Ask HN: Bounty hunter's dilemma: accept the bounty and sign an NDA, or disclose publicly?
4 points • by deep_thinker26 • 9 months ago
Hi everyone,

I recently found a high-criticality vulnerability in a listed consumer company in the UK. It allows unauthorized access to users' private messages and even lets you impersonate other users on the platform.

They've offered a €1,000 bounty, but only if I sign an NDA that prevents any public write-up—even after the issue is patched.

I feel the bounty is too low for the impact, and asking to sign an NDA that prevents any public disclosure even post-fix feels like a big red flag.

I'm leaning towards declining the offer and doing a public write-up once the issue is fixed—but I'd really welcome opinions from others on what the right thing to do here is.

Thanks!