Bug bounty platform vendors:

Your NDAs are creating a huge amount of unnecessary friction between security researchers and the customers you are supposedly helping.

You realize that NDAs are *not* part of the ISO standards for vuln disclosure and handling, right?

Cut that out.
Every time I see another 0day drop because of bug bounty platform-induced NDA friction, I die a little more inside.

IBM’s bug bounty platform provider rejected a CERT/CC vuln coordination attempt as OUT OF SCOPE.

You can’t make this up. 🤦🏽‍♀️

https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md

/ht @tqbf
I don’t always feel like Cassandra, but when I do, it’s because I’ve been saying BB platforms’ default NDAs are ruining vuln disclosure since I worked for one.

https://twitter.com/wdormann/status/1252573192515960832
Do I hear a deeper-vocal range echo in here?

I think this opinion is only unpopular among bug bounty platform vendors & the companies they trick into thinking this is normal or ok.
You can follow @k8em0.