Ask HN: Bug bounty dilemma: accept the bounty and sign the NDA, or go public?
Hi everyone,

I recently found a high-criticality vulnerability in a listed consumer company in the UK. It allows unauthorized access to users’ private messages and even lets you impersonate other users on the platform.

They’ve offered a €1,000 bounty, but only if I sign an NDA that prevents any public write-up—even after the issue is patched.

I feel the bounty is too low for the impact, and asking to sign an NDA that prevents any public disclosure even post-fix feels like a big red flag.

I’m leaning towards declining the offer and doing a public write-up once the issue is fixed—but I’d really welcome opinions from others on what the right thing to do here is.

Thanks!