Currently, @kaspersky is making a very good case for not reporting security issues via their bug bounty program. After taking 8 months to resolve their issues, they are blocking publication because "users of earlier versions of the product are still vulnerable." #infosec
Disclosure of two more reports has been denied because I've "requested too many tickets for disclosure at the same time." That's an interesting justification given that earlier disclosure of some reports has been denied due to similar yet unfixed vulnerabilities.
@WPalant No idea what kind of ToS or other agreement you signed, but anything more than 90 days is pretty suspect.
They're just dragging their heels at this point.
@varx Public bug bounty program, so nothing special - only the usual HackerOne rules: https://www.hackerone.com/disclosure-guidelines. These aren't exactly clear on timelines and such but I don't think that Kaspersky has any leverage if I decide to disclose at this point. If anything, they might complain to HackerOne about it, and I'm unsure where they will stand. Worst-case scenario - I will be banned from the platform, which isn't something I care too much about at this point.