the most recent hackerone issue was filed because the user googled "[another project] bug bounty program", clicked the first link (to #curl's bug-bounty) and entered an issue about a completely different project...
#curl
in reply to daniel:// stenberg://

That seems like a great way to donate to curl without having funds yourself! Just pass on the issue and earn a bounty! 💸
in reply to ThomasToSpace

I believe in this case the project the user was looking for does not actually have a bug-bounty... And the issue that was reported did not look like a genuine issue to me...
in reply to daniel:// stenberg://

Our experience with HackerOne was that it was a great flypaper for poor and clueless security reports. Seems these reporters have more issues sending an e-mail to our security address. For us, HackerOne was just a waste of time.
in reply to 🔗 David Sommerseth

@dazo For us the complete opposite: we have 72 reported confirmed CVEs through hackerone so far, in a little over five years. Sure there is junk, but the good outweighs the crap by far for us.
in reply to daniel:// stenberg://

That's good to hear!

It's some years since we pulled out, so my memory is fragile. But IIRC, we had about a handful of valid tickets (5-7ish) and some hundred with pure noise in a couple of years. And most real security researchers reached out via e-mail anyhow.

in reply to 🔗 David Sommerseth

@dazo I can assure you that they do not reach out by email if you clearly document there is a single entry for security vulnerabilities...