
(author of the blog post here)

> It's not clear whether the asshole in question is being dogmatic about some ninety-day disclosure-to-publication deadline or whether they're maybe being rude about the project having security bugs.

Being dogmatic about 90-day disclosure would get you a "hardline security reporter", but not an "asshole".

Notably, because there has been no reporter who refused to extend by a reasonable number of days, for us. "Hey, can we get 120 days, because we have other bugfixes and we want to do all of them together."

No, we're talking about actual assholery here:

- requesting an answer and reproduction within 24 hours, and sending 10 mails in the meantime;

- sending the same issue more than 10 times, because the stack trace he has is slightly different, but refusing to listen when told that this was the same issue, and therefore only one bounty;

- refusing to read the guidelines, and refusing to test the good version, and then insulting us;

- aggressiveness, or insults, to the point where the HackerOne team had to intervene several times;

- plugging the output of his fuzzer into HackerOne without checking whether it actually crashes or whether it is a different bug;

- submitting the same bug to a different program (Google Android Apps) to get 2 times the bounty, while the bug DID NOT apply to Android, but he did not even check;

- a few others that I forgot.

So yeah, this is not about dogmatists or hardliners: we know how to deal with those in open source communities.



Did you really get any of these, or were you exaggerating?

>people telling us that the VLC source code was visible

If you really did and they're public anywhere (and the people weren't joking), I'd love to see them. Sounds absolutely amazing.


> Did you really get any of these, or were you exaggerating?

All of these, in this single 3-month bug bounty program. I'm absolutely not exaggerating.

> If you really did and they're public anywhere (and the people weren't joking), I'd love to see them. Sounds absolutely amazing.

This is on our private security@ contact. We have one every month, telling us that.


That's amazing ... I don't know how anyone would even get to the point of realizing VLC has a bug bounty program without also knowing that VLC is an open source program and therefore the source is supposed to be visible.
