This is why companies are afraid of bug bounties

This is a great thread, and a tough issue to reach any kind of consensus on.

There are lots of factors that can influence time to resolve. Older organizations often have the unfortunate combination of vast attack surfaces and lots of legacy LOB systems. Old systems are harder to patch, and get deprioritized against other, easier-to-fix systems. I know of a company that made the risk decision to switch off an unpatchable Windows 3.1 licensing server, only to have 1000s of users complain and force them to turn it back on.

I’m not saying it’s “right”, but I am saying it’s complex.

The key here is transparency and communication on the company side (which, of course, incurs cost and difficulty, which is one of the main reasons Bugcrowd does things the way we do), and empathy from the researchers. If either or both of these are missing, miscommunications, rogue disclosures, and other bad things happen.

Full disclosure is the symptom of process breakdown. Ultimately, it shouldn’t need to exist, but I can see why it does.

3 Likes

Okay, the opinions I am reading here don’t make any sense: “this is why c-level executives fear bug bounties”. I stand by the actions of Randy even though I don’t know him, since the exploit wasn’t in a plane.

I hack for fun still, and it doesn’t matter if you have a bounty program or not. Do I think it is okay to go public on companies? Yes, and my company still does that, especially if you don’t have a bounty program. So, bounty program or no bounty program, some of us will still find vulnerabilities and, if they are not fixed, go public. I don’t go public if it’s a Bugcrowd bounty and I haven’t gotten permission from the higher-ups at Bugcrowd.

Randy was extremely polite by informing them that he was going public long before he did, and by doing what he did the issue got patched.

I believe people are overreacting.

2 Likes

I was being a little facetious, and you made my point for me. It is amazingly easy to say “that is just a one-line fix” when you don’t know what all the dependencies are. : )