I previously worked with an individual who had been employed by Obama's 2012 campaign and she gleefully described using the same sorts of tactics that were suddenly so scandalous after Trump got elected. The problem here is the amount of data being collected and the potential for and actual instances of abuse, not who is abusing it. But apparently it's totally cool if "your side" is doing it.
Maybe I was cultured to begin with! :D
There is a point when food attributed to a culture but not invented by it gains authenticity - when the culture that it is attributed to adopts it. A few examples:
- Tikka Masala (British)
- Burrito (California)
- Sriracha Sauce (California)
- Pepperoni (New York?). But we're still waiting on the Italians on this one.
Was Valve technically within their rights to ban this researcher? Sure. Was it a move that advanced Valve's interests in any way? Obviously not.
In general, having a Bug Bounty program is good. We can agree on that, right?
Most Bug Bounty programs have a scope, and staying inside the scope is important to the business for reasons. My guess is that most scopes are defined by a combination of confidence in the security of the code, resources to triage vulnerabilities in that part of the code, and the risk to the business from vulnerabilities found in different parts of the code.
That is to say, I suspect that either Valve doesn't have many developers well versed in that part of the code base, or they are not confident in the security of that code base, or they considered it a low priority (even if we disagree about the priority of this vulnerability).
Now, let's pretend that I'm right about those reasons. Even further, let's pretend that they did not include it in the scope because they don't want to pay a bunch of bounties on code they knew was insecure.
(Aside: I'd much rather have companies only include things in bug bounty programs once they're confident they are secure. Relying on BB to do your security for you is begging for trouble, because then the company isn't taking responsibility for doing things securely, or even trying to.)
Given this train of thought, which is making more than a couple assumptions, I don't think their actions are extremely bad or pointless. They are trying to keep their bug bounty program in scope. Bug bounty programs involve a fair amount of trust. If that trust is broken and they don't want that researcher anymore, then that's fair.
There probably should have been better communication. It probably (definitely) shouldn't have been a WONTFIX. Overall, terrible outcome for everybody.
It's just one of those things where every decision looks reasonable in isolation and leads to a really bad outcome and the company looking terrible.
All true and utterly worthless to point out.
> The patch was almost immediately proved to be insufficient, and another security researcher found an easy way to go around it almost right away.
You might want to read the article.
Obviously it would be better if Valve fixed the issue and gave a bounty (possibly reduced, since it was out of scope).
And that's actually pretty sad, because Gitlab is the only open-source alternative that can keep up with Github feature-wise.