
> In the questions at the end, he points out that bug bounties are a PR problem. When you pay a bug bounty and fix, the researcher needs to shut up instead of going public about the vulnerability. Of course, the researcher needs the publicity to build a business & credibility. So bug bounties are likely to die.

Because security researchers need to build their business, they will find vulnerabilities and disclose them, no matter what. The biggest splashes in the past year were Heartbleed and Shellshock. Correct me if I'm wrong, but neither was driven by bug bounties.

Bug bounties are a PR problem, but they are a smaller PR problem than a zero-day disclosure that results in massive exploits. The point is to get the company slightly ahead of the PR curve, not to kill disclosure (which would be impossible).



Bug bounty programs do not in general involve "shutting up the researcher". See the HackerOne disclosure page, for instance: https://hackerone.com/disclosure-guidelines

The "Disclosure Process" doesn't explicitly spell it out, because I think it's just the mental baseline assumption all the authors were operating under, but everything ends up disclosed in the end. It's just a matter of timing.

Perhaps sometimes things are hidden and never disclosed, but it is at least not the general policy.

(Disclaimer: I work for a company that is a bugcrowd customer; I chose HackerOne's policies as my point to avoid any entanglement. I'm not aware of anything we've ever permanently hidden, either.)


Bug bounties are a PR problem if handled badly. If handled well, bug bounties say "look at all of the ways we've made our product more secure". Put another way, do you think Google is less secure or more secure because of their engagement with security researchers?


When I report a vulnerability, I ask (if it's not already known) what their timetable is for patching it. If they want more than 30 days for a simple fix, I disclose immediately.

The turnaround time for most projects I've reported to was less than a week.

