Forum Discussion
When is a vulnerability not a vulnerability?
As republished from my blog, SheHacksPurple.
Recently, I was discussing the types of submissions that are often declined by bug bounty programs with Tomer Schwartz, who works as part of the Mic...
These are interesting points. I don't have experience with bug prize hunters. But at my job i had to hire security auditors annually to check our sites and systems for vulnerabilities and sometimes had to argue about "criticalness" of some of the reported vulnerabilities. Also, participating in a few Open Source projects (one of them has web admin console) and seeing a fair number of reports about CSRF in various places of said console, though with a very little real world impact. At least none of the reporters asked for money :) But i guess they build their credibility this way by reporting a bunch of CSRF bugs in various software.