Closed ghost closed 8 years ago
You do not need to submit a patch (but we'd appreciate it if you do, and your bounty will be awarded faster if we agree that the bug deserves a bounty).
If the security issue is something like an RCE or something on that level, we'll get it fixed ASAP. If it's something like a session invalidation which is not good to have but not really a huge issue, it'll take longer. I can't give any exact time frames.
@gsingh93 If the Facebook team decides that a submitted report is "wont-fix," is it ok to open an issue on GitHub? Because that report will be broken-fix...
close an issue
I have 2 questions.
Question 1. If I submit a security issue from the bug bounty program, do I need to submit a patch?
Question 2. How long does it take to fix a security issue?
This platform is not actively developed, so if someone submits a report from the bug bounty program, the patch will not be developed soon. Maybe it takes 3-6 months.
I asked this question because waiting for over 3 months is stressful...:(
A reporter cannot see development on the Facebook bug bounty platform like on GitHub.
The Facebook team will always ignore when a reporter asks for update info on the bug bounty platform. This means a reporter needs to wait for a long period of time without any response from the Facebook team.
Since this is open source, it is not a good idea to open a security issue for a long period of time. So I just wondered how your team handles security issues...
thanks