Companies without bug bounties don't deserve responsible disclosure? Twitter has a pretty clear way to reach them, and recognition is given on their page. If recognition isn't sufficient for responsible disclosure, how much money would be enough? I think bug bounty programs are great, but I don't think they should be mandatory.
That seems to be homakov's view, yes, and I can't say I don't understand his view.
If you seek out bugs in a company's code with the expectation that you'll be rewarded for it, and then the company fails to reward you, I can see that it might be perceived as unfair, especially if the company indicated that such an expectation was reasonable.
If you happen across a bug in a company's code, and then publicize it because they aren't going to pay you money for it, that seems a little more like "blackmail." People really shouldn't orient their moral systems around money.
A. Homakov could do nothing. This leaves Twitter in the same state that it is now, but if everybody did this, it is likely that nefarious people would find and exploit bugs in Twitter.
B. Homakov could donate his time, as a skilled and highly-trained professional consultant, to a $32bn publicly-traded company
C. Homakov could practice full disclosure
This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but that's hardly homakov's problem as a third party.
Neither do corporations, but whenever you hear anyone say "corporations shouldn't base their moral systems around money", then it's all about "free market", "profit" and "shareholder values".
I'm not saying I'd do the same in this case, but it's a bit of a stretch to assume people-people morals apply to people-corporate situations.
But Twitter is like saying "back off, we are huge and we don't pay researchers a cent". So let it be.
Twitter obviously wouldn't drag a hacker to court. I'm saying, in general, don't do this, because other companies might. http://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case
I'm not saying it's true, but it's plausible that some people in Egor's position think that way. And he seems to like his publicity, so 1+1 = 2.
The term "responsible disclosure" implies that other types are "irresponsible disclosure".
If you discover new information through research, there is nothing irresponsible about publishing it on the open web.
Stop this stupid linguistic battle.
The fact that the bug has been disclosed rather than exploited is, itself, a huge favour to Twitter.
It's definitely a bug. Twitter requires clients to ask for the DM permission before they can send DMs. With Egor's approach, clients can privilege-escalate themselves to send DMs even if they never asked for that permission (although they still need to be authorized to send tweets).
Also, even worse, Twitter doesn't consider it a bug, according to the person who originally reported it (who was not Egor): https://twitter.com/DaKnObCS/status/411869431036653568
And here's a response from Ben Ward, the Twitter web lead: https://twitter.com/benward/status/411924515459850240
Perhaps it should, but it doesn't - apps can use the normal API to send DMs without asking for the special DM permission. So the use of the "d" command through the API isn't a vulnerability (it doesn't let anyone do anything they aren't supposed to be able to do), even if it is weird.
Nonetheless, I think it's wrong to have that feature still working.
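The authorization order the comments above describe, as an added example that is not Twitter's code: the flawed version checks the tweet permission at the endpoint and only then parses the text into a command, while the hardened version authorizes on the action the text actually resolves to. Scope names ("write", "dm") and the "d <recipient> <text>" command syntax are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Scope names are assumptions; the discussion only says the DM permission is
# separate from the permission to post tweets.
SCOPE_WRITE = "write"
SCOPE_DM = "dm"

# Legacy SMS-style "d <recipient> <text>" command (syntax assumed for this example).
DM_COMMAND = re.compile(r"^\s*[dD]\s+@?(?P<recipient>\w{1,15})\s+(?P<text>.+)$", re.DOTALL)


@dataclass
class Decision:
    action: str          # "tweet", "dm" or "reject"
    required_scope: str  # scope the resolved action needs
    recipient: str = ""
    text: str = ""


def classify(status: str) -> Decision:
    """Map submitted status text to the action it would actually perform."""
    m = DM_COMMAND.match(status)
    if m:
        return Decision("dm", SCOPE_DM, m["recipient"], m["text"])
    return Decision("tweet", SCOPE_WRITE, text=status)


def vulnerable_route(granted_scopes: set[str], status: str) -> Decision:
    """Endpoint-level check only: 'write' is verified, then the parser may turn
    the text into a DM the client was never authorized to send."""
    if SCOPE_WRITE not in granted_scopes:
        return Decision("reject", SCOPE_WRITE)
    return classify(status)


def authorize(granted_scopes: set[str], status: str) -> Decision:
    """Hardened check: resolve the action first, then require its scope."""
    d = classify(status)
    if d.required_scope not in granted_scopes:
        # Refuse rather than fall back to a public tweet: posting "d alice ..."
        # publicly would leak a message the user meant to be private.
        return Decision("reject", d.required_scope, d.recipient, d.text)
    return d
```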
On HN? Or somewhere else (if so where?) where he is "as famous as PG on HN".
If you mean he is as famous on HN as PG is on HN I don't think that is the case.
HN has become mainstream enough that a lot of readers don't know who pg is. This is what getting linked from reddit, digg, etc leads to. I don't mean this is bad, or good. It's the way it is.
* How famous PG is in HN
* How famous homakov is in HN
This is part of Twitter's "Get Better" problem - where they've allowed SMS commands to be activated via non-SMS interfaces - http://techcrunch.com/2012/05/26/twitter-get-better/
Of course, it doesn't help that Twitter's permissions system is really poorly thought out. An app which only wants to read your Tweets also has WRITE access as well.
There were worse commands; I remember there was a 'follow' command (not sure it was called that). Twitter disabled this.
The d command has some user experience value; however, yes, it makes no sense for Twitter to accept it on non-Twitter apps (meaning those that don't provide the Twitter experience - like mobile clients, TweetDeck, etc.).
Some of the experience elements of DM have been fixed on the iPhone, but last I checked, the problems on web desktop made me so annoyed that I stopped using DMs altogether.
Free invite link >> https://join.app.net/from/fjjgdclsjq