
I wonder how one should proceed (if not working for any of these big tech companies) when one discovers a bug as critical as Heartbleed?


1. Keep a timeline.

2. Ask to speak to a representative of the people developing the thing on the telephone.

3. Between the two of you, figure out who to tell next.

4. Realize that other people may find the bug, too. You have some time, but not infinite time.


It's only fair to publicly disclose immediately. You can't possibly alert every trustworthy company on earth.

Now, if you want a bug bounty, you have to file a report and wait a certain amount of time before you are allowed to disclose.


You don't want to disclose it before releasing a patch.



