top | item 44582820


ragona | 7 months ago

(Note: I also work for OpenAI Security, though I've not worked on our bounty program for some time. These are just my thoughts and experiences.)

I believe the author was referring to the standard BugCrowd terms, which as far as I know are themselves fairly common across the various platforms. In my experience we are happy for researchers to publish their work within the normal guidelines you’d expect from a bounty program — it’s something I’ve worked with researchers on without incident.


winstonhowes | 7 months ago

100%. We want to ensure we can fix real security issues responsibly before details are published. In practice, if a researcher asks to disclose after we've addressed the issue, we're happy for them to publish.

DANmode | 7 months ago

In practice, it sounds like you guys didn't accept this dude's valid vuln because he didn't register and sign his life away.