo Mar 03 '21 at 14:35
  • As I stated in the question, over a year has passed (almost two years). Considering the vulnerabilities are critical and easy to fix (even by an intern), I believe they should have been fixed within a month. –  Mar 03 '21 at 14:35
  • @ConcernedCitizen123 Then send them an e-mail that you have given them ample time to fix it now. Inform them that for the sake of the customers, you will publish the vulnerability in the beginning of May 2021. –  Mar 03 '21 at 14:47

1 Answer


As many experts would agree, it is time you follow the (not so desirable) second part of responsible disclosure: give the security team a timeframe of 1-3 months, after which you will disclose the vulnerability.

Responsible disclosure isn't only about communicating with the developer team to fix their security issues; it is about evaluating on your own just how much of an impact the vulnerability has, and how much time is reasonable to fix it. It would be unfair to the users to keep a critical vulnerability unfixed and unreported, given how much of an impact it would have if actively exploited. Sadly, sometimes the only way of making a company react is by publishing your findings.

This was not legal advice; this was not advice; I am not responsible for the actions of those who read this.