Forum Discussion
Tanya Janca
Oct 09, 2018 | Former Employee
When is a vulnerability not a vulnerability?
As republished from my blog, SheHacksPurple.
Recently, I was discussing the types of submissions that are often declined by bug bounty programs with Tomer Schwartz, who works as part of the Mic...
wroot
Oct 10, 2018 | Silver Contributor
These are interesting points. I don't have experience with bug prize hunters. But at my job I had to hire security auditors annually to check our sites and systems for vulnerabilities, and sometimes had to argue about the "criticalness" of some of the reported vulnerabilities. Also, participating in a few Open Source projects (one of them has a web admin console), I have seen a fair number of reports about CSRF in various places of said console, though with very little real-world impact. At least none of the reporters asked for money :) But I guess they build their credibility this way by reporting a bunch of CSRF bugs in various software.