• kuhli@lemmy.dbzer0.com · 78 up, 7 down · 2 days ago

    Y’all really need to read past the headline:

    the bug that Paul found seemingly wouldn’t be triggered anyway, as the relevant section of the code wasn’t being called to begin with

    • AAA@feddit.org · 15 up, 1 down · 15 hours ago

      If it’s in the code, it’s a bug. If it’s not used, then remove it entirely. Everything in the code should be treated as operational.

      • GreenKnight23@lemmy.world · 9 up, 1 down · 15 hours ago

        ding ding ding!

        no, don’t comment it out.

        no, don’t soft-block it.

        no, don’t not call it.

        just fucking delete it.

    • iglou@programming.dev · 14 up · 21 hours ago

      Even if it were that simple, this is still a vulnerability that is basically a time bomb. The day that code would have been triggered would have been disastrous.

      But this isn’t new: bug bounties tend to have terms as strict as they can to deny you the bounty, while they obviously end up fixing issues that don’t qualify for the bounty. All because of reason X or Y that turns out to be a subjective interpretation of a vague enough eligibility requirement.

    • rustydrd@sh.itjust.works · 111 up · 1 day ago

      I guess it’s one of those “justifiable but unwise” sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don’t want is to create the perception that the work of devs who look for these vulnerabilities isn’t appreciated, for example, by skimping on bounties over technicalities.

      Paying the 10k doesn’t ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs’ trust that keeps this program effective. From a financial point of view, this is some very poor decision making.

      • Smoogs@lemmy.world · 16 up, 2 down · 1 day ago (edited)

        Sure, however it’s still worth calling out that clickbait headlines and reactionary posters are all being bad actors here in the misinformation spread.

        Probably more important as then developers don’t back out over being emotionally manipulated by fake bullshit.

    • monotremata@lemmy.ca · 14 up · 1 day ago

      Okay, yes, but that’s because they had messed up their application enough that the updater itself couldn’t be updated, which they presumably discovered in the process of trying to remedy his bug. That is, the flaw he found couldn’t actually be exploited only because of a deeper flaw he hadn’t found. (Shades of the Sirius Cybernetics Corporation there, whose deep fundamental design flaws were almost totally hidden by their superficial design flaws.) He still led them to a critical vulnerability that took them months to fix.

      • smeenz@lemmy.nz · 4 up · 22 hours ago (edited)

        Sirius Cybernetics Corporation? They’re a bunch of mindless jerks who’ll be the first against the wall when the revolution comes.