hakluke/bug-bounty-standards

Open/triaged report left without update for >12 months

Opened this issue · 5 comments

bl4de commented

Issue: Report is open/triaged for more than 12 months. There is no update from the program for several reasons:

  • the asset the report was referring to does not exist anymore (it was decommissioned by the program, rebuilt with a different tech stack and the vulnerability is no longer present/not reproducible, etc.)
  • the program is no longer active or was closed before the report was resolved

Despite several requests for an update from the Hacker, there is no clear response from either the program or the platform's triage team.

Prerequisites

  • the vulnerability was valid at the moment it was reported, and the report itself follows all requirements of a valid report
  • no bounty was awarded
  • the report has been open/triaged for more than 12 months and at least 180 days have passed since the latest activity in the report (update from the platform/program etc.)

Proposed resolution: The platform should respond in less than 90 days with proposed ways of resolution. The report should be closed either as Informative, if there is no clear way to determine the real impact/validity of the reported vulnerability (no PoC, screenshots etc.), or as Resolved, if there is clear evidence that the vulnerability was in fact found and reported in the expected way (the report contains screenshots, PoC, video, detailed reproduction steps etc.) and the severity is at least Low.

I believe the details about the final state of the report depend on the platform, but in general the report should be handled in favor of the Hacker (so it should count as a valid report, allow gaining reputation or other points awarded by the platform etc.).

Other things to consider:

  • if the program was paying bounties for valid, resolved reports - what is the platform expected to do in such a case
  • should disclosure be allowed - if yes, who makes the final decision (the Platform or the Hacker, as the platform is no longer a part here)

Exclusion

  • the report has been open for more than 12 months, but the program responds in a timely manner that it is working on a resolution and gives updates in response to the Hacker's comments/requests for an update

Rationale

I can confirm that the scenarios described in this issue exist. I have several reports stuck in such a situation; some of them have been open and triaged for around 4 years now.
Example: I was asked to verify fixes applied to an asset which is no longer even available online. When I commented on this, there was (and still is) no response from the platform's triage team member(s), for 9 months now. The report was triaged 3 years ago in a program where, according to statistics, 96% of reports "Meet response standards" defined by the platform and the average time to resolution is 6 months.

In this case, if the bug was originally validated + triaged by the platform, I think that it should be paid in full. Taking the asset offline may have been a result of receiving the report, and even if it wasn't, the slow response time is not the fault of the hacker.

bl4de commented

@hakluke Thank you for the feedback. I'd love to see from the platforms some standardised way of handling such situations.

In your opinion - what is the best way to handle such "ghost reports", which have no chance anymore of being handled in the expected way, but still appear in the hacker's Inbox as not fully resolved/closed, followed by a complete lack of any response/feedback from the platform/program for months or years?

@bl4de any reason you closed this issue? No commits have been made to the project, and this is still a very real situation which could happen in any bug bounty program.

bl4de commented

@ItsIgnacioPortal I was just doing a general clean-up across my open issues/PRs. As there has been no activity here for almost 3 years, I assumed it was safe to close it.
I am happy to reopen it if that makes sense.

@bl4de Please do reopen, as no response has been given to this issue. It's a bit ironic that an issue about abandoned reports was abandoned itself hahah