https://m.stacker.news/26939

No matter how much effort you invest or how objectively severe the vulnerability you find is, you can always be brushed off with a "We believe it's not that serious" or "Someone else has already reported it." Essentially, you're blindly trusting companies to pay you after you did the job and reported it to them, with no kind of contract backing the employment relationship.

It's no coincidence that the prices for this kind of information on the dark web are much higher than on official bug bounty platforms: demand is greater, opportunity cost is lower and market equilibrium is more genuine. We need stronger incentives if we want to stay ahead in the cybersecurity war.

Trezor is transparent with these discoveries: https://trezor.io/learn/a/past-security-issues

reply

I wonder if there are any websites for tracking bug bounty submissions, to determine if anyone else had actually made a company aware of something.

reply

It would be a hacker's goldmine, if this data got out. Basically a listing of verified vulnerabilities.

reply

Another, less moral but just as interesting one would be a trivago/kayak of bug bounties: compare the prices across the board, from the expected darknet price vs. the price of reporting it to that site.

reply

It's complicated on their end too. How would they know if you were reporting the same vulnerability from several sockpuppets?

reply

Spam is everywhere and it's not easy to solve.

reply

Even though hashing language is very imprecise, as I can form the same idea many ways, I think hashing your vulnerability and then seeing if that hash has already been reported is an interesting thought experiment.

reply
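The hashing idea from the comment above, sketched as an added example (not code from this thread or from any bug bounty platform): a registry keyed by the hash of a canonicalized report, which catches trivially reformatted duplicates but, exactly as the commenter notes, not a reworded one; plus a salted commitment a reporter could publish at submission time and reveal later to prove what they reported and when. The registry design, the `ReportRegistry` class, the commitment scheme and the sample reports are all assumptions constructed for illustration.

```python
# Added example (not code from the thread or from any bug bounty platform):
# a hash-based "has this been reported?" check plus a salted commitment that
# lets a reporter later prove what they submitted and when.
import hashlib
import hmac
import re
import secrets
import unicodedata
from typing import Dict, Optional, Tuple


def normalize(report: str) -> str:
    """Canonicalize a report so trivial formatting differences do not change its hash.

    This only absorbs case, Unicode compatibility forms and whitespace; as the
    comment notes, the same finding reworded still produces a different hash.
    """
    text = unicodedata.normalize("NFKC", report).casefold()
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(report: str) -> str:
    """Unsalted hash of the canonical report, usable as a lookup key."""
    return hashlib.sha256(normalize(report).encode("utf-8")).hexdigest()


class ReportRegistry:
    """Hypothetical shared registry keyed by fingerprint (assumed design)."""

    def __init__(self) -> None:
        self._seen: Dict[str, str] = {}  # fingerprint -> id of first reporter

    def register(self, reporter: str, report: str) -> bool:
        """Return True if this is the first time the fingerprint is seen."""
        key = fingerprint(report)
        if key in self._seen:
            return False
        self._seen[key] = reporter
        return True

    def first_reporter(self, report: str) -> Optional[str]:
        return self._seen.get(fingerprint(report))


def commit(report: str, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Salted commitment the reporter can publish without revealing the report.

    The salt stops a third party from confirming a guessed report against the
    published digest; it is revealed together with the report later.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + normalize(report).encode("utf-8")).hexdigest()
    return digest, salt


def verify_commitment(commitment: str, report: str, salt: bytes) -> bool:
    """Check a revealed (report, salt) pair against an earlier commitment."""
    expected, _ = commit(report, salt)
    return hmac.compare_digest(expected, commitment)


# Constructed sample reports (not real findings).
REPORT = "Stored XSS in the profile bio field; payload persists after logout."
REPORT_REFORMATTED = "  stored xss in the PROFILE bio field;\npayload persists after logout.  "
REPORT_REWORDED = "Profile bio accepts script tags that survive logout (stored XSS)."


def demo() -> dict:
    """Run the registry and commitment flows on the constructed reports."""
    registry = ReportRegistry()
    first = registry.register("alice", REPORT)
    duplicate = registry.register("bob", REPORT_REFORMATTED)
    reworded = registry.register("carol", REPORT_REWORDED)
    commitment, salt = commit(REPORT)
    return {
        "first_accepted": first,
        "reformatted_rejected_as_duplicate": not duplicate,
        "reworded_slips_through": reworded,  # the imprecision the comment points out
        "commitment_verifies": verify_commitment(commitment, REPORT, salt),
        "tampered_reveal_fails": not verify_commitment(commitment, REPORT_REWORDED, salt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two hashes serve different purposes: the unsalted fingerprint is what a shared registry would need for duplicate lookups, while the salted commitment is what a reporter would publish to establish priority without disclosing the finding. Neither closes the gap the commenter identifies; a reworded report gets a new fingerprint, so a registry like this could only ever catch near-verbatim resubmissions.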

I second you. My friend reported a vulnerability in a popular crypto wallet to the concerned people and it looks like they responded saying they aren't able to reproduce the issue. My friend tested on three phone brands and confirmed that the vulnerability is exploitable on multiple devices. The vulnerability still exists and they haven't done anything to fix it for months.

reply

we already lost the cybersecurity war

reply

Bug bounties should encourage and incentivize. Not paying because of something secret is baaad practice.

reply

Who is fighting in this war? What's this war for?

Some people often say that Bitcoin is for criminals and there are also people who say Bitcoin is for freedom.

The same goes for cybersecurity. Who doesn't want to watch a pirated video just free of cost? Who doesn't do it? Sometimes, it's better to judge everything with a little more rationale, instead of downvoting it straight away.