I wouldn’t do it (I haven’t done it… I’ve found some GOOD dupes).
Rant:
I think it’s underhanded. If you are participating in a bughunt then two things are happening: you are invited to participate, play, hax… and in turn for your time and effort you are rewarded in few or many ways (status, swag or cash money… and if you’re really good a lap-dance from Casey) in return for whatever security concerns/bugs you find on the platforms you are invited to (public, private and everything in between). The other thing is the company feels it’s mature enough to take scrutiny from some of the best bug hunters in the world (and some who are learning)… this company is saying we think we have done everything we can… but we’d love you to prove us wrong.
The guy has seen his arse because he found something good that someone else already found, and he doesn’t have the integrity to continue playing the game; it reflects badly on him.
He’s like the kid that punches someone else’s cake at their birthday party because it’s not his birthday.
Moving forward:
A few incidents like this could be destabilizing confidence in big companies that don’t work as fast as lean startups where no one sleeps… EVER.
You really need people like Casey, Kate and co to deliver their views on how bug hunters should behave (if they want to participate in the programs with the likes of BC, H1, SA etc.), otherwise you’re going to get a load of professional consultants frowning on it because they know how hard it is to get things done in large environments, and then you’ll have the other category of ‘f*%k um bro’ hax da matrix, FSociety etc… that haven’t got a scooby-do what’s involved in delivering, fixing, updating, refactoring and maintaining a product.
United Airlines assumed they were ready for a bughunt (possibly because Vulnscans and crap pentests told them they are okay), or possibly because they saw bugbounties doing the rounds and they jumped in too early.
I’d like to see the emails to build a better judgement, but from what I have seen, I wouldn’t want him on my team; trust is important.
I have more respect for UA for setting up a bug bounty program; this action demonstrates that they give a shit, want to improve, and when issues are found (and that’s the purpose) they get burned…
** Someone should get their arse kicked for letting this by m testing phases, but isn’t that the point of a bug hunt, finding shit people missed?