The IETF website is not worth people hacking. If you had a bounty program, in my view you’d get things like “I can read your .htaccess file” or the equivalent – nobody cares. Maybe people will find unauthenticated access to the datatracker site and be able to do things there. Depends on what you think the risk is. The OpenSSL website is not worth people hacking. (“Yes, thanks, being able to view the site with SSLv3 is deliberate.”) Finding CVE bugs in the OpenSSL source was worth it, but OpenSSL never had a bug bounty program. Researchers are quite good about responsible disclosure. Akamai does not have a bug bounty program. We also seem to be quite good about getting responsible disclosures; this week’s BlackHat presentation (https://blogs.akamai.com/2020/08/black-hat-presentation---web-cache-entanglement.html is our take on it) is an example. In the past I’ve given T-shirts to a couple of folks.