Difference between revisions of "Talk:Security issues"
Maike Short (talk | contribs) (KF got a bounty) |
Soft Linden (talk | contribs) m (tag cleanup) |
||
Line 4: | Line 4: | ||
<del>I am wondering if LL has every actually payed a bounty. I did some asking around in world and there is quite a number of people saying they did not receive any compensation but none that said (s)he got something. In case this is this whole bounty issue is not just some '''PR lie''' it should be way more transparent. Listing the Jira numbers that got a bounty and the ones that did not, including the reason. At least it should be publicly available how long backlog is (number and opening date of last jira processed). The backlog seems to be about two years.<del> | <del>I am wondering if LL has every actually payed a bounty. I did some asking around in world and there is quite a number of people saying they did not receive any compensation but none that said (s)he got something. In case this is this whole bounty issue is not just some '''PR lie''' it should be way more transparent. Listing the Jira numbers that got a bounty and the ones that did not, including the reason. At least it should be publicly available how long backlog is (number and opening date of last jira processed). The backlog seems to be about two years.</del> | ||
<del>I usually provide information about security to the vendors/providers without expecting anything in return beside being mentioned in the public advisory. But if the vendor/provider does make PR with announcing a bounty (and i am not talking about the stunt of "$L10,000" vs. "31€") it should be paid. Otherwise it leads to thoughts about how much a headline "Possible mass account compromise at Second Life because of insecure password transmissions." would be worth. Don't get me wrong I would never sell a bug to the press but promising something and not sticking to it leads to frustrations. A simple solution would be to be honest and remove that section from the (protected) page. --[[User:Maike Short|Maike Short]] 22:46, 4 April 2009 (UTC)</del> | <del>I usually provide information about security to the vendors/providers without expecting anything in return beside being mentioned in the public advisory. But if the vendor/provider does make PR with announcing a bounty (and i am not talking about the stunt of "$L10,000" vs. "31€") it should be paid. Otherwise it leads to thoughts about how much a headline "Possible mass account compromise at Second Life because of insecure password transmissions." would be worth. Don't get me wrong I would never sell a bug to the press but promising something and not sticking to it leads to frustrations. A simple solution would be to be honest and remove that section from the (protected) page. --[[User:Maike Short|Maike Short]] 22:46, 4 April 2009 (UTC)</del> | ||
: I got a report from a friend that she did actually receive a bounty the day before yesterday for an issue that was confirmed and fixed 4 month ago. --[[User:Maike Short|Maike Short]] 16:42, 9 April 2009 (UTC) | : I got a report from a friend that she did actually receive a bounty the day before yesterday for an issue that was confirmed and fixed 4 month ago. --[[User:Maike Short|Maike Short]] 16:42, 9 April 2009 (UTC) |
Latest revision as of 09:04, 9 April 2009
- Could someone update the protected page and remove the outdated information about the old bounty program: "Linden Lab Bounties" --Linden Lab Bounties 18:22, 2 March 2009 (UTC)
- The bounty program still exists for security issues. Unfortunately, the payouts are sometimes a little slow. --Soft Linden 18:27, 2 March 2009 (UTC)
- Well, "a little slow" seems to be a huge understatement. We are not talking about hours or days. Not even weeks. But month and perhaps even years. It feels dead.
- The bounty program still exists for security issues. Unfortunately, the payouts are sometimes a little slow. --Soft Linden 18:27, 2 March 2009 (UTC)
I am wondering if LL has every actually payed a bounty. I did some asking around in world and there is quite a number of people saying they did not receive any compensation but none that said (s)he got something. In case this is this whole bounty issue is not just some PR lie it should be way more transparent. Listing the Jira numbers that got a bounty and the ones that did not, including the reason. At least it should be publicly available how long backlog is (number and opening date of last jira processed). The backlog seems to be about two years.
I usually provide information about security to the vendors/providers without expecting anything in return beside being mentioned in the public advisory. But if the vendor/provider does make PR with announcing a bounty (and i am not talking about the stunt of "$L10,000" vs. "31€") it should be paid. Otherwise it leads to thoughts about how much a headline "Possible mass account compromise at Second Life because of insecure password transmissions." would be worth. Don't get me wrong I would never sell a bug to the press but promising something and not sticking to it leads to frustrations. A simple solution would be to be honest and remove that section from the (protected) page. --Maike Short 22:46, 4 April 2009 (UTC)
- I got a report from a friend that she did actually receive a bounty the day before yesterday for an issue that was confirmed and fixed 4 month ago. --Maike Short 16:42, 9 April 2009 (UTC)