Security Radar 4 #538
Comments
Dang.
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
New 0, Triaged 31. @TheHmadQureshi We should go through and sort these tickets by priority. Some still need to be validated and some may be dupes.
I've posted our queue in the description so that it carries forward from week to week.
It's kind of amazing how activity on HackerOne generates activity on HackerOne. New 12, Triaged 27.
New 2, Needs More Info 1, Triaged 29.
Seems like the $1 bounties are coming across as insulting: https://twitter.com/merttasci_/status/710617553400369152 Maybe we should drop the bounties entirely for theoretical risks?
It depends on whether the reports are viable threats. How much are other organizations paying for reports of the same type of threats?
Check our security policy: we differentiate four levels of risk/viability, and the suggestion is that we offer no bounty for the lowest risk level.
Other orgs offer 10x what we're offering, but we're small and of humble means. :)
This is a terminology problem, then. If people are submitting risks and then getting mad that you're calling them "theoretical," they obviously thought the risk was more substantial. Is there some way to link to a set of example reports that fall within each category?
That hasn't been the case. It's outside observers that are seeing our $1 bounties on https://hackerone.com/hacktivity and commenting about it on Twitter.
Well, there's always #236.
Yeah, fair enough. Let the peanut gallery be the peanut gallery.
How about we hide the amount of the bounty?
Booooooooo. We're an open company! :)
Oh yeah. But as we are gonna disclose the bug, the amount will be revealed, but at least that won't feel awkward on Hacktivity.
If we feel awkward about it then we shouldn't do it. If we should do it then we don't need to feel awkward. :)
Also, I think we want to show up on Hacktivity, right? It looks like listing bounties there is all or nothing.
I.e., we can't show the $40 payouts but not the $1 ones. Right?
I mean, the $1 bounties are for theoretical risks. If someone is humiliated by that then they should make better reports. :-)
Yes, that's what I am saying. Don't show bounties on H1. As soon as we disclose the bug (which is certain), the bounty will be visible as well, but until then it will only say: Gratipay rewarded Hammad with a bounty.
On the other hand, we were getting some press from our $1 bounties, now we don't have that.
Let's own it! We're small, but we're at the table. Why hide? :-)
Reminds me of when I used to deliver produce for the forerunner of Clarion River Organics. I would roll up to the Giant Eagle warehouse in our small, unrefrigerated, non-dock-height box truck, and get in line right alongside all of the big ol' 18-wheelers. 🚚
← Security Radar 3
Docs
http://inside.gratipay.com/howto/sweep-the-radar
Scope
This radar covers Gratipay's security program, including:
Security Team
issues
Queue
Unclear Risk
https://hackerone.com/reports/117187
https://hackerone.com/reports/117195
Severe Risk
Moderate Risk
Mild Risk
https://hackerone.com/reports/76304
https://hackerone.com/reports/76306
https://hackerone.com/reports/80907
https://hackerone.com/reports/90805
https://hackerone.com/reports/108645
https://hackerone.com/reports/109161
https://hackerone.com/reports/111325
https://hackerone.com/reports/115284
https://hackerone.com/reports/117739
https://hackerone.com/reports/117984
https://hackerone.com/reports/118699
https://hackerone.com/reports/120026
https://hackerone.com/reports/123688
https://hackerone.com/reports/123697
https://hackerone.com/reports/118023
Theoretical Risk
https://hackerone.com/reports/78151
https://hackerone.com/reports/81701
https://hackerone.com/reports/90777
https://hackerone.com/reports/90778
https://hackerone.com/reports/116147
https://hackerone.com/reports/117142
https://hackerone.com/reports/117330
https://hackerone.com/reports/117386
https://hackerone.com/reports/117833
https://hackerone.com/reports/123742
https://hackerone.com/reports/123942
https://hackerone.com/reports/123897
https://hackerone.com/reports/124096