1. 26
  1. 2

    This is great! What do you think about the 20% bonus when providing a fix. It sounds like a wrong incentive, because from my knowledge it is best practice to report the vulnerability as soon as possible.

    1. 2

      If you’re the first nice person to find it and an attacker is already exploiting it, reporting it soon lets people deploy mitigations. If you’re the first nice person to find it and it isn’t being exploited in the wild then keeping it secret doesn’t impact anyone else and is a gamble:

      • If someone else finds it and reports it, you get nothing.
      • If no one else reports it until you provide a fix, then you get 20% more.

      My guess would be that 20% is a sufficiently small extra incentive that you’d only bother with it for fairly simple fixes - if it’s a lot of effort then you’re better off looking for the next bug - and so it won’t cause a very long delay anyway and the risk of someone else reporting it first helps nudge this incentive.

      1. 1

        I don’t have any experience with that program or platform, but I would assume that you could report early and contribute / give suggestions or even retest within the discussion of that ticket. That’s how we do it at my workplace at least.

        1. 2

          True, but keeping the vulnerability secret gives you a head start. I have no idea if that’s actually an issue in practice.

          1. 1

            Yeah but if you found it, then technically anyone could find it. It basically provides an incentive to find/fix bugs.

      2. 1

        A bit surprised that Odoo made it into this program, considering it has a fairly large organization behind it providing commercial support.