
I found a pretty serious bug in a major service provider’s 2FA practices. The first time I reported it, they told me I was wrong. The second time I reported it, they actually tried to reproduce it and had an “omgwtf” moment.

They closed it with severity 8.8 on HackerOne but the bounty wasn’t very high given how serious it was. There’s not really any sorta process for selling your bugs elsewhere though, you know?



