2 upvotes, 2 direct replies (showing 2)
View submission: Announcing Reddit’s Public Bug Bounty Program Launch
Do you think that something that exposes user information in an unintended way, but wouldn't really be any kind of attack vector fit? (because the data exposed can be gathered by other means anyway)
Comment by SirensToGo at 15/04/2021 at 00:29 UTC
8 upvotes, 1 direct reply
Bug bounty programs generally adjudicate based on risk. If an identical thing can be done using normal paths, it’s very unlikely that this bug actually has any risk. If this allows you to bypass rate limits or other controls you may be on to something though!
Comment by pcapdata at 15/04/2021 at 22:05 UTC
1 upvote, 0 direct replies
Reddit has regulatory requirements to safeguard user data. If the data are available somewhere else, it doesn't relieve Reddit from that responsibility.