Currently, @kaspersky is making a very good case for not reporting security issues via their bug bounty program. After taking 8 months to resolve their issues, they are blocking publication because "users of earlier versions of the product are still vulnerable."

Feel free to guess whose decision it was to roll the fix into a major release and leave lots of users vulnerable instead of pushing out new versions of browser extensions to users on all versions.

Disclosure of two more reports has been denied because I've "requested too many tickets for disclosure at the same time." That's an interesting justification given that earlier disclosure of some reports has been denied due to similar yet unfixed vulnerabilities.

And the result of the discussion: wants to put disclosure on hold until November, to allow users to migrate to the new release. By which time the reports will be one year old. I wonder whether I am actually bound to this timeline on a public program...

@WPalant No idea what kind of ToS or other agreement you signed, but anything more than 90 days is pretty suspect.

They're just dragging their heels at this point.

@varx Public bug bounty program, so nothing special - only the usual HackerOne rules: These aren't exactly clear on timelines and such but I don't think that Kaspersky has any leverage if I decide to disclose at this point. If anything, they might complain to HackerOne about it, and I'm unsure where they will stand. Worst-case scenario - I will be banned from the platform, which isn't something I care too much about at this point.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.