Researchers should:

- ensure that any testing is legal and authorized;
- respect the privacy of others;
- make reasonable efforts to contact the security team of the organization;
- provide sufficient details to allow the vulnerabilities to be verified and reproduced;
- not demand payment or rewards for reporting vulnerabilities outside of an established bug bounty program.

Organizations should:

- provide a clear method for researchers to securely report vulnerabilities;
- clearly establish the scope and terms of any bug bounty programs;
- respond to reports within a reasonable timeline;
- communicate openly with researchers;
- not threaten legal action against researchers;
- request CVEs where appropriate;
- publish clear security advisories and changelogs;
- offer rewards and credit for discoveries.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4018369/discovery-of-compromised-shellter-security-tool-raises-disclosure-debate.html