Do companies refuse to fix RCE, XXE, etc?

planetzuda · April 24, 2015, 8:56am

The question is pretty straightforward do companies with bounties ever refuse to fix RCE, XXE, etc.? We don’t like spending time finding bugs no one will fix, especially critical bugs. It really bothers us when important bugs aren’t fixed.

PatrikF · April 26, 2015, 10:02am

Why shouldn’t they fix it, if they pay someone to find such vulnerabilities? Isn’t that the spirit of Bug Bounty?

planetzuda · April 26, 2015, 6:35pm

PatrikF,
Not all bounties are equal. We hope for that spirit, but many bounties don’t have it and ignore critical bugs. Those types of companies make bounties because they look good to their customers, board of directors, and if publicly traded it looks good to stock holders.

4lemon · April 30, 2015, 2:49pm

I had a directly opposite situation. Mail.ru paid for XXE that was out of scope.

planetzuda · May 2, 2015, 10:36am

Thanks! That’s been recorded on the spreadsheet of company responses with your handle. https://docs.google.com/spreadsheets/d/1ovzdpsEjGTplUC2kaUaMZcXRJzaM9FmnMX5NGXl0cyo/edit#gid=0

Topic		Replies	Views
Should bounty companies pay for bugs in third party software? Starter Zone	2	2439	August 18, 2015
This is why companies are afraid of bug bounties Starter Zone	22	7765	November 24, 2015
Keeping track of how companies respond to bug reports Starter Zone	13	5454	April 10, 2015
Oracle's CSO "No, You Really Can't" analyze their code Starter Zone	5	3191	August 25, 2015
What would you do if devs refused to fix security holes? Starter Zone	14	4817	July 10, 2015

Do companies refuse to fix RCE, XXE, etc?

Related Topics