
Isn't that a potential information leak, though? A potential black-hat attacker could sit around and brainstorm a big list of potential vulnerabilities without going through to figure out if they exist and are exploitable. Then they can start submitting them, and if they get closed as duplicate, they can quickly dive into that one, figure out how to exploit it, and make use of it for nefarious purposes.

Maybe that's a little farfetched, though.



Mozilla just recently changed their program to divide bounty amongst submissions of same vuln within 3 days.

Not a perfect fix, but I think it helps.


>Mozilla just recently changed their program to divide bounty amongst submissions of same vuln within 3 days.

One potential issue: someone on the Mozilla team could pass some of these on to a few friends who then claim some of the money.

It's not a major likelihood, unless the bounties are numerous or especially large.


>A potential black-hat attacker could sit around and brainstorm a big list of potential vulnerabilities without going through to figure out if they exist and are exploitable. Then they can start submitting them, and if they get closed as duplicate, they can quickly dive into that one, figure out how to exploit it, and make use of it for nefarious purposes.

So long as there is a bit of lag before confirmation (which, in practice, there already is), the vendor would know about the issue at least several days in advance of the black-hat even getting a hint and could hopefully patch it in that time.

For especially big holes, just take a bit longer than usual to get back to people until it's fixed.


No, it's exactly the sort of thought process people have.

Another scenario is someone does what you suggest after finding a real vulnerability, to waste the team's time while they exploit the real vulnerability.


Honestly, neither of these things would ever happen. It just doesn’t work that way and wouldn’t make sense for them to go about it that way.

