Company: doesn't have a bug bounty program
Me: I've found this vulnerability [details sufficient to fix included], and have discovered a marvelous exploit chain that I have not been incentivized to provide.
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Sunday, 19-May-2024 19:41:08 JST
Simon Zerafa (simonzerafa@infosec.exchange), Sunday, 19-May-2024 19:47:03 JST:
That sounds like a very good marginal comment worthy of the greats such as Fermat 🙂👍
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Sunday, 19-May-2024 19:54:28 JST:
@simonzerafa I just dug up the email address for the person in charge of security at a company and emailed him basically "Here's the bug, yes it's practically exploitable, no I won't give you a PoC", let's see if they fix it.
Simon Zerafa (simonzerafa@infosec.exchange), Sunday, 19-May-2024 19:58:16 JST:
No security.txt then either? 😇🤷‍♂️
"I have this perfectly marvelous proof of concept which this email will not contain" would be how I would have expressed the same as yours did 😁
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Sunday, 19-May-2024 20:22:43 JST:
@simonzerafa That implies I have a PoC, which I don't, because I can't be bothered.