Hacker News

> Of course. But everything is limited and for each scenario there's a specific chance that will happen. Some RSA key sizes are breakable if you can put a lot of computing power behind.

I can agree with you that brute-force attacks should not be within the scope of such a bug bounty prize or competition (unless somebody has exposed a flaw that allows for very easy brute forcing).

But that's not what's happening here. What's happening here is that the people running the show are handing out a few pieces of encrypted information and saying that since nobody can crack their stuff using that handed out information, their system is secure. It's easy to be confident in a controlled sterilized environment.

The blogger is pointing out that an attacker could very well have access to a lot more information and functionality than what they are handing out. They are only demonstrating that their system is safe in a "good case scenario" when everything goes as planned. They have not demonstrated that their system is secure if everything doesn't go as planned, if suddenly the attacker found a way to spoof the email messages and send his own prodding cypher, or something to that flavor, which isn't part of the neat little package they have arranged as part of the competition.

Saying that "that's most likely not the case, the hackers wouldn't have any more information or access" just is not a rebuttal to that. It's not a rebuttal to anything, it's just a brain fart.



