Security Vulnerability Disclosure

Discussions focus on researchers' experiences reporting security vulnerabilities to companies, often encountering unresponsiveness, downplaying, or poor handling, alongside debates on responsible disclosure, bug bounties, and company accountability.

Trend: ➡️ Stable 0.9x (Security)
Comments: 3,271
Years Active: 20
Top Authors: 5
Topic ID: #2061

Activity Over Time

Year  Comments
2007  1
2008  11
2009  34
2010  44
2011  144
2012  162
2013  338
2014  194
2015  234
2016  155
2017  208
2018  191
2019  232
2020  192
2021  227
2022  160
2023  196
2024  242
2025  280
2026  28

Keywords

AI www.vice HN SolarWinds CERT OSS BugCrowd HackerOne ID LLM security bug bounty vulnerability report security issue issue reports reported email

Sample Comments

MacroChip, Mar 25, 2023

You won't fire off a quick email nor warn others because there's no bug bounty?

coal320, Jul 9, 2025

Responsible disclosure was given. Developer doesn't seem keen on changing things.

tzs, Nov 8, 2014

You reported it through their security bug reporting form, twice. That's sufficient for now. There are two reasons they may not have acknowledged it.

1. You haven't given them enough time to acknowledge it.

2. They are not acknowledging it to limit their liability. Suppose a black hat subsequently finds it and uses it to cause harm, and a victim sues. The acknowledgement to you could be used as proof that they knew about the bug before it was exploited.

You've done all you s

CiPHPerCoder, Jun 11, 2019

Ever reported a security vulnerability to a company and had it severely downplayed before?

rvba, Dec 14, 2023

This reads more like an advertisement for the person who wrote the post - as they did not even discover the bug, just led security response.

causal, Jan 10, 2024

How did the author "fuck with" the company beyond discovering a vulnerability and helping them fix it?

jorge_leria, Oct 22, 2023

Hey! I'm part of the Harvest Security Team. We'll be changing the way we do this, but by the time this happened I triaged the report after reading it because it really looked legit. The reality is that we were never able to reproduce it and there was no explicit fix.

The issue stayed in the Triage state and I missed the reporter's updates. I talked to the author of the post and I believe we are on good terms now.

The security and privacy of our customers is extremely important to us, everythin

SeanDav, Jul 24, 2017

Although deeply unfair, this is not unusual; there have been many reported cases of companies shooting the messenger.

Unless the company concerned has a well-documented and trusted bug bounty procedure, it can be very risky to report a bug in a system if it involves any kind of hacking.

What happens is, once the "bug" is reported, someone inside the company asks "How did this happen?". Now the person responsible has 2 options: admit it was their fault and the vulnerabilit

thdxr, Jan 12, 2026

hey, maintainer here

we've done a poor job handling these security reports; usage has grown rapidly and we're overwhelmed with issues

we're meeting with some people this week to advise us on how to handle this better, get a bug bounty program funded and have some audits done

Twisell, May 11, 2018

A lot of Google employees are reading HN and actively posting, so no surprise. Did they at least contact you to properly open a ticket now that they implicitly recognized the vulnerability? Otherwise a very, very dickish move, as it solves nothing and you basically worked for free...