7 comments

[ 4.5 ms ] story [ 30.0 ms ] thread
> They politely replied that they don’t provide bug bounties and the endpoints have been patched.

Yeah. No wonder people are selling this stuff.

At this point I feel like an anonymous platform for publicly available bugs and vulns like this would be a good thing.

Oh, you don't do a bug bounty, and you say it's fixed when it clearly isn't? Okay, then it shouldn't be a problem if I publicly name, shame and provide a POC for everyone to see.

Though, I'm sure most people would just sell it to a vulnerability broker instead and make a quick buck.

Note: Such a platform I'm invisioning here would definitely be illegal. I'm aware.

While I support companies having bug bounty programs, I also can’t justify why a company must be obligated to provide a bug bounty program.

It’s like obligating companies to have a user feedback program.

You just described any darknet market

Some of them even have „autoshops“ where you can sell cc info to the system with price limit and buyers get matched like in a financial market with an orderbook. No shit

“We don’t do bug bounties, but here’s our customer data.”
orderby: "id DESC"

I sure hope the backend uses prepared SQL statements.