
Rewards for vuln disclosure.


  • Rewards for vuln disclosure.

    Dumb idea, though I thought it was cool. By posting this, I'm not claiming that any part of this software is insecure, rather I'm brainstorming ideas to make it even more secure by encouraging 'security researchers' to privately disclose newly discovered vulnerabilities to the developers as opposed to sharing them with their little buddies.

    Going to try something different; instead of creating a wall of text, I'll just copy and paste where I got the idea from:

    Piwik Security Bug Bounty Program

    The Piwik Security Bug Bounty Program is designed to encourage security research in Piwik and to reward those who help us create the safest Web Analytics platform.

    The bounty for valid critical security bugs is $500 (US) cash reward. The bounty for non-critical bugs is $200 (US), paid via Paypal.

    The bounty will be awarded for security bugs that meet the following criteria:

    • Security bug must be original and previously unreported
    • Security bug is present in the most recent supported or release candidate version of Piwik
    • If two or more people report the bug together the reward will be divided among them

    Same idea, just replace "Piwik" with "VBSI" and probably lower the bounty too.
    - Maurice Workin' in the Jira mine, goin' down, down, down

  • #2
    I don't think that's a dumb idea... Seeing the example of Piwik, you should take into account it was born as an open source project; nevertheless, they've been running a bug bounty program for 8 years now. As opposed to vBulletin, which is not open source software and people pay for it! And yes, by posting this, I'm claiming that some part of this software is insecure: I've recently discovered some security vulnerabilities affecting the latest versions of vBulletin, but I see no reason why I should report them for free!


    • In Omnibus commented
      So, you're bumping an eight-year-old thread to report security vulnerabilities that you're not reporting? Bull.

  • #3
    My name is Shaye Lynne, please kindly contact me through my Email
    Thank you.
    Last edited by Mark.B; Wed 27 Feb '19, 3:53am. Reason: email removed


    • #4
      The support team cannot contact anyone by email.
      If you need to contact the various teams here, please use the contact form.

      TalkNewsUK - My vBulletin 5.6.2 Demo
      AdminAmmo - My Cloud Demo

