Reply to post: Re: This happens all too often

Uber explains itself after 'moving the goalposts' on its new bug bounties

sysconfig

Re: This happens all too often

That's exactly the issue with slippery bug bounty rules.

If, as a company, you run a bug bounty scheme properly and pay for valid submissions (and then go and amend your code), you can improve your code.

If, on the other hand, you keep changing rules to dodge payments, many bounty hunters will think "screw it" - or worse: sell it elsewhere. The result is that security issues get out into the open, and the code of the site remains vulnerable. The company achieves the exact opposite of what bug bounty schemes are intended to achieve: they become more vulnerable, faster than they would if they didn't have any bug bounty scheme to begin with.

Uber, like many others, seems to think a bug bounty is a marketing stunt. Well, wait until it backfires.
