There is definitely politics involved, but not H1 internal. The issue is that every program handles disclosure itself, so H1 itself doesn't really have the power. That could be changed at a policy level, but I'm not sure that'll happen (or should happen, honestly; I don't really know where I land on it).
From what I see, your value proposition is both to bug bounty hunters and to companies who see a value in having Hackerone manage their bug bounty program.
This effect (no matter the cause) of the incident is about the worst thing that could happen to a company whose value proposition is that. It's like the bad old days where companies would legally threaten you if you found a bug, and from an outside perspective, Hackerone seems to promote it.
If I were an ethical hacker, I'd think twice before using your bug bounty program for fear of that treatment.
If I were a potential customer (or even a current customer), I don't know if I'd want to be associated with a company that tolerates veiled threats against ethical hackers.
"The worst H1 or a client can do is kick you off the platform."
As a hacker on hackerone, this is not my understanding of the relationship. Generally speaking the programs give you "authorized access" under the CFAA conditional on following the disclosure guidelines. I don't know about for other countries, but for the US I'm pretty sure this means that breaking the guidelines means you've retroactively committed a felony.
Now it seems a little questionable whether any federal prosecutor would actually take the case, but it definitely doesn't seem like a strictly civil issue to me.
CFAA could (and likely would) apply for remote vulnerabilities i.e. exploiting SQLi on someone else's servers; but in the case of local privilege escalation like this particular case all the exploiting/testing happens on systems owned and controlled by the researcher, so it doesn't violate CFAA and doesn't need any permission from Valve - the breach happened with authorization from the system owner.
You need permission to pentest someone else's systems, you don't need permission to pentest software on your own systems even if that software is written by someone else. In an enterprise setting it's possible that you have signed a contract where you agree not to do such testing or not to publicize its results; but violating that would be a civil matter regarding the terms of that contract, not a felony in respect to CFAA.
I agree, if you're testing someone else's website or servers, you should comply with the scope and disclosure rules or not do the testing, unless the vendor has something else on their website that implicitly authorizes testing (like an email address to send reports to).
But that doesn't apply to Steam; nothing they write can really impact your ability to conduct security research on your own computer.
Yeah, agree in this specific case about local research (barring DMCA issues). Most H1 scopes seem to be remote targets as opposed to downloadables though.
I'm having trouble thinking of a single researcher that has left the US for legal reasons. There are lots of researchers now in Southeast Asia! But that's because bounty programs like H1 let those people work remotely.
Among other reasons, because the site is literally stuffed to its gills full of people reporting bullshit security issues, like "user impersonation possible" (if you convince a user to open developer tools and give you their session cookie), and H1 wouldn't be doing any good if it generated a constant stream of people "WONTFIX-disclosing" those reports.
I don't quite follow this reasoning. Are you saying that by allowing people to make their NA / WONTFIX reports public, it will dilute the H1 brand? Does association with H1 have a significant effect on the perceived legitimacy of individual public disclosures? Why does this matter?
My presumption is that the "other reasons" are business/political and centered around the desire to provide value to or establish goodwill with corporate partners.
People can publish whatever they want, and the only thing H1 can do about it is disinvite them from their platform. But anyone who suggests that H1 encourage people to publish NA/WONTFIX bugs probably hasn't had much contact with H1 bounty reports.
In reality, valid bugs being quashed by vendors is not the real problem H1 has.
I would rather suggest that H1 discourage (or even prohibit) their partners from dis-inviting reporters for publicizing NA/WONTFIX bugs.
In this particular case, it sounds like H1 (or an employee thereof) actively discouraged disclosure, which seems like a problem.
> In reality, valid bugs being quashed by vendors is not the real problem H1 has.
There can clearly be more than one problem. I still fail to see the relevance of the "bug report quality" problem to this discussion (beyond explaining why automatic disclosure of NA/WONTFIX reports is not helpful).