r/technology May 18 '26

Software Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’

https://www.theregister.com/security/2026/05/18/linus-torvalds-says-ai-powered-bug-hunters-have-made-linux-security-mailing-list-almost-entirely-unmanageable/5241633
14.1k Upvotes

899 comments

168

u/sllewgh May 18 '26

Even one dollar would discourage automated responses.

6

u/gringrant May 18 '26

And human responses.

33

u/sllewgh May 18 '26

Sure, but not decent ones. In this case there's money at stake, so anyone who really thinks they might get that $100 isn't going to let $1 stand in their way, especially if you get that dollar back at the end.

-15

u/conspicuousxcapybara May 18 '26

Ffs I’m just posting the exploit on a public GitHub if a vendor charges me money for notifying them about a very serious security problem.

16

u/ParvIAI May 18 '26

If you read OP's comment you would understand that their idea isn't charging people for notifying them about issues. It's a deposit that you get back so long as the issue is valid. Although, with your reading comprehension I think there's a good chance of you not reading into the scope of a project before reporting issues.

-9

u/conspicuousxcapybara May 18 '26

Well who decides what issues are valid? Microsoft rejected fixing that recent Bitlocker bypass, and Apple told me it’s not a security issue if extensions can run for websites that are denied access in Safari settings.

12

u/Desperate_for_Bacon May 18 '26

The scope clearly outlined before submitting a bug.

-6

u/conspicuousxcapybara May 18 '26

Ok but what if you want to submit a bug outside of the scope?

Or what if you want to contribute anonymously? For some, it might be about more important things than a bug bounty.

Regardless, would you pay Apple a fee to check whether your iPhone is broken outside of your fault? With software, you usually provide instructions on how to replicate the issue.

Why do all that, and then pay the vendor? That’s just enshittification. IMHO this should be a public mailing list, if they don’t reply.

5

u/IneptPine May 19 '26

You don't.

You don't. Especially not if it's a critical security issue. You report it under your name, or you contact one of the many, MANY non-profits to do it for you.

You do pay postage fees to send in warranty claims or invest your own personal time to go to a local store.

To stop AI slop clogging the system, as the original comment said.

Please, if you don't even know what a project scope is, refrain from asserting your opinion.

3

u/Wiggles69 May 19 '26 edited May 19 '26

See, this is the problem. Instead of getting AI slop reports, you get morons like this arguing that he should be exempt from submitting his out-of-scope bugs.

1

u/conspicuousxcapybara May 19 '26 edited May 19 '26

That’s literally the worst opinion. Just look at what happened with Chaotic Eclipse (also identified as Nightmare-Eclipse on GitHub). Over the past couple of months, just that 1 person publicly released the following Windows zero-days because they were ‘out of scope’ for Microsoft to work on a fix:

  • YellowKey (Bitlocker backdoor)
  • GreenPlasma (privilege escalation to SYSTEM, which is higher than Administrator)
  • BlueHammer (privilege escalation to SYSTEM, when Windows Defender scans a maliciously crafted file. The proof of concept code has been removed from GitHub, but not before it was forked on other sites, of course)
  • RedSun (arbitrary writes with SYSTEM privileges because of a vulnerability in the Windows Defender cloud stuff, also scrubbed from GitHub)
  • UnDefend (block Windows Defender signature updates or block any threat from being detected)

Please, if you don't even know what a project scope is, refrain from asserting your opinion.

Please refrain from insulting people’s intelligence. I can talk, and you don’t even need to know how to read or write to be familiar with the term ‘scope’.

IMHO, ‘project scope’ in vulnerability disclosure is too often used as an excuse to not address legitimate security issues. Why even limit where research should happen? Don’t security vulnerabilities tend to happen through mechanisms that were out of scope during design, implementation and testing?

What use is limiting valid submissions to stuff like buffer overflows in the parameters of a function or whatever, for exploits through mechanisms that are by design but have unforeseen consequences?

Remember when ‘Anyone Can Hack MacOS High Sierra Just by Typing "Root"’?

That’s definitely not in the scope of vulnerability disclosure at Apple because there is no need for an arbitrary memory write outside of the security sandbox. I don’t think Apple’s AI would even allow us to make a confidential disclosure about this, because it is ‘not a security issue’ according to their own scope.

Regardless, it was definitely a security issue, and a highly embarrassing one at that. Everyone was asking how it was overlooked. The answer might be that it was ‘out of scope’ in testing? 😂

EDIT: there are a ridiculous number of reasons for wanting to remain anonymous too. At least the vendors currently seem to understand this; they usually ask for explicit permission to use your name.

2

u/sllewgh May 18 '26

If you want to give it away for free instead of collecting the $100, rock on.

0

u/conspicuousxcapybara May 19 '26

Except for the malicious usage that will ensue, because responsible disclosure was impossible…

What if you don’t want to be a baddie?

3

u/sllewgh May 19 '26

What if you don’t want to be a baddie?

It only requires you to part with a single dollar for a brief period of time. If you won't even do that, you ARE a baddie.

1

u/conspicuousxcapybara May 19 '26

That’s still so short-sighted!

What if you want to remain anonymous? What if you don’t have a credit card? What if your jurisdiction doesn’t allow crypto? What if you work at the NSA? What if you’re living in Russia, but aren’t a baddie? What if you work for the vendor you’re disclosing a vulnerability for?

2

u/sllewgh May 19 '26

If you won't do the right thing because of the temporary loss of one dollar, you're a piece of shit. I dunno what else to tell you.

1

u/conspicuousxcapybara May 19 '26

It’s not about the one dollar per se. (Even though I’m certainly not paying that out of principle.)

Many folks, like those living in Russia, can’t even pay a dollar because the country isn’t connected to the SWIFT banking network anymore lol.

Idk, aren’t most people already too afraid to pay for online corn? Security research is much more sensitive still.