Bumped into a creative way of running an alibi program: reflective counts as "low impact" which is worth merely 2.5% of the maximal bounty amount. I guess that listed under scope exclusions and very low average bounty should have been a warning sign to me.

I think that encourages this behavior by not providing useful guidelines on determining severity. does better with their vulnerability rating taxonomy, barely any programs deviate significantly from it and it's always obvious.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.