Let's have a #RealTalk moment. In recent years there has been a degeneration of the software bounty industry. Focussing on MSFT here (but it's not exclusive to their program). We had a lot of, "not a boundary", "that thing is not in scope", nerfing the payouts into the ground 1/n
One of my favourites: "this app has live updates so we don't assign CVEs". And finally, on-prem critical infra like Exchange and SharePoint aren't eligible at all (lol wut, come again?)
I'm honestly baffled by this. For example, look at this RCE for Teams => github.com/oskarsve/ms-te… marked as "Important/Spoofing" (maybe like 3k bounty?) but at the same time p2o paying out 200k
I'm not sure what the strategy is here but nerfing payouts into non-existence (5k EOP lol wut, come again?) and/or obscuring bugs doesn't decrease their impact or their real value. I think it only makes private sales much more attractive and is a detriment to everyone ¯\_(ツ)_/¯
Have we really forgotten about this collectively?