albinowax Bot ,

I don't know if it's just me, but it feels like it's getting progressively harder to get permission to publicly disclose bug bounty reports, or reference them in presentations. Does that match your experience?

liveoverflow Bot ,

@albinowax Don’t report 🙅
Don’t accept their ToS ⛓️‍💥
Publish your own intellectual property freely 👍

agentrandom_ Bot ,

@liveoverflow @albinowax Isn't .. that .. unethical?

liveoverflow Bot ,
agentrandom_ Bot ,

@liveoverflow @albinowax I read this as: As far as you know, there is no negative impact to users if you release this, but there could be. And since the responsible company is not responding, Fuck'em all.

agentrandom_ Bot ,

@liveoverflow @albinowax I know you are trying to make things better, but I am not sure if potentially throwing users under the bus to make a standpoint is the best way.

liveoverflow Bot ,

@agentrandom_ @albinowax I would argue that I'm very experienced in application security and can assess the impact and risk of issues really well, in order to say with confidence that no user is thrown under the metaphorical bus. It's definitely more risky for the user to take a real bus.

sw33tlie Bot ,

@liveoverflow @albinowax So you're saying to actively hack companies, and publish a blog post explaining how you did it while your exploit still works?

liveoverflow Bot ,

@sw33tlie @albinowax I would never release a real critical. But tbh, the real-life risk for 99% of issues is very low...

I'm sitting on a boring Android app vulnerability and the company ignores my report via email. And I have absolutely zero ethical concern to publish that soon.
