Currently, @kaspersky is making a very good case for not reporting security issues via their bug bounty program. After taking 8 months to resolve their issues, they are blocking publication because "users of earlier versions of the product are still vulnerable." #infosec
@WPalant No idea what kind of ToS or other agreement you signed, but anything more than 90 days is pretty suspect.
They're just dragging their heels at this point.
@varx Public bug bounty program, so nothing special - only the usual HackerOne rules: https://www.hackerone.com/disclosure-guidelines. These aren't exactly clear on timelines and such but I don't think that Kaspersky has any leverage if I decide to disclose at this point. If anything, they might complain to HackerOne about it, and I'm unsure where they will stand. Worst-case scenario - I will be banned from the platform, which isn't something I care too much about at this point.