• kuhli@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    arrow-down
    1
    ·
    1 month ago

    Y’all really need to read past the headline:

    the bug that Paul found seemingly wouldn’t be triggered anyway, as the relevant section of the code wasn’t being called to begin with

    • rustydrd@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      I guess it’s one of those “justifiable but unwise” sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don’t want is to create the perception that the work of devs who look for these vulnerabilities isn’t appreciated, for example, by skimping on bounties over technicalities.

      Paying the 10k doesn’t ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs’ trust that keeps this program effective. From a financial point of view, this is some very poor decision making.

    • AAA@feddit.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      If it’s in the code, it’s a bug. If it’s not used, then remove it entirely. Everything in the code should be treated as operational.