disclosure – Page 4 – WindowsTechs.com

Bug Bounty Programs Are Being Used to Buy Silence

Posted on April 3, 2020 by Bruce Schneier

Investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers: Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug… Continue reading Bug Bounty Programs Are Being Used to Buy Silence→

Bug Bounty Programs Are Being Used to Buy Silence

Posted on April 3, 2020 by Bruce Schneier

Marriott Was Hacked — Again

Posted on April 2, 2020 by Bruce Schneier

Marriott announced another data breach, this one affecting 5.2 million people: At this point, we believe that the following information may have been involved, although not all of this information was present for every guest involved: Contact Details (e.g., name, mailing address, email address, and phone number) Loyalty Account Information (e.g., account number and points balance, but not passwords) Additional… Continue reading Marriott Was Hacked — Again→

What is the oldest security bug bounty / vulnerability disclosure program? [closed]

Posted on February 26, 2020 by greggles

I’m aware that Facebook had a paid bug bounty program quite early. This article notes the 5th anniversary so the program existed in 2011.

I’m curious about other programs, regardless of:

Whether a service (e.g. Facebook) or a software v… Continue reading What is the oldest security bug bounty / vulnerability disclosure program? [closed]→

Let’s make ransomware MORE illegal, says Maryland

Posted on January 29, 2020 by Lisa Vaas

… with a clumsily worded proposed bill that wouldn’t protect researchers. Continue reading Let’s make ransomware MORE illegal, says Maryland→

DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy

Posted on November 27, 2019 by Bruce Schneier

The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it. The devil is in the details, of course, but this is a welcome development. The DHS is seeking public feedback…. Continue reading DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy→

NordVPN Breached

Posted on October 23, 2019 by Bruce Schneier

There was a successful attack against NordVPN: Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN’s network or for a variety of other sensitive purposes. The name of the third certificate suggested it could… Continue reading NordVPN Breached→

NordVPN Breached

Posted on October 23, 2019 by Bruce Schneier

How do I sell critical vulnerability info to private company?

Posted on October 11, 2019 by Titan

Here is the story. There is a private company, that has some software product that is used by thousands of its customers. After spending few sleepless nights on reverse engineering that product, I identified a critical flaw i… Continue reading How do I sell critical vulnerability info to private company?→

I found an XSS site while searching [duplicate]

Posted on October 4, 2019 by su3158

This question already has an answer here:

How to handle security issues of someone else’s website

2 answers

I found a site where XSS is running
I want to report this site because it is dangerous for others
Where should I report it?

Continue reading I found an XSS site while searching [duplicate]→